Date:      Fri, 14 Nov 2003 14:08:14 -0800
From:      "Eugene M. Kim" <ab@astralblue.net>
To:        Terry Lambert <tlambert2@mindspring.com>
Cc:        current@freebsd.org
Subject:   Re: xscreensaver bug?
Message-ID:  <3FB5524E.30107@astralblue.net>
In-Reply-To: <3FB4A095.AF27549F@mindspring.com>
References:  <20031112091032.GA4425@cactus> <3FB3758A.9B52625D@mindspring.com> <3FB3B4FB.1050304@astralblue.net> <3FB4A095.AF27549F@mindspring.com>

Terry Lambert wrote:

>"Eugene M. Kim" wrote:
>
>>Terry Lambert wrote:
>>
>>>>I'm new in FreeBSD. I found that after I lock screen with xscreensaver,
>>>>I can unlock it with the root's password as well as my normal user's
>>>>password. I don't think it is a good thing. Is it a bug?
>>>>
>>>It is intentional, although you can eliminate it with a recompile
>>>of the xscreensaver code, with the right options set.
>>>
>>Wouldn't this lead to another security hazard, if a user compiles his own
>>hacked xscreensaver which captures and stashes the password into a file,
>>then runs it and leaves the terminal intentionally, `baiting' root? :o
>>
>
>Not really.  This type of thing would need to accept pretty much
>everything as a termination password, since there is no password it
>can legitimately validate, since a user compiled trojan like this
>would not have access to the password database contents in order
>to perform validation.
>
>If the trojan is SUID, then they already have root, and don't need
>the trojan.
>
>Either way, there's no risk to just typing whatever crap you want
>to at it, including a message calling the user an idiot, the first
>time, to see if it's going to let you in without you giving it the
>real root password.
>

Validating a root password is possible with other means in many cases, 
if not always.  OpenSSH sshd is a good example.  Even with 
PermitRootLogin set to no, the attacker can differentiate whether the 
password has been accepted or not.

If the attacker is able enough, he could also run a hacked version of Xnest 
on port 6000+N and the real xscreensaver on :N.0 for a suitable N.  
Attacker would feed the real xscreensaver with the captured password and 
see if the real xscreensaver releases the server grab.

Eugene


