Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 2 Dec 2019 17:46:38 +0000
From: Leonid Isaev <leonid.isaev@...x.com>
To: oss-security@...ts.openwall.com
Subject: Re: virtual consoles

On Mon, Dec 02, 2019 at 08:56:38AM -0800, Tavis Ormandy wrote:
> $ dbus-send --system --print-reply --dest=org.freedesktop.login1 /org/freedesktop/login1/seat/seat0 org.freedesktop.login1.Seat.SwitchTo uint32:2
> 
> (note: object paths may vary by distro, change the 2 to a different
> number if you're already on VT2, or seat0 if you're on a different seat)
> 
> The obvious attack is to switch to a fake screensaver, then switch back
> after authentication, or make a fake gdm login.
> 
> I'm sure this has been documented a million times, and most of us will
> be familiar with the "Secure Attention Key" idea, but this is slightly
> different from that attack as it's possible for an entirely remote user
> (active, physically local users usually have additional privileges, as
> it's assumed they can tamper with hardware anyway, etc).
> 
> Should this have some policykit action requirement, or require physical
> presence? I don't know the answer.

Pls no policykit... This "attack" works only because there is systemd, so that
is where such calls should be blocked, IMHO.

It turns out, that if as an unprivileged user I do "pkill -9 systemd" (this
line is infact in my .bash_profile) to eliminate all systemd --user processes,
this still works, i.e. I am able to send messages to the system bus.

Thanks,
L.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.