Announcement

Collapse
No announcement yet.

An Easy But Serious Screensaver Security Problem In X.Org

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • #11
    Yup, it works in Fedora 16!

    Comment


    • #12
      Originally posted by gururise View Post
      Holy Crap!! I just tried this in ArchLinux with all the latest packages and it too is affected by this.
      It's already fixed btw.
      https://bugs.archlinux.org/index.php...&task_id=27993

      Comment


      • #13
        Originally posted by Kano View Post
        This bug is certainly not so good for marketing, its not that you get a secure system when you just fix that. You just avoid the reboot - on reboot you can get to root rights with Linux using an unlocked bootloader (which is the default) and similar to any Mac system. For Win you usually need at least a cd/usb key to boot from. A screen lock only helds back the most harmless attackers
        The bigger issue is having a browser open logged into somewhere. A reboot will not get you there, this will.

        Comment


        • #14
          Well it does not expose root rights until you have got a root terminal open all the time. But when you reboot with correct options you are root.

          Comment


          • #15
            Again, having root on a system you may be able to cause less damage than with a logged in browser.

            Comment


            • #16
              (not obviously counting APT where after getting root he will install a keylogger etc, but someone passing by when you go get something)

              Comment


              • #17
                Originally posted by Kano View Post
                Well it does not expose root rights until you have got a root terminal open all the time. But when you reboot with correct options you are root.
                Unless you have your disk encrypted, then when you reboot you're exactly nobody (sure, you can manipulate the kernel but lets not go there..).

                Btw also fixed in debian unstable now http://packages.qa.debian.org/x/xorg...9T101901Z.html

                Comment


                • #18
                  Originally posted by not.sure View Post
                  Unless you have your disk encrypted, then when you reboot you're exactly nobody (sure, you can manipulate the kernel but lets not go there..).
                  You also can lock your BIOS and set a password for editing bootloader's commands. Of course you should also lock your PC case In addition to crypted storage this may be a little nervous for attacker.

                  Comment


                  • #19
                    Arch Linux, Gnome 3, xkeyboard-config version 2.4.1-2 (w/o the patch), Thinkpad W500 with a swedish laptop. I have not been able to unlock the screen. What log file is supposedly printed to? Hmm, which is Keypad-Multiply on this keyboard?

                    Comment


                    • #20
                      @mcdebugger

                      Better: set a hd pw in the bios if possible. Even better: get a hd/ssd with integrated encryption. Even without that removing the hd and connecting to another pc will not allow immediate access to modify data. That could be done only by professionals.

                      @korpenkraxar

                      Most likely you need the fn key to get the blue *.
                      Last edited by Kano; 01-19-2012, 04:56 PM.

                      Comment

                      Working...
                      X