lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Sat, 2 Aug 2003 03:42:37 -0500 (CDT)
From: Mark Tinberg <mtinberg@...urepipe.com>
To: Patrick Haruksteiner <haruk@....at>
Subject: Re: Another Mac OS X ScreenSaver Security Issue (after Security   
 Update 2003-07-14)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 29 Jul 2003, Patrick Haruksteiner wrote:

> I discoverd another security issue with the Mac OS X screensaver.
> If you have installed escapepod from Ambrosia Software and hit
> crtl-alt-delete(==backspace) when the screensaver with password
> protection is running, it kills the screensaver and the desktop is
> open to anybody - so it has the same effect as the recently
> emerged password-exploit.
> I expected that there should be a forced logout, if the screensaver
> dies... - but there is no such behavior...
>
> I have allready reported this to product-security@...le.com, but
> as usual with no reply...
>
> Tested on this System Configuration:
>
> Mac OS X 10.2.6 with Security Update 2003-07-14
> 1GB RAM
> 1GHZ PowerBook G4
> escapepod 1.0.0d3 from http://www.ambrosiasw.com/utilities/
> freebies/

I'm surprised at all the confusion about this issue from the people on the
list.  It seems to me that the responsibility for fixing this problem is
Apple's and that the correct course of action is for the screen lock
utility to block _ALL_ access to keyboard and mouse events for any other
process.  When the screenlock is running, it should:

1)  Always be on top of other windows.  The window manager should not
    allow windows to popup over the screensaver, and certainly not allow
    them input
2)  All input should be bound to the screensaver process, no other other
    process should be allowed keyboard/mouse[0] input.  Certainly all
    hotkeys should be disabled
3)  For extra points, in event of failure, system should immediately log
    out the console user.  It should fail closed if possible, rather than
    give away console access in the event of an error.

There are probably a few other responsibilities that a screen lock has
that I can't think of at the moment, but the main thrust is that a screen
lock should enforce security policy within its realm of responsibility.

- -- 
Mark Tinberg <MTinberg@...urepipe.com>
Network Security Engineer, SecurePipe Inc.
New Key fingerprint = FAEF 15E4 FEB3 08E8 66D5  A1A1 16EE C5E4 E523 6C67


[0]  Or really any HID or ADB device.  It might be easier and safer to
     just disable everything that isn't a keyboard.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQE/K3l+Fu7F5OUjbGcRAmeEAJwPwx2A3kXC9aOikXOSfPZ0/Pr2ygCeOf0a
VlGpRBfYTM7/tFO9lVntl9Q=
=cEWK
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ