Mailinglist Archive: opensuse-bugs (4664 mails)

< Previous Next >
[Bug 577193] New: Gnome screensaver does not lock screen until user/attacker action
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Thu, 4 Feb 2010 21:34:21 +0000
  • Message-id: <bug-577193-21960@xxxxxxxxxxxxxxxxxxxxxxxx/>
http://bugzilla.novell.com/show_bug.cgi?id=577193

http://bugzilla.novell.com/show_bug.cgi?id=577193#c0


Summary: Gnome screensaver does not lock screen until
user/attacker action
Classification: openSUSE
Product: openSUSE 11.2
Version: Final
Platform: x86-64
OS/Version: openSUSE 11.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
AssignedTo: security-team@xxxxxxx
ReportedBy: s.handgraaf@xxxxxxxxx
QAContact: qa@xxxxxxx
Found By: ---
Blocker: ---


User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.7)
Gecko/20091222 SUSE/3.5.7-1.1.1 Firefox/3.5.7

The gnome screensaver does not always lock the screen after the specified
desktop idle period has passed. An attacker can misuse this to view the content
on the screen and/or perform malicious actions on behalf of the user loged on.

The following scenario is an example of such situation with the Firefox web
browser. It is suspected the gnome screensaver does not lock the screen in
other circumstances as well.

The user has set the idle timer for the gnome screensaver to -for example- 1
minute. Then the user starts firefox as provided with the distribution. The
user enters some characters (eg: suse) in the address field of the location
bar. This makes the browser show drop down fields with address susgestion. The
cursor is still blinking in the address field, the mouse is still on the
address field, when the user leaves the system unattended. After 1 minute the
screensaver does not lock the screen, an attacker physically visiting the
system can still view the content of the screen and even perform actions by use
of the keyboard - like scroll through the drop down fields disclosing visited
urls of the user. With some actions, like moving the mouse pointer, the gnome
screensaver is activated at will of the attacker.

On opensuse 11.2 final with latest updates this issue has been noticed and
reproduced.

Reproducible: Always

Steps to Reproduce:
1. configure gnnome screensaver to start after a specific period of idle time
2. start firefox with history of visited urls
3. click on address field and type characters that match any visited urls
4. when drop down box is displayed under address field, leave system idle with
mouse pointer still over address field
5. after idle period the screensaver does not lock the screen
6. after some action (for instance mouse pointer movement) the screensaver does
lock the screen
Actual Results:
1) Screen remains unlocked even if the user does not avtively provide any input
to the system by an input device.
2) Screen remains unlocked even if the user performs actions after the
screensaver should have locked the screen.

Expected Results:
The gnome screensaver should be forced to lock the screen if no input was
provided tot the system by the user after a predefined period of time.

Question is why gnome screensaver 'prefers' to ignore lack of active user input
over apparant input/non-idle notice from an application such as firefox.

From a security perspective I consider this a major issue since any application
can apperantly force the gnome screensaver not to lock the screen without
reconfiguration of the screensaver, allowing information disclosure and even
actions. However, since the attacker must have physical access or already have
control over the system I set the severity to normal.

If this is considered normal behaviour I would expect a clear warning at the
configuration of the screensaver about what is considered as idle.

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

< Previous Next >