Clipboard contents accessible outside user session potentially giving the attacker root access

Bug #1650818 reported by Kristijan Žic 
Affects: unity8 (Ubuntu) | Status: Confirmed | Importance: Undecided | Assigned to: Unassigned | Milestone:

Bug Description

Device: mako
Channel: rc-proposed

Clipboard contents from the last session are accessible outside the user session, potentially giving an attacker with physical access root access if the user had his password in it. That way it can also give the attacker access to the user's other account passwords and other more or less relevant information that was on the clipboard at that time.

Context menu with working "Select All" and "Paste" menu items can be invoked on login screen's "Passphrase" and "Passcode" fields.

Context menu with working "Select All" and "Paste" menu items can be invoked on "Emergency Calls" number field.

If the user locks the device without manually clearing the clipboard, the contents of his session's clipboard can be accessed outside of his session by simply executing a "Paste" action on the above-mentioned fields.

A potential attacker could then get root access if the user had his root passphrase/passcode stored in the clipboard, or just view the clipboard's contents by executing "Paste" in the "Emergency Call" field.

This issue especially impacts users who use password managers or store their passwords in a file.

Videos demonstrating the vulnerability in action (too big for the attachment, sorry):

https://youtu.be/fExDXYe3EJs

https://youtu.be/1W8lQWUPwBE

STEPS TO REPRODUCE:

1] Log into the user session on your device.
2] Focus any text field.
3] Write your Passcode/Passphrase, select it and copy it.
4] From the System indicator panel click on "Lock" to lock your device, or simply use the lock button.
5] Go to the "Emergency Call" and invoke the context menu on the input field.
6] Click the "Paste" menu item to view your "Passcode".
7] Go to the login screen and invoke the context menu on the input field.
8] Click the "Paste" menu item to log into your account without ever writing your password.
9] Go to the terminal and paste your password into the modal window's input field and click "OK".
10] When in the terminal, type "sudo -s" and press Enter.
11] When prompted, paste the clipboard contents into the terminal and press Enter to get root access to the device.
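The root cause in the steps above is that the clipboard outlives the session lock and is readable from the greeter (login screen and "Emergency Call" field). The following is an added reference model of the two obvious mitigations, clearing the clipboard on lock and scoping clipboard reads to the owning session; it is illustration code, not unity8 code, and every class, method and context name in it is hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Context name used by the login screen and the "Emergency Call" dialer
# (constructed name for this model).
GREETER = "greeter"


@dataclass
class ClipboardEntry:
    text: str
    owner_session: str  # session that performed the copy


@dataclass
class Clipboard:
    """Hypothetical clipboard service with two optional mitigations."""
    clear_on_lock: bool = True    # mitigation 1: drop contents when the session locks
    session_scoped: bool = True   # mitigation 2: only the owning session may read
    _entry: Optional[ClipboardEntry] = None
    _locked: bool = False

    def copy(self, text: str, session_id: str) -> None:
        self._entry = ClipboardEntry(text, session_id)

    def lock(self) -> None:
        self._locked = True
        if self.clear_on_lock:
            self._entry = None  # nothing survives into the greeter

    def unlock(self) -> None:
        self._locked = False

    def paste(self, requester: str) -> str:
        """Text visible to `requester` ("greeter" or a session id); '' if none."""
        if self._entry is None:
            return ""
        if self.session_scoped and requester != self._entry.owner_session:
            return ""  # greeter (or another session) gets nothing
        return self._entry.text


def leaks_to_greeter(cb: Clipboard) -> bool:
    """Replay the report: copy a secret in a session, lock, paste from the greeter."""
    cb.copy("correct-horse-battery", "session-alice")  # constructed sample secret
    cb.lock()
    return cb.paste(GREETER) != ""
```

With both mitigations disabled the model reproduces the reported leak; either one alone is enough to stop the greeter paste, and the session-scoped variant still lets the user paste after unlocking.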

description: updated
information type: Private Security → Public Security
Changed in unity8 (Ubuntu):
status: New → Confirmed