Logon screen can be bypassed using various shortcuts

Bug #1948339 reported by Bastian Kanbach
This bug affects 2 people
Affects                        Status        Importance  Assigned to      Milestone
arctica-greeter (Ubuntu)       Fix Released  Critical    Martin Wimpress
lightdm (Ubuntu)               Invalid       Undecided   Unassigned
marco (Ubuntu)                 Fix Released  Critical    Martin Wimpress
mate-settings-daemon (Ubuntu)  Invalid       Undecided   Unassigned

Bug Description

Hi,

my little daughter discovered a logon screen bypass in Ubuntu Mate 21.10 after hitting the keyboard for a while.

It turns out that several keyboard shortcuts are allowed while Ubuntu Mate is locked (arctica-greeter):

- Mod4 + S (mate-search-tool)
- Mod4 + E (Open Caja / File Explorer)
- CTRL + Shift + Esc (mate-system-monitor)
- PRNT (Screenshot)

All of the mentioned shortcuts could be used to spawn a file explorer (Caja) or various other binaries as user "lightdm", who owns the logon screen.

Although an interactive terminal like mate-terminal, xterm, lxterm etc. could not be opened directly, there are various options to run commands as the lightdm user, for example by creating a shell script using "caja" and executing it directly from the GUI.

I've attached Proof-of-Concept GIFs for all shortcuts mentioned above. There might be additional shortcuts that could be used to achieve the same, however I'm not aware of every shortcut that is configured, but I suppose that the root cause is located somewhere in arctica-greeter, rather than within every single binary launched by shortcuts.

The bug was reproduced on a fresh installation of Ubuntu Mate 21.10. I haven't tested other versions of Ubuntu Mate yet.

Please find additional version details below:

$ apt-cache policy lightdm

lightdm:
  Installed: 1.30.0-0ubuntu4
  Candidate: 1.30.0-0ubuntu4
  Version table:
 *** 1.30.0-0ubuntu4 500
        500 http://de.archive.ubuntu.com/ubuntu impish/universe amd64 Packages
        100 /var/lib/dpkg/status

$ apt-cache policy arctica-greeter

arctica-greeter:
  Installed: 0.99.1.5-2nmu1
  Candidate: 0.99.1.5-2nmu1
  Version table:
 *** 0.99.1.5-2nmu1 500
        500 http://de.archive.ubuntu.com/ubuntu impish/universe amd64 Packages
        100 /var/lib/dpkg/status

Thanks,
Basti

Tags: jammy impish
Bastian Kanbach (bkanbach) wrote :
summary: - Lock screen can be bypassed using various shortcuts
+ Logon screen can be bypassed using various shortcuts
description: updated
Norbert (nrbrtx)
tags: added: impish
tags: added: hirsute
tags: added: groovy
Seth Arnold (seth-arnold) wrote :

Your daughter does good work :)

Thanks

information type: Private Security → Public Security
Norbert (nrbrtx) wrote :

Upstream is now informed via https://github.com/ArcticaProject/arctica-greeter/issues/28 . I cited this bug there.
Bastian Kanbach (bkanbach), you are welcome to add more comments there.

Bastian Kanbach (bkanbach) wrote :

Thanks :)

I haven't registered a CVE yet and I'm waiting for final confirmation which components are causing the described issue. Happy to contribute to the ArcticaProject issue tracker directly.

As you also mentioned I can confirm that the affected arctica-greeter version is present in the following versions of Ubuntu Mate:

Ubuntu Mate 20.10 - Groovy Gorilla
Ubuntu Mate 21.04 - Hirsute Hippo
Ubuntu Mate 21.10 - Impish Indri

It doesn't seem to work for 20.04 - Focal Fossa.

Norbert (nrbrtx)
tags: added: jammy
removed: groovy
Bastian Kanbach (bkanbach) wrote :

Hi all,

I narrowed it down and found that arctica-greeter is invoking "marco" to make handling of windows opened by some of the indicators easier.

However, marco listens for all keybindings, and that's the reason why keybindings work on the logon screen.

The affected code path was introduced with arctica-greeter 0.99.1.1 (Feb 6, 2019) and is located in https://github.com/ArcticaProject/arctica-greeter/blob/master/src/arctica-greeter.vala.

I've also added a comment to the issue within the arctica-greeter repo. Should be a straight forward fix.

Cheers,
Basti

Chris Guiver (guiverc) wrote :

hirsute (21.04) is EOL, but thank you for your research, @Bastian

tags: removed: hirsute
Bastian Kanbach (bkanbach) wrote :

Exactly, so at the moment only the following are affected:

- impish
- jammy

I've added a few comments to the arctica-greeter repo and issued a pull request that basically reverts the commit that introduced the weakness.

However, this still needs to be reviewed by the maintainers.

Martin Wimpress  (flexiondotorg) wrote :

Sorry for the late reply on this issue. I only saw it a few days ago. I've spoken with the Arctica greeter developer and we've been working on a fix.

The issue is this: Arctica Greeter requires a window manager and it invokes Marco, the window manager from MATE Desktop. Marco handles keybindings and by default has a number of them predefined. Ubuntu MATE adds a few more. This is why you are able to invoke applications bound to keybindings in Marco from Arctica Greeter.

The proposed solution is to add a patch to Marco so that it can be invoked with keybindings disabled and then patch Arctica Greeter to invoke Marco with the argument to disable its keybindings.

I will start preparing patched versions of Marco and Arctica Greeter in a PPA for testing/validation.

Changed in arctica-greeter (Ubuntu):
status: New → Triaged
Changed in lightdm (Ubuntu):
status: New → Invalid
Changed in mate-settings-daemon (Ubuntu):
status: New → Invalid
Changed in marco (Ubuntu):
status: New → Triaged
Changed in arctica-greeter (Ubuntu):
importance: Undecided → Critical
assignee: nobody → Martin Wimpress  (flexiondotorg)
Changed in marco (Ubuntu):
importance: Undecided → Critical
assignee: nobody → Martin Wimpress  (flexiondotorg)
no longer affects: ubuntu-mate
Changed in marco (Ubuntu):
status: Triaged → In Progress
Changed in arctica-greeter (Ubuntu):
status: Triaged → In Progress
Bastian Kanbach (bkanbach) wrote :

That sounds great, thank you very much. I guess it's an optimal way to keep the marco look-and-feel and have it invoked securely at the same time.

Could there be a scenario where arctica-greeter is upgraded on a system but marco is not? (e.g. arctica-greeter invoking "marco --no-keybindings" when a version of marco is installed that doesn't support this switch yet). I guess this would be a very rare edge case anyway.

Is the Ubuntu CNA handling the CVE assignment for this issue automatically, or do I have to request a CVE-id?

Changed in arctica-greeter (Ubuntu):
status: In Progress → Fix Committed
Changed in marco (Ubuntu):
status: In Progress → Fix Committed
Martin Wimpress  (flexiondotorg) wrote :

@bkanbach I can version the marco Recommends, ensuring both packages update in lockstep. I have spoken to the Ubuntu Security team and they will handle the CVE assignment.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package arctica-greeter - 0.99.1.5-2nmu3

---------------
arctica-greeter (0.99.1.5-2nmu3) jammy; urgency=medium

  * debian/patches:
    + Add 2002_shutdown-dialog-font.patch. (LP: #1916770)
  * debian/control:
    + Version Recommends: marco (>= 1.26.0-3~) (LP: #1948339)

 -- Martin Wimpress <email address hidden> Tue, 12 Apr 2022 13:24:46 +0100

Changed in arctica-greeter (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package marco - 1.26.0-3ubuntu1

---------------
marco (1.26.0-3ubuntu1) jammy; urgency=medium

  * debian/patches:
    + Add 1000_add-no-keybindings.patch (LP: #1948339)

 -- Martin Wimpress <email address hidden> Tue, 12 Apr 2022 10:28:18 +0100

Changed in marco (Ubuntu):
status: Fix Committed → Fix Released
Bastian Kanbach (bkanbach) wrote (last edit):

Hi all,

thanks a lot, I upgraded to MATE 22.04 and could confirm that marco is no longer recognising its keybindings.

---

However I discovered a second issue some minutes ago:

I installed MATE 22.04 on another system with some special keys on the keyboard, and one of the keys (Fn + F9) on the connected keyboard is launching "mate-search-tool". I did some further research and noticed that this time a different component is affected: mate-settings-daemon.

When I terminated mate-settings-daemon via an SSH connection, the keybinding was no longer accepted.

20.04.3 does not seem to be affected, as slick-greeter is not relying on mate-settings-daemon. So it's probably 20.10 up to 22.04.

I will add a comment to the existing issue within the arctica-greeter project.

Not sure what the best fix is - either something similar like "marco --no-keybindings", or by not invoking mate-settings-daemon at all, although I guess this could break some ayatana-indicators features.

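The check a practitioner would want after reading this thread, as an added example that is not part of the bug report and not code from the arctica-greeter or marco packages: a small POSIX shell audit that inspects the process list of a machine sitting at the lock screen (e.g. from an SSH session, the way the reporter verified the second finding) and flags the two conditions discussed above, marco running as the greeter user without the keybinding-disabling switch, and mate-settings-daemon running as the greeter user at all. It assumes the greeter's helper processes run as user "lightdm" (the page says lightdm owns the logon screen; the name is overridable through GREETER_USER), that the switch added by the marco patch is spelled exactly "--no-keybindings" as the discussion proposes, and that the versioned Recommends from the arctica-greeter changelog (marco >= 1.26.0-3~) is the right floor for a dpkg version comparison. The two process snapshots in the script are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added audit script for the weaknesses discussed in LP #1948339. Not from the
# bug report nor from the arctica-greeter/marco projects.
# Assumptions: greeter helpers run as GREETER_USER (default "lightdm"); the
# patched marco accepts a literal "--no-keybindings" switch.
set -f   # no globbing while we split command lines with "set --"

GREETER_USER="${GREETER_USER:-lightdm}"

# Reads "user cmdline" lines on stdin (the shape of `ps -eo user:20,args`),
# prints one "FINDING:" line per problem and returns 0 only when clean.
audit_greeter_procs() {
    findings=0
    while IFS= read -r line; do
        user=${line%% *}
        rest=${line#* }
        [ "$user" = "$GREETER_USER" ] || continue
        set -- $rest            # $1 = program path, rest = its arguments
        [ $# -gt 0 ] || continue
        cmd=$*
        prog=${1##*/}
        case "$prog" in
            marco)
                case " $cmd " in
                    *" --no-keybindings "*) ;;   # patched invocation, fine
                    *) echo "FINDING: marco runs as $GREETER_USER with keybindings enabled: $cmd"
                       findings=$((findings + 1)) ;;
                esac ;;
            mate-settings-daemon)
                # Second finding: media-key bindings are handled by this daemon
                # regardless of how marco was started.
                echo "FINDING: mate-settings-daemon runs as $GREETER_USER: $cmd"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample snapshots (not real captures) in `ps -eo user:20,args` shape.
SAMPLE_VULNERABLE='lightdm              /usr/sbin/lightdm
lightdm              /usr/bin/marco
lightdm              /usr/bin/mate-settings-daemon
basti                /usr/bin/marco
root                 /usr/sbin/sshd -D'

SAMPLE_FIXED='lightdm              /usr/sbin/lightdm
lightdm              /usr/bin/marco --no-keybindings
basti                /usr/bin/mate-settings-daemon'

# Number of findings for a snapshot string.
count_findings() {
    printf '%s\n' "$1" | audit_greeter_procs | grep -c '^FINDING:'
}

# Live mode: run while the console shows the lock screen. Also checks that the
# installed marco is at least the version the fixed arctica-greeter Recommends.
audit_live() {
    rc=0
    ps -eo user:20,args --no-headers | audit_greeter_procs || rc=1
    if installed=$(dpkg-query -W -f='${Version}' marco 2>/dev/null); then
        dpkg --compare-versions "$installed" ge '1.26.0-3~' ||
            { echo "FINDING: marco $installed predates 1.26.0-3~"; rc=1; }
    fi
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    echo "vulnerable snapshot: $(count_findings "$SAMPLE_VULNERABLE") finding(s)"
    echo "fixed snapshot: $(count_findings "$SAMPLE_FIXED") finding(s)"
fi
```

Run it with `--live` over SSH while the machine is locked; without arguments it evaluates the two built-in snapshots (two findings for the vulnerable one, none for the fixed one). Matching on the program basename rather than the full path keeps the check independent of where the distribution installs marco.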