SANS ISC: Ubuntu 14.04 lockscreen bypass - Internet Security | DShield SANS ISC InfoSec Forums


Ubuntu 14.04 lockscreen bypass

ISC Handler Rob let us know that @hdmoore Tweeted out: "Upgraded to Ubuntu 14.04? Hold down enter to bypass the lockscreen (what is old is new again): "

The reporter indicates that he was running Ubuntu 14.04 with all the packages updated.
When the screen is locked with a password and ENTER is held down, after some seconds the screen freezes and the lock screen crashes. After that the computer is fully unlocked.

The initial report states that the "bug is about the lockscreen being bypassed when Unity crashes/restarts, which is a critical security issue. The crash will be handled from bug 1308750."

To reproduce:
1) Open the lockscreen (Super+L)
2) Hold Enter down
.... wait .....
*Crash*
Expected:
*No crash*
Stacktrace:
http://paste.ubuntu.com/7263684/

From the bug tracker, the fix has been committed and released. Be cognitive of this issue should you leave an Ubuntu 14.04 host unattended. :-)

Russ McRee | @holisticinfosec

163 Posts
ISC Handler
Odd... Unless "some" seconds is defined as triple digits or more, I get "Invalid password, please try again" displayed. No crash, no strace, just the message.
Ken

40 Posts
Bad design. The lockscreen process ought to be monitored in the background by something that will force logout if the lockscreen or monitor process is killed, crashes, or exits in an unexpected manner.
Mysid

146 Posts
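
The fail-closed supervision suggested in the comment above, as an added example that is not part of that comment, of the diary, or of Ubuntu's fix. It assumes a standalone locker program that exits with status 0 only after a successful authentication (a hypothetical convention; in the bug described here the lock screen ran inside Unity), and it ends the session with `loginctl terminate-session`; `supervise`, `classify` and `terminate_session` are names chosen for this sketch.

```python
import os
import subprocess
import sys


def terminate_session():
    """Fail closed: end the login session instead of exposing the desktop."""
    # XDG_SESSION_ID is set by pam_systemd; loginctl is systemd-logind's CLI.
    session = os.environ.get("XDG_SESSION_ID")
    if session:
        subprocess.call(["loginctl", "terminate-session", session])


def classify(returncode):
    """Map the locker's exit status to a decision."""
    # Assumption: status 0 means the user authenticated successfully.
    if returncode == 0:
        return "unlocked"
    if returncode < 0:  # subprocess reports death by signal as -signum
        return "forced_logout: killed by signal %d" % -returncode
    return "forced_logout: exit status %d" % returncode


def supervise(locker_cmd, on_failure=terminate_session):
    """Run the locker; anything other than a clean exit 0 ends the session."""
    try:
        returncode = subprocess.call(locker_cmd)
    except OSError as exc:  # locker missing or not executable
        on_failure()
        return "forced_logout: could not start locker (%s)" % exc.strerror
    decision = classify(returncode)
    if decision != "unlocked":
        on_failure()
    return decision


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: watchdog.py <locker> [args...]")
    print(supervise(sys.argv[1:]))
```

A window remains between the locker's death and the session teardown, so this limits the exposure rather than removing it.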
"From the bug tracker, the fix has been committed and released. Be cognitive of this issue should you leave an Ubuntu 14.04 host unattended. :-)"

Shouldn't the recommendation be to patch? It's easy enough.
amilroy

9 Posts
I was not able to recreate this problem on my computer running Ubuntu 14.04. According to the bug tracker link quoted in this diary post this bug was fixed on 4/17/2014 "in a heroic effort over night *before* final release, the fix is on the 14.04 image that was released to end users."
Anonymous