Screensaver Bug in Mac OS X
dave1212 writes "Still too early to tell, but there seems to be a screen saver password exploit in Mac OS X. It was discovered and posted on the Full Disclosure list earlier today. Theories, personal tests, and rumours abound, with some success stories, and the possibility that it could affect all Cocoa programs. Speculation points toward a 2048 character buffer, with people using the emacs shortcuts Ctrl-K and Ctrl-Y to fill the text field in under half a minute."
using 10.2.6 - not saying it's not a real bug, just can't get it to crash my screen-saver.
*** For a better tomorrow, change your life today ***
Does this mean when all the script kiddies have their defacing party OSX will be worth less than 5 points?
-=LaptopZZ=-
This is nothing to be upset about. Heck, Windows users have had this feature since Windows 95. 3-finger salute and end the screen saver task :)
:)
Security via screensavers should never be trusted. I'm not quite sure why it's still being put in place. Windows XP has a slightly better idea in that it will quickly log you off if you ask it to... Of course GNOME/KDE stole that idea before MS was able to integrate it into XP/2k
Now, if this can be used as a buffer overflow attack as stated in the second link, that can be a problem. Not so much that a local user will overflow their own system and gain local root, but the fact that this is the same throughout multiple Cocoa apps shows the possibility of one of those being remotely exploitable.
Of course that's only for the 4 people running OSX as a server.
Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
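The over-long-entry failure the thread is discussing is a fixed-size text buffer filled faster than the code that owns it checks the length. The added example below is not code from Apple or from the thread; it assumes a hypothetical 2048-byte field capacity and shows a lock-screen input handler that checks the length before copying, so an oversized paste is rejected and the lock stays closed rather than the process crashing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical field capacity, matching the 2048-character buffer the thread speculates about. */
#define FIELD_CAP 2048

enum field_status { FIELD_OK = 0, FIELD_TOO_LONG = 1, FIELD_EMPTY = 2 };

/* Length of `s`, but never scanning past `limit` bytes, so a huge paste costs bounded work. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0') n++;
    return n;
}

/*
 * Bounded handler for a lock-screen password field.  The defect the thread
 * describes is text copied into a fixed 2048-byte buffer with no length check;
 * here the length is checked first and an over-long entry is rejected, so the
 * lock fails closed instead of the process dying.  `out` must hold FIELD_CAP + 1 bytes.
 */
enum field_status accept_field_input(const char *typed, char *out)
{
    size_t n = bounded_len(typed, FIELD_CAP + 1);
    out[0] = '\0';                      /* never leave a partial copy behind */
    if (n == 0) return FIELD_EMPTY;
    if (n > FIELD_CAP) return FIELD_TOO_LONG;
    memcpy(out, typed, n);
    out[n] = '\0';
    return FIELD_OK;
}

/* Constructed input: `repeats` copies of `line`, standing in for repeated Ctrl-K / Ctrl-Y pastes. */
enum field_status check_pasted(const char *line, size_t repeats)
{
    size_t len = strlen(line);
    char field[FIELD_CAP + 1];
    char *typed = malloc(len * repeats + 1);
    if (!typed) return FIELD_TOO_LONG;  /* treat allocation failure as a reject */
    for (size_t i = 0; i < repeats; i++) memcpy(typed + i * len, line, len);
    typed[len * repeats] = '\0';
    enum field_status st = accept_field_input(typed, field);
    free(typed);
    return st;
}

int main(void)
{
    printf("2048 chars -> %d (0 = accepted)\n", check_pasted("x", 2048));
    printf("2049 chars -> %d (1 = rejected, still locked)\n", check_pasted("x", 2049));
    return 0;
}
```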
Well, to be fair Debian Linux suffers from the same problem. Trusted update is a more difficult problem than solving some buffer overrun in xlock or whatever.
It's no wonder why Apple didn't reply, look at the subject of the email sent to Apple: "forgot your screensaver password ?? Hackit anyway." Must have been Jeff K reporting the bug.
In other news, a similar bug has been an issue on the Mac OS X version of Folding@Home. The screen saver crashes when lock screen is activated, and it's been months since I first noticed it, and I've seen it mentioned on the Folding boards, and it still hasn't been fixed. I agree with some of the people on the Macslash forum: Don't rely on screen savers if you have truly sensitive data within reach of scrupulous characters.
I've always found this mildly annoying but since I've never had that much to protect and the people around me really aren't that smart anyway I haven't gone in search of the fix.
But in X at least on Slackware when the screensaver is on I can Ctrl-Alt-F1 and Ctrl-X to kill X Windows and get myself to a prompt.
It sounds as if all you need to do is type in enough characters into the input field fast enough, and bam, the screensaver or whatever app "crashes" and now you're at the desktop or in single user mode. I thought a true buffer overflow attack was something different than this.
||| I still can't believe Parkay's not butter.
I saw this "exploit" on full-dis, where it started a rather large thread, given how silly this bug actually is (a screensaver breaker...ooooh now I'm quaking in my boots). I thought it was excessive that -anyone- responded to his thread, and now it got posted on /. ? What gives?
;)
Probably going to get modded down for troll, but I had to vent. Excuse me.
"Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
If I am not mistaken, this was on Slashdot a while back. Apple was quick to correct this.
The only problem (an ironic one) is that they updated the flaw through Software Update =)
tilTrue.info contechtext.info prettypowerful.info twitter.com/frets fb.com/prosody
...you can probably just boot using a CD or external hard drive, which results in a much worse security problem, since it'll give you access to Mac OS 9. You can use that to trash the Mac OS X system, since you can destroy all the normally hidden files and not worry about permissions.
A screensaver password vulnerability works just as well remotely as with physical access. The screensaver is just another X11 program which runs the same way whether local or remote.
While this in itself doesn't give *easy* access, it might very well open for a remote X spoof attack from a third party.
Regards,
--
*Art
That's quite an interesting statement. Do you have any evidence whatsoever that open source security bugs get fixed faster than closed source ones? Compare Linux with Solaris, if you want a level playing field.
Not a troll--I've heard this statement tossed out so many times as absolute fact, and yet I don't know if it's ever been tested.
As for Samba, you might have had good luck with a security patch, but we had a bug that caused a production system to crater (12 CPUs and about 8GB of RAM) completely. It existed for TWO YEARS after being reported because no one on the Samba team felt like dealing with it. Sometimes you really do get what you pay for.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
On any computer using OSX, it is possible to change the root password with 6 easy steps:
/"
Reboot the computer
Hold down appl ctrl + S
Type "mount -uw
"su" (it doesn't ask for a password)
"/sbin/systemstarter"
"passwd"
Hmm? Smells like a formatting bug
Just FYI Panther seems immune to this exploit.
Tried doing the procedure ~10 minutes in the Screen Saver and nothing happened. Then tried again in a few other Cocoa apps. Still nothing. Just worked like normal (for once this is a good thing).
My only question is if Apple acknowledged this flaw in Jaguar and then fixed it in Panther, or if Apple just ended up fixing it quite accidentally.
And yes, I realize most people can't just upgrade to Panther yet to fix this rather major oversight on Apple's part.
Yea and I think that you should be able to use Exposé as a screensaver =)
Reminds me of that old local root exploit in SunOS where you could just hold down the enter key at the login: prompt and get root.
99.9% of Linux users never patch their OS manually (i.e. edit source code and recompile)
Because you run abc-2.2-9rh9.i386.rpm. A patch is available for abc-2.2-1, but it doesn't apply cleanly to abc-2.2-9rh9.src.rpm.
Now you have two choices: download the abc-2.2-1 original tarball, apply the patch and recompile (thus tainting your 'pristine' rpm and possibly screwing dependencies). Or be like me and just wait for Red Hat to release an updated package.
Now suppose you were adventurous and proceeded to download abc-2.2-1.tar.gz. Then it complains you don't have foo-devel headers. @#$ OK so you get foo-devel. Next thing you know the source tree is 100+ megs and compiling takes 5+ hours. If you're lucky and the package compiled, then "Welcome to the Next Level!" and pray you didn't break anything...
[Insert your source-code adventure here]
I tested the exploit by copying/pasting blocks of text, and although the screensaver server failed momentarily, it came right back up and I had to enter my password to get to the Desktop.
Seems to me this is not a universal hole (i.e. it might be something on certain people's machines).