lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <AA49B424-097B-11D8-8E59-000A95820F5E@intrusense.com>
From: dbounds at intrusense.com (Darren Bounds)
Subject: Re: Full-Disclosure digest, Vol 1 #1232 - 32 msgs

Verified.

I was successful in changing the password of current user (myself) with 
an open terminal in focus on the desktop.


Darren Bounds
Intrusense LLC.
http://www.intrusense.com

--
Intrusense - Securing Business As Usual



> Date: Tue, 28 Oct 2003 17:46:41 +0100
> From: kang <kang@...ecure.ws>
> To: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com
> Subject: [Full-Disclosure] [securemac] Local vulnerability: MacOSX 
> Screensaver locking bypass.
>
>
>       Mac OS X 10.3 Panther Screen Lock Bypass
>
> *Advisory Title*: Keys Getting Past Panther Screen Lock
> *Release Date*: 2003 October 28
> *Affected Product*: Mac OS X 10.3 Build 7B85
> *Severity*: Low
> *Impact*: Security Bypass
> *Where*: Local System
> *Author*: CodeSamurai (codesamurai@....com)
>
> *VULNERABILITY*
> With access to the keyboard, an unauthorized user can access the
> currently active screen-locked user environment. However, there is only
> a relatively small opening in the period of time in which the keys
> events get through; completing complicated operations at the keyboard
> have shown to be highly tedious in actual practice thus far.
>
> *EXPLOIT*
> With the screen effect active, keys pressed before the authentication
> window appears will be sent to the general user environment.
>
> *PRACTICAL TESTS*
> Tested Examples:
> - An open word processing document can be typed in.
> - Shortcut operations via the keyboard are executed.
> - New windows can be spawned.
> - New folders can be created in the Finder.
> - Switching between running applications is possible.
> - One can navigate through the file system and launch applications.
> - Terminal was launched and binary was executed from the command line.
>
> *CONCLUSION*
> Although the potential risk due to malicious intent via this
> vulnerability is obvious, tentatively it appears that in real-world
> practicality, the impact will most likely be statistically small. (But 
> a
> chain is only as strong as its weakest link.)
>
> *SecureMac Notes*: For the first-time-user actually executing anything
> useful before the screen lock appears is hard. For the user who
> practices and knows where items are stored and can quickly move around
> with the keys could change information or even disable authentication
> and gain access to the desktop.
>
>
> Full advisory is available here:
> http://www.securemac.com/macosx-screenlock-bypass.php
>
>
>
>
>
> --__--__--
>
> _______________________________________________
> Full-Disclosure mailing list
> Full-Disclosure@...ts.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure
>
>
> End of Full-Disclosure Digest
>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ