Local authorization bypass by using suspend mode

Thanks for reporting this issue.

In other words, you removed the hard disk while the system is suspended?

Can I make this bug public?

>> In other words, you removed the hard disk while the system is suspended?
Yes.
After that I wake up system, and I can get access to the last opened apps. It works stable in Unity.

>> Can I make this bug public?
I think this is bad idea, because it is security issue.

We're unlikely to fix this, since having physical access means an attacker could simply access the hard disk directly or replace the password on it and unlock the computer.

You can see in video that attacker can get access to sensitive data, such as opened KeePass with passwords, or documents in memory.

Can I publish my research?

Yes, you can.

Status changed to 'Confirmed' because the bug affects multiple users.

If this bug is result of errors on filesystem, it can manifest itself due to hardware failure. If system grants access to user data because of a minor filesystem malfunction, it's a problem.

I believe that screensaver should handle exceptions in the underlying libraries in such a way to prevent unauthorized access even if underlying library is faulty.

Is this just affecting Ubuntu 16.04.4 or all Linux distros and all Ubuntu versions?

I confirm it affects Mate 18.04 as well.

Moreover, a new bug on mate 18.04, plugging in an HDMI screen upon receiving the lockscreen, sometimes allows you to bypass it completely.

Jonathan, please file a new bug against xfce's screenlocking package with instructions for reproducing, hopefully someone will know how to address it.

Paul, this issue is likely to affect far more than just Ubuntu, programmers are in general not expecting IO errors at every syscall interface.

Thanks

The system must not give an access to the system with wrong passwords, in any case! Dear Ubuntu developers, please pay attention. Don't ignore the issue.

This bug has been tested on:
* Ubuntu 14.04
* Ubuntu 16.04
* Ubuntu 16.10
* Ubuntu 17.04
All of them are affected.

"... having physical access means an attacker could simply access the hard disk directly or replace the password on it ..."

Does this bug work when using full disk encryption? If yes, then ABOVE QUOTE IS WRONG since having physical access does NOT mean having access to hard disk contents if hard disk is encrypted.

If this bug allows access to contents of encrypted hard disk, then this is very serious bug indeed.

Markus Laire,
Yes, the bug is exploitable even with full disk encryption. Among other things, if there's an open instant messaging app, an attacker can send a message which would appear as if it was sent by the authenticated user.

Status changed to 'Confirmed' because the bug affects multiple users.

Seth, what do you mean by Xfce's screenslocking package? Ubuntu Mate 18.04 does not contain light-locker package by default: http://cdimage.ubuntu.com/ubuntu-mate/releases/18.04/release/ubuntu-mate-18.04-desktop-amd64.manifest

What is the screenlocking package for Mate?

Jarno, sorry, that was a typo on my part. It looks like mate's screenlocker is mate-screensaver.

Thanks

Is this bug affecting gnome-screensaver and mate-screensaver only? light-locker is fork of gnome-screensaver, too, but I could not reproduce the bug in Xubuntu using light-locker.

> Jonathan Polak (jpolak) wrote on 2018-07-09:
> I confirm it affects Mate 18.04 as well.
>
> Moreover, a new bug on mate 18.04, plugging in an HDMI screen upon receiving the lockscreen,
> sometimes allows you to bypass it completely.

I know this bug since years. When setting my Thinkpad on the Dockingstation while it was sleeping it sometimes happens that the gnome-shell just starts without asking for a password. And I don't even have to extract the harddisk. I remember some guys of the ubuntu community told me years ago that's a known issue with Xorg and gnome-shell. I did not file a bug or was looking for a known bug because it happened very seldom but the bug persisted many years and I don't know if it was fixed until now for sure.

Which files, when missing, cause this to happen? Can you provide strace output of the failing process?

This seems unlikely to be due to PAM, which has fairly well exercised error handling and is designed to fail closed; but it's possible there is a bug in the configuration of PAM for one or more services.