It appears as though there's a buffer overflow somewhere in the password handling of the screen saver password. I haven't done enough testing to know whether priviledge escalation is possible, but it might be.
At the best, this bug renders the screen-saver password feature useless. Any user can bypass the screen saver and gain access to the system with the rights of the currently logged-in user. Until Apple provides a patch for this, do not consider screen-saver passwords as offering any security whatsoever. The vuln is local only, as the attacker needs physical access to the keyboard to exploit it.
He's quite right about the "5 minutes" of "held down key" to trigger it ... I didn't bother to count or calculate how many characters this involves. I also noted that it doesn't work all the time. At least half of my tests appeared to lock the screensaver up, but not in such a manner that I could gain access to the machine. Most often it worked on the second or third try.
Delfim Machado wrote:
Hi all,
three days ago i discovered a security issue, with the last MacOSX.
there is a way to crash the screensaver locked with password and gain the desktop.
how? - you ask. i don't know the exact amount of characters, only that if you leave a key pressed for 5 minutes or more and then hit the enter key, you crash the screensaver and gain access to the desktop. you can mess the desktop and all around it (network, mail, docs, anything you can imagine).
i think that this is a huge secure hole and it must be corrected.
i hope that this is good for everyone who cares about "how to secure your desktop".
solution? wait until someone at the apple make a patch and realise it...
here is the mail that i've sent to apple security people, they didn't replied :(
-- BEGIN APPLE MESSAGE --
To: product-security@apple.com
Subject: [BUG] forgot your screensaver
password ?? Hackit anyway
Hi all
(tested machines at the bottom of this message)
sorry about the subject, but there is a problem with the auth prompt when you have the screensaver running.
i do not know the exact amount of characters to make the auth prompt blow up, but here is what i do:
with the screensaver runnig, leave something at the top of the keyboard and leave it there for 5 or more minutes, then hit ENTER. The screensaver dies and you have your desktop open to anyone.
desktop open, network open, hackers go away :)
i'll wait for an answer until 3 of Jully and then send this problem to full-disclosure@lists.netsys.com and bugtraq@securityfocus.com
if you need more time, please tell me that i'll wait until the patch be ready to deploy.
OS tested: didn't get a mac not updated ... (uname -a) (Powerbook) Darwin roadrunner 6.6 Darwin Kernel Version 6.6: Thu May 1 21:48:54 PDT 2003; root:xnu/xnu-344.34.obj~1/RELEASE_PPC Power Macintosh powerpc (iMac) Darwin MacLulo 6.6 Darwin Kernel Version 6.6: Thu May 1 21:48:54 PDT 2003; root:xnu/xnu-344.34.obj~1/RELEASE_PPC Power Macintosh powerpc (Powerbook) Darwin Proenca-Powerbook17 6.6 Darwin Kernel Version 6.6: Thu May 1 21:48:54 PDT 2003; root:xnu/xnu-344.34.obj~1/RELEASE_PPC Power Macintosh powerpc
PS: MacOSX r0x, keep on the good way!
-- END APPLE MESSAGE --
Cheers -- Delfim Machado - dbcm@xpto.org XPTO:: Portuguese OpenSource Community - http://lab.xpto.org
-- Bill Moran Potential Technologies http://www.potentialtech.com
