| 2021-10-21 20:21:11 |
Bastian Kanbach |
bug |
|
|
added bug |
| 2021-10-21 20:21:11 |
Bastian Kanbach |
attachment added |
|
lock-screen-bypass-ubuntu-mate-2110.zip https://bugs.launchpad.net/bugs/1948339/+attachment/5534958/+files/lock-screen-bypass-ubuntu-mate-2110.zip |
|
| 2021-10-21 20:59:32 |
Bastian Kanbach |
summary |
Lock screen can be bypassed using various shortcuts |
Logon screen can be bypassed using various shortcuts |
|
| 2021-10-21 21:00:03 |
Bastian Kanbach |
description |
Hi,
my little daughter discovered a lock screen bypass in Ubuntu Mate 21.10 after hitting the keyboard for a while.
It turns out that several keyboard shortcuts are allowed while Ubuntu Mate is locked (arctica-greeter):
- Mod4 + S (mate-search-tool)
- Mod4 + E (Open Caja / File Explorer)
- CTRL + Shift + Esc (mate-system-monitor)
- PRNT (Screenshot)
All of the mentioned shortcuts could be used to spawn a file explorer (Caja) or various other binaries as user "lightdm", who owns the lock screen.
Although an interactive terminal like mate-terminal, xterm, lxterm etc. could not be opened directly, there are various options to run commands as the lightdm user, for example by creating a shell script using "caja", and execute it directly using the GUI.
I've attached Proof-of-Concept GIFs for all shortcuts mentioned above. There might be additional shortcuts that could be used to achieve the same, however I'm not aware about every shortcut that is configured, but I suppose that the root cause is located somewhere in arctica-greeter, rather than within every single binary launched by shortcuts.
The bug was reproduced on a fresh installation of Ubuntu Mate 21.10. I haven't tested other versions of Ubuntu Mate yet.
Please find additional version details below:
$ apt-cache policy lightdm
lightdm:
Installed: 1.30.0-0ubuntu4
Candidate: 1.30.0-0ubuntu4
Version table:
*** 1.30.0-0ubuntu4 500
500 http://de.archive.ubuntu.com/ubuntu impish/universe amd64 Packages
100 /var/lib/dpkg/status
$ apt-cache policy arctica-greeter
arctica-greeter:
Installed: 0.99.1.5-2nmu1
Candidate: 0.99.1.5-2nmu1
Version table:
*** 0.99.1.5-2nmu1 500
500 http://de.archive.ubuntu.com/ubuntu impish/universe amd64 Packages
100 /var/lib/dpkg/status
Thanks,
Basti |
Hi,
my little daughter discovered a logon screen bypass in Ubuntu Mate 21.10 after hitting the keyboard for a while.
It turns out that several keyboard shortcuts are allowed while Ubuntu Mate is locked (arctica-greeter):
- Mod4 + S (mate-search-tool)
- Mod4 + E (Open Caja / File Explorer)
- CTRL + Shift + Esc (mate-system-monitor)
- PRNT (Screenshot)
All of the mentioned shortcuts could be used to spawn a file explorer (Caja) or various other binaries as user "lightdm", who owns the logon screen.
Although an interactive terminal like mate-terminal, xterm, lxterm etc. could not be opened directly, there are various options to run commands as the lightdm user, for example by creating a shell script using "caja", and execute it directly using the GUI.
I've attached Proof-of-Concept GIFs for all shortcuts mentioned above. There might be additional shortcuts that could be used to achieve the same, however I'm not aware about every shortcut that is configured, but I suppose that the root cause is located somewhere in arctica-greeter, rather than within every single binary launched by shortcuts.
The bug was reproduced on a fresh installation of Ubuntu Mate 21.10. I haven't tested other versions of Ubuntu Mate yet.
Please find additional version details below:
$ apt-cache policy lightdm
lightdm:
Installed: 1.30.0-0ubuntu4
Candidate: 1.30.0-0ubuntu4
Version table:
*** 1.30.0-0ubuntu4 500
500 http://de.archive.ubuntu.com/ubuntu impish/universe amd64 Packages
100 /var/lib/dpkg/status
$ apt-cache policy arctica-greeter
arctica-greeter:
Installed: 0.99.1.5-2nmu1
Candidate: 0.99.1.5-2nmu1
Version table:
*** 0.99.1.5-2nmu1 500
500 http://de.archive.ubuntu.com/ubuntu impish/universe amd64 Packages
100 /var/lib/dpkg/status
Thanks,
Basti |
|
| 2021-10-21 21:02:34 |
Norbert |
bug task added |
|
arctica-greeter (Ubuntu) |
|
| 2021-10-21 21:02:43 |
Norbert |
bug task added |
|
lightdm (Ubuntu) |
|
| 2021-10-21 21:02:56 |
Norbert |
bug task added |
|
mate-settings-daemon (Ubuntu) |
|
| 2021-10-21 21:03:10 |
Norbert |
tags |
|
impish |
|
| 2021-10-21 22:02:04 |
Bastian Kanbach |
tags |
impish |
hirsute impish |
|
| 2021-10-21 22:29:44 |
Bastian Kanbach |
tags |
hirsute impish |
groovy hirsute impish |
|
| 2021-10-22 00:34:10 |
Seth Arnold |
information type |
Private Security |
Public Security |
|
| 2021-10-22 00:34:12 |
Seth Arnold |
bug |
|
|
added subscriber Ubuntu Bugs |
| 2021-10-22 07:08:58 |
Norbert |
bug watch added |
|
https://github.com/ArcticaProject/arctica-greeter/issues/28 |
|
| 2021-10-22 07:11:44 |
Norbert |
bug watch added |
|
https://github.com/canonical/lightdm/issues/214 |
|
| 2021-10-24 08:59:05 |
Norbert |
tags |
groovy hirsute impish |
hirsute impish jammy |
|
| 2022-03-04 03:45:29 |
Chris Guiver |
bug |
|
|
added subscriber Chris Guiver |
| 2022-03-04 03:47:45 |
Chris Guiver |
tags |
hirsute impish jammy |
impish jammy |
|
| 2022-04-02 10:08:29 |
Martin Wimpress |
arctica-greeter (Ubuntu): status |
New |
Triaged |
|
| 2022-04-02 10:08:35 |
Martin Wimpress |
lightdm (Ubuntu): status |
New |
Invalid |
|
| 2022-04-02 10:08:41 |
Martin Wimpress |
mate-settings-daemon (Ubuntu): status |
New |
Invalid |
|
| 2022-04-02 10:08:51 |
Martin Wimpress |
bug task added |
|
marco (Ubuntu) |
|
| 2022-04-02 10:08:58 |
Martin Wimpress |
marco (Ubuntu): status |
New |
Triaged |
|
| 2022-04-02 10:09:10 |
Martin Wimpress |
arctica-greeter (Ubuntu): importance |
Undecided |
Critical |
|
| 2022-04-02 10:09:14 |
Martin Wimpress |
arctica-greeter (Ubuntu): assignee |
|
Martin Wimpress (flexiondotorg) |
|
| 2022-04-02 10:09:18 |
Martin Wimpress |
marco (Ubuntu): importance |
Undecided |
Critical |
|
| 2022-04-02 10:09:21 |
Martin Wimpress |
marco (Ubuntu): assignee |
|
Martin Wimpress (flexiondotorg) |
|
| 2022-04-02 10:09:37 |
Martin Wimpress |
bug task deleted |
ubuntu-mate |
|
|
| 2022-04-12 09:26:36 |
Martin Wimpress |
marco (Ubuntu): status |
Triaged |
In Progress |
|
| 2022-04-12 09:46:04 |
Martin Wimpress |
arctica-greeter (Ubuntu): status |
Triaged |
In Progress |
|
| 2022-04-12 10:46:24 |
Martin Wimpress |
arctica-greeter (Ubuntu): status |
In Progress |
Fix Committed |
|
| 2022-04-12 10:46:28 |
Martin Wimpress |
marco (Ubuntu): status |
In Progress |
Fix Committed |
|
| 2022-04-12 18:15:01 |
Launchpad Janitor |
arctica-greeter (Ubuntu): status |
Fix Committed |
Fix Released |
|
| 2022-04-12 18:46:49 |
Launchpad Janitor |
marco (Ubuntu): status |
Fix Committed |
Fix Released |
|
| 2022-04-15 18:00:30 |
Steve Beattie |
bug |
|
|
added subscriber Steve Beattie |
