Local authorization bypass by using suspend mode

Bug #1777415 reported by Yuriy Bosov on 2018-06-18
This bug affects 6 people
Affects | Status | Importance | Assigned to | Milestone
Unity | New | Undecided | Unassigned |
pam (Ubuntu) | | Undecided | Unassigned |
unity (Ubuntu) | | Undecided | Unassigned |

Bug Description

Version: Ubuntu 16.04.04 LTS Desktop, all packages updated as of 15.06.2018
Affects: access to the user's most recently opened applications, which can contain sensitive information (documents, private information, passwords, etc.)
How to reproduce:
1. open some applications (LibreOffice, browsers, editors, ...)
2. go to suspend mode
3. extract hard drive
4. wake up
5. after that, several behaviors are possible:
 * Ubuntu shows the lock screen. Enter ANY password -> access granted.
 * Ubuntu shows the lock screen. Enter ANY password, access denied. Quickly press the hardware shutdown button -> access granted.
 * Ubuntu does not show the lock screen, only a black screen. We can repeat the actions from the previous items.

Yuriy Bosov (ybosov) wrote :
Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue.

In other words, you removed the hard disk while the system is suspended?

Can I make this bug public?

Yuriy Bosov (ybosov) wrote :

>> In other words, you removed the hard disk while the system is suspended?
Yes.
After that I wake up the system, and I can get access to the last opened apps. It works reliably in Unity.

>> Can I make this bug public?
I think this is a bad idea, because it is a security issue.

Marc Deslauriers (mdeslaur) wrote :

We're unlikely to fix this, since having physical access means an attacker could simply access the hard disk directly or replace the password on it and unlock the computer.

Yuriy Bosov (ybosov) wrote :

You can see in the video that an attacker can get access to sensitive data, such as an opened KeePass with passwords, or documents in memory.

Yuriy Bosov (ybosov) wrote :

Can I publish my research?

Marc Deslauriers (mdeslaur) wrote :

Yes, you can.

affects: unity-2d → unity
affects: ubuntu → unity (Ubuntu)
Yuriy Bosov (ybosov) on 2018-07-09
information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in unity (Ubuntu):
status: New → Confirmed
George Shuklin (george-shuklin) wrote :

If this bug is the result of errors on the filesystem, it can manifest itself due to hardware failure. If the system grants access to user data because of a minor filesystem malfunction, it's a problem.

I believe that the screensaver should handle exceptions in the underlying libraries in such a way as to prevent unauthorized access even if the underlying library is faulty.

Paul Hill (zikalify) wrote :

Is this just affecting Ubuntu 16.04.4 or all Linux distros and all Ubuntu versions?

Jonathan Polak (jpolak) wrote :

I confirm it affects Mate 18.04 as well.

Moreover, there is a new bug on Mate 18.04: plugging in an HDMI screen upon receiving the lock screen sometimes allows you to bypass it completely.

Seth Arnold (seth-arnold) wrote :

Jonathan, please file a new bug against xfce's screenlocking package with instructions for reproducing; hopefully someone will know how to address it.

Paul, this issue is likely to affect far more than just Ubuntu; programmers are in general not expecting IO errors at every syscall interface.

Thanks
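The fail-closed behaviour George Shuklin asks for, under the I/O-error condition Seth Arnold describes, as an added example (not code from Unity, PAM or any screen locker). The file-backed verifier, the plaintext comparison and all names are constructed stand-ins; the point is only how the unlock decision treats an I/O error.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of one verification attempt (hypothetical names). */
typedef enum { VERIFY_OK, VERIFY_BAD_PASSWORD, VERIFY_IO_ERROR } verify_result;

/* Constructed stand-in for a credential backend: compares the attempt with
 * a secret stored in a file. Real lockers go through PAM and hashed secrets. */
static verify_result verify_from_file(const char *path, const char *attempt) {
    char stored[128];
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return VERIFY_IO_ERROR;            /* store missing or unreadable */
    char *line = fgets(stored, sizeof stored, f);
    int read_failed = (line == NULL) || ferror(f);
    fclose(f);
    if (read_failed)
        return VERIFY_IO_ERROR;            /* read error or empty store */
    stored[strcspn(stored, "\n")] = '\0';
    return strcmp(stored, attempt) == 0 ? VERIFY_OK : VERIFY_BAD_PASSWORD;
}

/* Fail-open: anything except an explicit mismatch unlocks, so an I/O
 * error on the backing store is treated like a correct password. */
int unlock_fail_open(const char *path, const char *attempt) {
    return verify_from_file(path, attempt) != VERIFY_BAD_PASSWORD;
}

/* Fail-closed: only an explicit VERIFY_OK unlocks; every error denies. */
int unlock_fail_closed(const char *path, const char *attempt) {
    return verify_from_file(path, attempt) == VERIFY_OK;
}

/* Writes the constructed sample store; returns 0 on success. */
int write_sample_store(const char *path, const char *secret) {
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    int ok = fprintf(f, "%s\n", secret) > 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

int main(void) {
    const char *path = "sample_store.txt";  /* constructed path */
    write_sample_store(path, "correct horse");
    printf("store present: open=%d closed=%d\n", unlock_fail_open(path, "wrong"), unlock_fail_closed(path, "wrong"));
    remove(path);                            /* backing store disappears */
    printf("store gone:    open=%d closed=%d\n", unlock_fail_open(path, "wrong"), unlock_fail_closed(path, "wrong"));
    return 0;
}
```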

Compinfer (nvkinf) wrote :

The system must not give access to the system with wrong passwords, in any case! Dear Ubuntu developers, please pay attention. Don't ignore the issue.

Yuriy Bosov (ybosov) wrote :

This bug has been tested on:
* Ubuntu 14.04
* Ubuntu 16.04
* Ubuntu 16.10
* Ubuntu 17.04
All of them are affected.

Markus Laire (malaire) wrote :

"... having physical access means an attacker could simply access the hard disk directly or replace the password on it ..."

Does this bug work when using full disk encryption? If yes, then ABOVE QUOTE IS WRONG since having physical access does NOT mean having access to hard disk contents if the hard disk is encrypted.

If this bug allows access to the contents of an encrypted hard disk, then this is a very serious bug indeed.

ras (ras82x) wrote :

Markus Laire,
Yes, the bug is exploitable even with full disk encryption. Among other things, if there's an open instant messaging app, an attacker can send a message which would appear as if it was sent by the authenticated user.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in pam (Ubuntu):
status: New → Confirmed
tags: added: xenial
Jarno Suni (jarnos) wrote :

Seth, what do you mean by Xfce's screenlocking package? Ubuntu Mate 18.04 does not contain light-locker package by default: http://cdimage.ubuntu.com/ubuntu-mate/releases/18.04/release/ubuntu-mate-18.04-desktop-amd64.manifest

What is the screenlocking package for Mate?

Seth Arnold (seth-arnold) wrote :

Jarno, sorry, that was a typo on my part. It looks like mate's screenlocker is mate-screensaver.

Thanks

This report contains Public Security information
Everyone can see this security related information.
