Ubuntu 14.04: security problem in the lock screen

Bug #1308572 reported by Marco Agnese
300
This bug affects 7 people
Affects Status Importance Assigned to Milestone
Unity
Fix Released
Critical
Andrea Azzarone
unity (Ubuntu)
Fix Released
Critical
Andrea Azzarone

Bug Description

affects ubuntu

Hello,
I am running Ubuntu 14.04 with all the packages updated.
When the screen is locked with password, if I hold ENTER after some
seconds the screen freezes and the lock screen crashes. After that I
have the computer fully unlocked.

--
Marco Agnese

This bug is about the lockscreen being bypassed when unity crashes/restarts, which is a critcal security issue. The crash will be handled from bug 1308750

Tags: lockscreen

Related branches

Marco Agnese (magnese)
description: updated
information type: Public → Private Security
information type: Private Security → Public Security
affects: ubuntu → gnome-screensaver (Ubuntu)
Revision history for this message
Brian Murray (brian-murray) wrote :

I've recreated this and after holding the enter key for quite some time my screen was unlocked. I noticed the following in /var/log/syslog:

Apr 16 12:41:14 blacklightning gnome-session[2708]: WARNING: Application 'compiz.desktop' killed by signal 6
Apr 16 12:41:14 blacklightning gnome-session[2708]: WARNING: App 'compiz.desktop' respawning too quickly
Apr 16 12:41:14 blacklightning gnome-session[2708]: CRITICAL: We failed, but the fail whale is dead. Sorry....

Revision history for this message
Brian Murray (brian-murray) wrote :

/var/log/auth.log indicates quite some time is about 30 seconds so not that long.

Revision history for this message
Adam Conrad (adconrad) wrote :

14:13 < infinity> jdstrand: If you're hunting down people to poke about this, can you (strongly) suggest that this needs two fixes? First, obviously it shouldn't crash, but second, a restart-post-crash of unity should *always* start locked.
14:13 < infinity> jdstrand: Since there's no way to 100% be sure you know the previous state, one can only assume a rexec may need to be locked, and may becomes must because of the uncertainty.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This probably needs two fixes: fix the crasher and making sure a restart of unity after a crash is locked.

Iain Lane (laney)
affects: gnome-screensaver (Ubuntu) → unity (Ubuntu)
Changed in unity:
status: New → Triaged
Changed in unity (Ubuntu):
status: New → Triaged
Changed in unity:
importance: Undecided → Critical
Changed in unity (Ubuntu):
importance: Undecided → Critical
Revision history for this message
Adam Conrad (adconrad) wrote :

To be clear, the "always restart locked" half of the fix is the more important bit. The crash is embarrassing, but crashes will happen, and we'll find others. Having it restart unlocked is bordering on unforgivable, and we should focus on fixing that first.

Changed in unity:
assignee: nobody → Brandon Schaefer (brandontschaefer)
Changed in unity (Ubuntu):
status: Triaged → In Progress
Changed in unity:
status: Triaged → In Progress
Changed in unity (Ubuntu):
assignee: nobody → Brandon Schaefer (brandontschaefer)
description: updated
Changed in unity:
assignee: Brandon Schaefer (brandontschaefer) → nobody
assignee: nobody → Marco Trevisan (Treviño) (3v1n0)
Changed in unity (Ubuntu):
assignee: Brandon Schaefer (brandontschaefer) → Marco Trevisan (Treviño) (3v1n0)
Andrea Azzarone (azzar1)
Changed in unity:
assignee: Marco Trevisan (Treviño) (3v1n0) → Andrea Azzarone (andyrock)
Changed in unity (Ubuntu):
assignee: Marco Trevisan (Treviño) (3v1n0) → Andrea Azzarone (andyrock)
Changed in unity:
milestone: none → 7.2.1
Revision history for this message
Robert Bruce Park (robru) wrote :

So both the linked branches built in silo 8, and when I tested it, this is what I found:

1. start unity

2. open terminal (Ctrl+alt+T)

3. type 'sleep 15 && killall -9 compiz'

4. lock screen

observe: screen locks, then unity crashes, then unity restarts locked. so far so good.

5. issue the same command in the terminal again

6. lock the screen again

observe: screen locks, then unity crashes... and doesn't come back.

I'm told this is not a regression (eg it's known that unity does not restart after the first crash) however this is significant because when unity does not restart, that terminal just stays open right there, and while it doesn't respond to keyboard input, it does respond to mouse input, so it's possible to issue commands as the logged-in user by copy & pasting (eg, select some text, right click -> copy, right click -> paste).

So if I'm an attacker and I'm in a position to trigger a crash in compiz, the whole "restarting locked" thing seems kind of weak, because all I have to do is crash compiz... twice. Granted the unity-free UI is quite limited, maybe there's a browser open and I can access the user's email, or whatever. it's still an attack vector.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity - 7.2.0+14.04.20140416-0ubuntu1

---------------
unity (7.2.0+14.04.20140416-0ubuntu1) trusty; urgency=low

  [ Andrea Azzarone ]
  * Do not allow to activate twice the same entry! (LP: #1308572)

  [ Marco Trevisan (Treviño) ]
  * UnityScreen: save a locked.stamp file when locking/unlocking, to
    relock on startup This makes unity to relocks if it was locked
    before crashing... (LP: #1308572)
 -- Ubuntu daily release <email address hidden> Wed, 16 Apr 2014 22:41:19 +0000

Changed in unity (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Marco Trevisan (Treviño) (3v1n0) wrote :

robru: the fact that unity doesn't reload properly after some crashes it's related to to bug #1308800 (it seems upstart is not loading unity, so gnome-session is not reliable at all for this).

Andrea Azzarone (azzar1)
Changed in unity:
status: In Progress → Fix Committed
tags: added: lockscreen
Changed in unity:
status: Fix Committed → Fix Released
Revision history for this message
xtsbdu3reyrbrmroezob (xtsbdu3reyrbrmroezob) wrote :

This Lock Screen bug is just one of many unfixed security issues. Below is another long-standing issue that also allows one to bypass the lock screen...

https://bugs.launchpad.net/ubuntu/+source/gnome-screensaver/+bug/49579

Revision history for this message
Seth (bugs-sehe) wrote :

@kristian-erik-hermansen Cool find, but utterly irrelevant here. That bug is about users blindly trusting the screen to auto-lock (which they _should be able to_).

This bug is about the trust being broken even after they _verified_ that they had _explicitly_ locked their screens. That's (a) a very different issue (b) a very different severity of failure.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Yes, bug 49579 won't get fixed until we move away from xorg into Mir...

Revision history for this message
Marco Trevisan (Treviño) (3v1n0) wrote : Re: [Bug 1308572] [NEW] Ubuntu 14.04: security problem in the lock screen

>
>
> > Yes, bug 49579 won't get fixed until
> we move away from xorg into Mir...

Well I thought the same, but it seems we still might get that fixed even
before ;-)

--
Treviño's World - Life and Linux
http://www.3v1n0.net

Revision history for this message
Oliver Grawert (ogra) wrote :

Just a sidenote: Unlike what the sensationalist article at heise.de from today suggests (which links here), this bug was fixed in a heroc effort over night *before* final release, the fix is on the 14.04 image that was released to end users.

Revision history for this message
Peter Funk (pf-artcom-gmbh) wrote :

Just another sidenote: I'm unaffected by this bug, because I always use xscreensaver instead of those newer unsecure rewrites.
People concerned about security might want to read the
http://www.jwz.org/blog/2014/04/the-awful-thing-about-getting-it-right-the-first-time-is-that-nobody-realizes-how-hard-it-was/
blog post of Jamie Zawinski who has written xscreensaver.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.