mate-screensaver screen lock can be bypassed by power cycling monitor [$110] #155
Comments
|
I've placed a bounty on this; how do I get the bounty label added? |
vkareh
changed the title
|
I have also several reports open at redhat Bugzila about problems with locking the sceen. |
|
Does someone knows if this affects also earlier versions of mate-screensaver? |
|
Also, maybe mate-screensaver should be completely archived? I have now switched to xscreensaver after reading this https://www.jwz.org/xscreensaver/toolkits.html |
|
xscreensaver has a security history that does not make it ideal. |
|
@phocean, can you please refer to links? Better explain? |
|
I lost faith in the utility with CVE-2015-8025: https://bugzilla.redhat.com/show_bug.cgi?id=1274452 I don't want my security to depend on a single utility that may segfault for various reasons, leaving the computer unlocked. There is also an issue with most lockers on Linux : when you wake up your computer from suspend, it would show your desktop for about 1 second. Enough for a motivated attacker to take a photo of confidential data, for instance, or even trigger a mouse click (mouse event work during this period). This is just one of the many reports you can find on Internet: https://bugzilla.redhat.com/show_bug.cgi?id=713640 Having a secure locking infrastructure is far from trivial, much more complex than it seems at first. To my knowledge, only Gnome 3 with gdm managed to do something quite robust (modulo the screen flash issue). The idea is that I don't want my locking session to depend on a simple X program. If there is a segfault, like in the DM, I would prefer it crashes my entire session if it has to, so that it gets never unlocked by an attacker. Anyway, I believe such an architecture will be a requirement for Wayland. |
|
@phocean you have referenced one problem with xscreensaver, while both gnome-screensaver and mate-screensaver (which is based on the former) have far more known CVEs ... |
|
@oz123 sure, I am not asking anything: you asked, I just explained. Can't it be addressed without coding? Regarding this issue, I managed to get something much more robust, and with a lower attack surface (fewer LoC) with xss-lock and slock (or i3lock). |
vkareh
changed the title
|
This sort of thing is another example of why when security REALLY counts, a machine should be turned all the way off (poweroff and not hibernated nor suspended) when not in use. This is mandatory when encryption is relied upon, and apparently important the rest of the time too. Any application written in any language can have bugs, especially when it may be compiled many ways and run in many distros. X screensavers in particular have issues bad enough that Wayland devs cited them as a reason for moving away from X altogether. This can be a real pain in the backside, so if anybody does manage to harden any screenlocker to the point that a serious, determined attacker can't recover your session, that will be worth a lot of saved time to a lot of people who are not using encryption, or who are in an environment where coworkers would not have long enough unsupervised access to attack encryption but might be able to sit at the machine long enough to power-cycle a monitor, suspend and restart(though this is reported to have the opposite problem), or execute a similar quick procedure. |
|
@lukefromdc I don't get your point, even though I am aware of these facts (and that is probably not the place for a discussion). The generic considerations you mention are not a valid reason to not harden the locker security. It took my collegues less than one minute to get a remote shell on my machine while I was just going to the restroom. Do not tell me that I should have turned off my computer in such a circumstance... Meanwhile, Windows goes as far as disabling DMA while the computer is locked... So, I am still convinced that using the DM is a much safer approach, so at least an unexpected crash takes also the session down. |
|
According to https://linux.slashdot.org/story/15/01/28/1520252/why-screen-lockers-on-x11-cannot-be-secure all screenlockers on X are actually only emulating screen locking. What they do is to draw their own fullscreen window over everything else and try to catch all keyboard and mouse input(latter part is really critical), but the problem is that Xorg itself does not treat the screenlocker as anything more than just another app. Still, this should not mean everything else gets drawn on top of the screenlocker or that it stop drawing at all, rather it's probably why so many X screenlockers show the desktop and applications for a second or so before finally rendering the lock screen on top of them. Three years ago, t he KDE folks put a lot of effort into hardening their screenlocker and plugging two nasty bugs, but then turned around and published this blog post with a lot of details about the limitations of Xorg screenlockers: Google is offering this screenlocker designed to be as secure as they can get it: As I have said elsewhere, I only have encrypted machines that must be shut down when unguarded, which is why I don't normally run a screenlocker but when someone has code up that might fix this I can build and test it. I don't have the experience in screenlockers to write this myself, having not poked around the app's code and familiarized myself with it like I have with Caja, mate-panel, the applets, etc. @raveit65 , @monsta, @sc0w,@vkareh, any ideas for this? EDIT: This is a really ugly bug, as the poster reports the lock screen stays down with this trivial attack EDIT2: The KDE folks also found as discussed in the second link that making screen locking a compositor task makes it much more secure, but of course in MATE we support multiple window managers. Still, we could implement some of that in Marco, and use a runtime check to see if Marco is running to use that codepath, and use the existing codepath with a security warning given if compiz or another WM is being used. Ideally that would also be ported to compiz-reloaded, perhaps as a plugin. |
|
@lukefromdc thank you for the interesting pointers. However, I disagree with your point with encryption. I work in infosec, so for sure my disk is encrypted too, plus secure boot, disk password and a few custom stuff... it just does not address the same threat at all. You may not need it for your use case (are you working at home?), but for sure many people need a strong screenlocker. |
|
I tried to reproduce https://bugzilla.redhat.com/show_bug.cgi?id=1566571 yesterday with my notebook (fedora 28) and a external monitor. I will try again with powering off or unplug the external monitor. @lukefromdc A girlfriend of mine use a mac notebook and she never shutdown her mac. She only use 'lid-close`, to power on/off their system. |
|
Btw. here is another locker , but last commit was from 2017 -_- |
|
Since the origjnal poster simply specifies "monitor" and not a particular monitor, I think this is about power-cycling the PRIMARY monitor, which would make this a desktop-only bug. A laptop would be OK as its monitor cannot be power cycled, but an office full of desktops running MATE would leave each workstation vulnerable to everyone else in the office once it got out that turning the monitor off and back on gave access. This is so simple it is guaranteed to be found by accidend in a large enough office. |
|
According to #145 (comment) |
|
I was able to reproduce the issue with my main box with nvidia-graphic and using one monitor at display-port.
But it isn't a clear reproducer, sometimes i had access to my desktop without a lockscreen-dialog, sometimes the dialog displays well. I think this gsettings key from mate-power-manager has an influence on this problem. Because with changing the value for this key i could trigger the issue again. I used those commands to debug mate-screensaver and mate-power-manger. Screensaver logs were interesting. In both cases they look very similar and the lockscreen-dialog seems to be running. Same with a working lockscreen. So why Full logs are here: |
|
I found a working workaround,.......using gnome-screensaver 😄
Other keys for g-s: That's enough for an office/gaming PC with one or 2 external monitors. I looked in to gnome-screensaver git commit history for a solution for mate-screensaver, but no luck yet. |
This is a follow-up to 5d4416a to fix mate-desktop#155
|
I am about to test this with an initial test install from master, trying to invoke the bug, then checking the PR to see if it is fixed. This issue is world-class ugly, and any security feature that can by bypassed by power cycling is a dangerous trap for the unwary. This is nearly as bad as the Android 5 bug where a failed attempt to encrypt the fs exits silently and appears to have succeeded. |
|
I could not get mate-screensaver to show the unlocking dialog with lightdm (and GTK 3.23), and whether because of this or something else power cycling the primary monitor with the secondary monitor staying OFF had no effect. If I pressed a key on the keyboard I got my desktop image as used also as a lightdm background, but no lightdm greeter or other password unlocking option. Thus, I cannot directly test this but at least the PR built and ran, with same behavior here either way |
|
@lukefromdc Edit: and is this key enabled? |
|
This was on a desktop, screen was locked and screensaver shown when locked from the main menu's panel-lock-launcher, just no login dialog ever. I have the gtk greeter in Lightdm |
|
@raveit65, I am using gentoo. |
|
Hmm, i am not really firm with packaging gentoo. |
|
@raveit65 the gentoo maintainer is practically me. I have used the ebuilds from here. My system runs with all mate components built from the current master branch. |
|
OK :) |
|
Not sure if this causes the issue but building against systemd and consolekit is wrong. |
|
@raveit65 np-hardass is missing practically. There are some people working on ebuilds for gentoo officially. I used their work to create my ebuilds. So it's only consolekit, it was configured with: |
|
But why consolekit and not systemd? |
|
@raveit65 consolekit in gentoo is consolekit2. Also, I don't think this error has anything to do with systemd or consolekit (at least that is what I understand from the crash backtrace I posted above). |
|
I love to control my box with systemd, using deprecated consolekit-1/2 isn't an option for me. Btw. Are you sure you applied 762ae73 correct? Did you restart the box? |
|
I applied the patch. It's also in the current master. The ebuild simply pulls the git master and compiles it. Good point regarding restart! OK, I have since yesterday restarted my laptop, and currently I can't crash mate-screensaver by unplugging. One issue which is still there yet, is that the screen flicker for a second, during this second the content of my desktop is shown. I tried a couple of times to capture the mouse and keyboard to prevent mate-screensaver from covering the whole screen. I failed (which is a good thing), but a I am afraid a more sophisticated tester would be able to somehow during this second kill mate-screensaver. |
|
I am so happy that you could solve your local problem :) |
|
That momentary flicker has been called out as a security issue in X itself, as this is apparently a common problem in screensavers that draw over the other X windows. Details earlier in this thread at |
|
@raveit65 , if MATE could support elogind too one could eventually dump consolekit2 |
|
@fizzfaldt @phocean Btw. mate-screensaver-1.20.2 with the fix is released. |
|
No problem for me, nice work! Thanks a lot ! |
#169 |
How to track the progress of this release for 18.04 LTS Mate? I ask, because with 18.04 Mate, on desktop with any 1 monitor, I can reproduce the issue easily by unplug the display cable (not the power). I tested with HDMI, DVI and DisplayPort. Very ugly issue. Videos: https://bit.ly/2VA4oaT + https://bit.ly/2CRui2t |
This ubuntu package version does not include a fix for this. They have 1.20.1 the fix is in 1.20.2, file a bug there so the package the newer version. |
|
Hi,
On Sunday, 6 January 2019, Oz N Tiram wrote:
> > mate-screensaver-1.20.2 with the fix is released
>
> How to track the progress of this release for 18.04 LTS Mate? I ask, because with 18.04 Mate, on desktop with any 1 monitor, I can reproduce the issue easily by unplug the display cable (not the power). I tested with HDMI, DVI and DisplayPort. Very ugly issue. Videos: https://bit.ly/2VA4oaT + https://bit.ly/2CRui2t
This ubuntu package version does not include a fix for this. They have 1.20.1 the fix is in 1.20.2, file a bug there so the package the newer version.
I will upload mate-screensaver 1.20.2 to Debian the coming week, so the fix will appear in Ubuntu 19.04.
Is this whole issue worth a CVE? It sounds like it. If so, please let me know and I will report it to CVE Mitre.
CVEs are more likely to be fixed in Ubuntu LTS than normal bugs.
Mike
…--
Sent from my Sailfish device
|
|
@sunweaver please do report a CVE. |
|
Master seems to be in a good state now: power cycling a vga connected primary monitor does nothing, unplugging and replugging an inactive HDMI secondary monitor just brings up the passphrase entry screen., |
|
On So 06 Jan 2019 17:59:35 CET, Oz N Tiram wrote:
@sunweaver please do report a CVE.
Submitted. Waiting for CVE Mitre feedback.
Mike
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
|
|
This is CVE-2018-20681 |
|
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20681.html "needs-triage". I don't think it will be fixed in Ubuntu 18.04 LTS. |
|
Confirming that this is still broken in Ubuntu 18.04 LTS. I found out about this issue when I got a LG monitor that triggers this bug on DPMS standby. I'm currently using http://ppa.launchpad.net/spvkgn/mate-bionic/ubuntu as a workaround (https://launchpad.net/~spvkgn/+archive/ubuntu/mate-bionic). |
Expected behaviour
Lock Screen
Turn off monitor (either by power management putting it to sleep, or by pressing power button)
Turn monitor on
Start typing
Expect to see lock screen on monitor
Actual behaviour
Lock Screen
Turn off monitor
Turn monitor on
Start typing
Expect to see lock screen on monitor
Steps to reproduce the behaviour
Wait 60 seconds
Lock screen (I used Window manager shortcut)
Wait 60 seconds
Power off monitor (soft off)
Wait 60 seconds
Power on monitor
Wait 9 seconds (that's how long it takes monitor to boot)
Can see and use screen/type/etc; it is (effectively) unlocked.
Notes/logs:
mate-screensaver-command -qreports:killall mate-screensaver:Screensaver is not running!The screensaver is inactiveThe screensaver is not inhibitedThe screensaver is activeThe screensaver is not inhibitedSame as above, annotated with logs: (attached for ease of reading)
mate-screensaver --no-daemon --debugmate-screensaver-1.txt
Wait 60 seconds
Lock screen (I used Window manager shortcut)
mate-screensaver-2.txt
Wait 60 seconds
Power off monitor (soft off)
mate-screensaver-3.txt
dmesg-3.txt
Wait 60 seconds
Power on monitor
mate-screensaver-4.txt
dmesg-4.txt
Wait 9 seconds (that's how long it takes monitor to boot)
Can see and use screen/type/etc; it is (effectively) unlocked.
dmesg-5.txt
(there is no dmesg-1.txt or dmesg-2.txt or mate-screensaver-5.txt (blank during that time))
Troubleshooting
This occurred on two machines.
Upgrading to Ubuntu 18.04 (which upgraded mate to 1.20.0) fixed the problem on home machine.Please let me know what other logs/steps may be useful.
MATE general version
1.20.0
Package version
mate-screensaver 1.20.0-1
See attached
mate-packages.txt
for full list of all mate-related package versions
Linux Distribution
Ubuntu 18.04
Downstream bug link
https://bugs.launchpad.net/ubuntu/+source/mate-screensaver/+bug/1768352
The text was updated successfully, but these errors were encountered: