[Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #1232 - 32 msgs
dbounds at intrusense.com
Tue Oct 28 19:19:34 GMT 2003
I was successful in changing the password of the current user (myself) with
an open terminal in focus on the desktop.
Intrusense - Securing Business As Usual
> Date: Tue, 28 Oct 2003 17:46:41 +0100
> From: kang <kang at insecure.ws>
> To: full-disclosure at lists.netsys.com, bugtraq at securityfocus.com
> Subject: [Full-Disclosure] [securemac] Local vulnerability: MacOSX
> Screensaver locking bypass.
> Mac OS X 10.3 Panther Screen Lock Bypass
> *Advisory Title*: Keys Getting Past Panther Screen Lock
> *Release Date*: 2003 October 28
> *Affected Product*: Mac OS X 10.3 Build 7B85
> *Severity*: Low
> *Impact*: Security Bypass
> *Where*: Local System
> *Author*: CodeSamurai (codesamurai at mac.com)
> With access to the keyboard, an unauthorized user can access the
> currently active screen-locked user environment. However, there is only
> a relatively small opening in the period of time in which the key
> events get through; completing complicated operations at the keyboard
> has shown to be highly tedious in actual practice thus far.
> With the screen effect active, keys pressed before the authentication
> window appears will be sent to the general user environment.
> *PRACTICAL TESTS*
> Tested Examples:
> - An open word processing document can be typed in.
> - Shortcut operations via the keyboard are executed.
> - New windows can be spawned.
> - New folders can be created in the Finder.
> - Switching between running applications is possible.
> - One can navigate through the file system and launch applications.
> - Terminal was launched and binary was executed from the command line.
> Although the potential risk due to malicious intent via this
> vulnerability is obvious, tentatively it appears that in real-world
> practicality, the impact will most likely be statistically small. (But
> a chain is only as strong as its weakest link.)
> *SecureMac Notes*: For the first-time user, actually executing anything
> useful before the screen lock appears is hard. A user who
> practices and knows where items are stored and can quickly move around
> with the keys could change information or even disable authentication
> and gain access to the desktop.
> Full advisory is available here:
Full-Disclosure is hosted and sponsored by Secunia.