Date:      Sat, 15 Nov 2003 14:51:52 -0800
From:      Terry Lambert <tlambert2@mindspring.com>
To:        "Eugene M. Kim" <ab@astralblue.net>
Cc:        current@freebsd.org
Subject:   Re: xscreensaver bug?
Message-ID:  <3FB6AE08.98235EF4@mindspring.com>
References:  <20031112091032.GA4425@cactus> <3FB3758A.9B52625D@mindspring.com> <3FB3B4FB.1050304@astralblue.net> <3FB4A095.AF27549F@mindspring.com> <3FB5524E.30107@astralblue.net>

"Eugene M. Kim" wrote:
> Validating a root password is possible with other means in many cases,
> if not always.  OpenSSH sshd is a good example.  Even with
> PermitRootLogin set to no, the attacker can differentiate whether the
> password has been accepted or not.

That's because the software in question sucks, not because it's a
natural property of all such software.


> If attacker is able enough, he could also run a hacked version of Xnest
> on port 6000+N and the real xscreensaver on :N.0 for a suitable N.
> Attacker would feed the real xscreensaver with the captured password and
> see if the real xscreensaver releases the server grab.

Yeah, and any user on the system could put up a trojan that put up
a window that pretended to be the login screen instead of a screen
saver, since that would be much easier, and harvest passwords that
way, instead, after pretending the first login failed.

I don't really see your point... any time you have more than one
user using the same console, it's possible to create a trojan.

-- Terry


