Local authorization bypass by using suspend mode

Bug #1777415 reported by Yuriy Bosov
This bug affects 9 people
Affects | Status | Importance | Assigned to | Milestone
Unity | New | Undecided | Unassigned |
pam (Ubuntu) | | Undecided | Unassigned |
unity (Ubuntu) | | Undecided | Unassigned |

Bug Description

Version: Ubuntu 16.04.04 LTS Desktop, all packages are updated as of 15.06.2018
Affects: access to the user's most recently opened applications, which can contain sensitive information (documents, private information, passwords, etc.)
How to reproduce:
1. open some applications (LibreOffice, browsers, editors, ...)
2. go to suspend mode
3. extract hard drive
4. wake up
5. after that, several behaviors are possible:
 * Ubuntu shows the lock screen. Enter ANY password -> access granted.
 * Ubuntu shows the lock screen. Enter ANY password, access denied. Quickly press the hardware shutdown button -> access granted.
 * Ubuntu does not show the lock screen, only a black screen. We can repeat the actions from the previous items.

Yuriy Bosov (ybosov) wrote :

Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue.

In other words, you removed the hard disk while the system is suspended?

Can I make this bug public?

Yuriy Bosov (ybosov) wrote :

>> In other words, you removed the hard disk while the system is suspended?
Yes.
After that I wake up the system, and I can get access to the last opened apps. It works stably in Unity.

>> Can I make this bug public?
I think this is a bad idea, because it is a security issue.

Marc Deslauriers (mdeslaur) wrote :

We're unlikely to fix this, since having physical access means an attacker could simply access the hard disk directly or replace the password on it and unlock the computer.

Yuriy Bosov (ybosov) wrote :

You can see in the video that an attacker can get access to sensitive data, such as an opened KeePass with passwords, or documents in memory.

Yuriy Bosov (ybosov) wrote :

Can I publish my research?

Marc Deslauriers (mdeslaur) wrote :

Yes, you can.

affects: unity-2d → unity
affects: ubuntu → unity (Ubuntu)
Yuriy Bosov (ybosov)
information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in unity (Ubuntu):
status: New → Confirmed
George Shuklin (george-shuklin) wrote :

If this bug is the result of errors on the filesystem, it can manifest itself due to hardware failure. If the system grants access to user data because of a minor filesystem malfunction, it's a problem.

I believe that the screensaver should handle exceptions in the underlying libraries in such a way as to prevent unauthorized access even if the underlying library is faulty.
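
A sketch of the fail-closed handling asked for in the comment above, as an added example that is not part of the bug report or of any screen locker's code: a locker that delegates the password check to a helper process unlocks only on a clean exit 0 and treats exec failure and signal death as a denial. The function names and the helper commands are hypothetical stand-ins.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed policy: only a clean exit(0) from the auth helper unlocks. */
static bool status_grants_unlock(int wstatus)
{
    return WIFEXITED(wstatus) && WEXITSTATUS(wstatus) == 0;
}

/* Hypothetical locker step: run the helper in argv and decide fail-closed. */
static bool helper_grants_unlock(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return false;            /* could not start the check: deny */
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);              /* helper missing or unreadable: deny */
    }
    int wstatus = 0;
    pid_t r;
    do {
        r = waitpid(pid, &wstatus, 0);
    } while (r < 0 && errno == EINTR);
    if (r != pid)
        return false;            /* lost track of the helper: deny */
    return status_grants_unlock(wstatus);
}

int main(void)
{
    /* Constructed stand-ins for the outcomes a real helper can have. */
    char *accepted[] = { "true", NULL };                      /* exit 0 */
    char *rejected[] = { "false", NULL };                     /* exit 1 */
    char *missing[]  = { "/nonexistent/auth-helper", NULL };  /* exec fails */
    /* SIGBUS is what a process gets when a mapped file page cannot be read. */
    char *crashed[]  = { "sh", "-c", "kill -s BUS $$", NULL };

    printf("accepted: %d\n", helper_grants_unlock(accepted));
    printf("rejected: %d\n", helper_grants_unlock(rejected));
    printf("missing:  %d\n", helper_grants_unlock(missing));
    printf("crashed:  %d\n", helper_grants_unlock(crashed));
    return 0;
}
```

The same rule applies to the locker process itself: if it can exit or crash and leave the session visible, the design fails open regardless of how the helper's result is interpreted.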

Paul Hill (zikalify) wrote :

Is this just affecting Ubuntu 16.04.4 or all Linux distros and all Ubuntu versions?

Jonathan Polak (jpolak) wrote :

I confirm it affects Mate 18.04 as well.

Moreover, a new bug on mate 18.04, plugging in an HDMI screen upon receiving the lockscreen, sometimes allows you to bypass it completely.

Seth Arnold (seth-arnold) wrote :

Jonathan, please file a new bug against xfce's screenlocking package with instructions for reproducing, hopefully someone will know how to address it.

Paul, this issue is likely to affect far more than just Ubuntu, programmers are in general not expecting IO errors at every syscall interface.

Thanks

Compinfer (nvkinf) wrote :

The system must not give access to the system with wrong passwords, in any case! Dear Ubuntu developers, please pay attention. Don't ignore the issue.

Yuriy Bosov (ybosov) wrote :

This bug has been tested on:
* Ubuntu 14.04
* Ubuntu 16.04
* Ubuntu 16.10
* Ubuntu 17.04
All of them are affected.

Markus Laire (malaire) wrote :

"... having physical access means an attacker could simply access the hard disk directly or replace the password on it ..."

Does this bug work when using full disk encryption? If yes, then ABOVE QUOTE IS WRONG since having physical access does NOT mean having access to hard disk contents if hard disk is encrypted.

If this bug allows access to the contents of an encrypted hard disk, then this is a very serious bug indeed.

ras (ras82x) wrote :

Markus Laire,
Yes, the bug is exploitable even with full disk encryption. Among other things, if there's an open instant messaging app, an attacker can send a message which would appear as if it was sent by the authenticated user.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in pam (Ubuntu):
status: New → Confirmed
tags: added: xenial
Jarno Suni (jarnos) wrote :

Seth, what do you mean by Xfce's screenlocking package? Ubuntu Mate 18.04 does not contain the light-locker package by default: http://cdimage.ubuntu.com/ubuntu-mate/releases/18.04/release/ubuntu-mate-18.04-desktop-amd64.manifest

What is the screenlocking package for Mate?

Seth Arnold (seth-arnold) wrote :

Jarno, sorry, that was a typo on my part. It looks like mate's screenlocker is mate-screensaver.

Thanks

Jarno Suni (jarnos) wrote :

Is this bug affecting gnome-screensaver and mate-screensaver only? light-locker is a fork of gnome-screensaver, too, but I could not reproduce the bug in Xubuntu using light-locker.

Nicolas Göddel (ngoeddel) wrote :

> Jonathan Polak (jpolak) wrote on 2018-07-09:
> I confirm it affects Mate 18.04 as well.
>
> Moreover, a new bug on mate 18.04, plugging in an HDMI screen upon receiving the lockscreen,
> sometimes allows you to bypass it completely.

I have known about this bug for years. When I put my Thinkpad on the docking station while it was sleeping, it sometimes happened that gnome-shell just started without asking for a password. And I don't even have to extract the hard disk. I remember some guys from the Ubuntu community told me years ago that it's a known issue with Xorg and gnome-shell. I did not file a bug or look for a known bug because it happened very seldom, but the bug persisted for many years and I don't know for sure whether it has been fixed by now.

Steve Langasek (vorlon) wrote :

Which files, when missing, cause this to happen? Can you provide strace output of the failing process?

This seems unlikely to be due to PAM, which has fairly well exercised error handling and is designed to fail closed; but it's possible there is a bug in the configuration of PAM for one or more services.

Changed in pam (Ubuntu):
status: Confirmed → Incomplete