Message-ID: <20080525170008.GA11957@pcpool00.mathematik.uni-freiburg.de>
Date: Sun, 25 May 2008 19:00:08 +0200
From: "Bernhard R. Link" <brlink@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE id request: xscreensaver

* Tomas Hoger <thoger@...hat.com> [080525 16:03]:
> Is there any known attack vector crossing trust boundary? Usage of
> xrandr should be fully under the control of the user running
> xscreensaver.

Some vectors might be thinkable due to increasing automation:
Perhaps some desktop environments realize an external monitor vanishing
and rearrange the layout (which is quite nice to avoid programs being
in invisible parts of the layout). If that is the case, a local attacker
might use this weakness to gain access to the account without getting
noticed as easily as when opening the case of the computer.

An already possible attack vector, though needing very unlikely
requirements: A user issued an ssh -X localhost to a more privileged
account in an xterm and started an xscreensaver there, because he
suspects someone else might know the password and log in with the
unprivileged account he is logged in. Then this sense of protection would
be false due to this problem. The unlikely part is that this would
only work if the computer was not running before since the possible
compromise of the password and only connected to the net after entering
the password into ssh. So also in that case it could only widen a gap
that is hardly totally closed anyway.

Respectfully,
	Bernhard R. Link