Not a security issue, but I found a bug
Authored by: IndexCOR Steffan on Jun 05, '04 07:11:51AM

From what I see, it doesn't look like a security issue, but I did find a weird bug. Does anyone else seem to get it?

To reproduce the bug:

• Log in as any Admin or non-Admin user - open up 3-4 apps, make sure the screensaver is password-protected, then switch it on.
• After switching it on, move the mouse to bring up the Security Dialogue. Rather than entering your username + password to unlock the screensaver, click "Switch User Account".
• You should be on the login screen. Log in as another user (must be an Admin).
• Open Activity Monitor on this account and select "Show Other User Processes".
• Locate a process named "ScreenSaverEngin" for the username of the account that has the screensaver active. You may have to wait a few minutes for it to appear.
• When it appears, click the "Quit" button and do a force quit. Enter your administrator username and password.
• If the process does not go away, keep force quitting it (it took me 3 attempts) until the process disappears.
• Use the fast user switching menu to switch to the account with the screensaver active.
• You should get a black box in the middle of the screen. On the keyboard, press "Command + Alt + Esc", then press return. Repeat this action for the same number of applications you opened at the beginning, which should be 3-4 (what you are doing is force quitting the applications of that user).
• Put the computer to sleep.
• Wake the computer from sleep.
• You will now see the Security Dialogue for the screensaver. Enter your username and password to log back in. As you can see, all applications have been force quit.



Not a security issue, but I found a bug
Authored by: rhowell on Jun 05, '04 01:44:19PM

Wouldn't it be faster to enter your admin username and password in the other user's screensaver login box, and then quit all of his/her applications? I don't see the difference.



Not a security issue, but I found a bug
Authored by: IndexCOR Steffan on Jun 06, '04 07:49:42AM

Oh! I didn't know that was possible. I guess I went the long way round.



Not a security issue, but I found a bug
Authored by: babbage on Jun 06, '04 08:19:09PM
There's a far, far easier way to do this.
  1. Pick a neighbor with a currently locked screen saver on a computer on which you have admin access.
  2. ssh into that person's computer.
  3. Execute this command:
    sudo kill -9 \
    `ps ax \
    | grep -i 'scree[n]saver' \
    | awk '{print $1}' \
    | fmt`
    (You could also use killall -9, but I forget what the screensaver process is called and this variant should be more flexible.)
  4. Walk over to your neighbor's computer; the screensaver & the screensaver password should be gone now.

Granted, this is more complex in that it requires having a second computer to log into the target machine (though it doesn't have to be a Mac) and it depends on the target machine having ssh access (though that's probably not an unreasonable assumption). But otherwise, this seems like a more straightforward variant of the same attack.

Note also that this attack probably works on Linux & other *nix systems as well -- any multiuser system where the locked screensaver is likely to show up as an identifiable running process and admin level users can manipulate those currently running processes.

It's debatable whether or not it counts as a vulnerability though so much as an example of one of the innumerable unpleasant things that can be done with full administrative access to someone's computer, and an object lesson in why it's a good idea to give out admin access carefully.

---
--
DO NOT LEAVE IT IS NOT REAL
