Bugtraq mailing list archives
Re: Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14)
From: mns <mns () mnslab com>
Date: Thu, 31 Jul 2003 13:04:10 -0400
On Wednesday, July 30, 2003, at 04:56 PM, Patrick Haruksteiner wrote:
On Wednesday, July 30, 2003, at 10:07 h, Doug White wrote:On Tue, 29 Jul 2003, Patrick Haruksteiner wrote:I discoverd another security issue with the Mac OS X screensaver. If you have installed escapepod from Ambrosia Software and hit crtl-alt-delete(==backspace) when the screensaver with password protection is running, it kills the screensaver and the desktop is open to anybody - so it has the same effect as the recently emerged password-exploit.This is not a bug in Apple software. This is a third party extension.Ambrosia's Escape Pod is a utility that kills the frontmost app when theshortcut keystroke is typed. Naturally it does not ship with MacOS X. Since the screen saver is just another application (called ScreenSaverEngine), if you hit the kill key when its running, it gets killed. Fancy that!I know that! But it should be the concern of the OS that you cannot circumvent its security system with the help of other applications!
I agree with Doug White in the assessment that this is, in fact, an issue that is the responsibility of Ambrosia, if it is to be considered a security issue at all. Apple cannot be held responsible for the code of third party
developers.I downplay the definition of this as a security issue at all because there are so many immediate workarounds. One is not running or installing Escape Pod in the first place. Another is simply logging out when you leave your workstation,
rather than relying on ScreenSaverEngine for your security. Bottom line,there are more direct and more threatening exploits that are available to
people who happen upon an OS X machine unattended. Allow me to describe a couple of them:1) If a user finds a machine unattended, whether running ScreenSaverEngine or not, and regardless of the presence of Escape Pod on said machine, the machine can be booted from an OS X installation CDROM, at which point the "Reset Password" option can be used to change root access to the machine, which allows the user to log in as root, then change the password for any account, including whatever account was initially running ScreenSaverEngine. Data can
then be removed or overwritten at said user's discretion.2) If an unattended machine is discovered, it can also be powered down, and carried off, physically, without regard to the presence of ScreenSaverEngine
or Escape Pod.Do these constitute security threats or exploits that are Apple's responsibility to protect against? Of course not. Both are common sense examples of how many security measures can be circumvented using simple, direct techniques. Neither implies that anyone at Apple should be recoding the operating system, or any of it's underlying core technologies in order to prevent them from being used.
Beispiel: If the rightful user/administrator of any given OS X machine were to install the following shell script, how would it be Apple's responsibility to prevent this?
#!/bin/sh while true do killall ScreenSaverEngine sleep 60 done - m a t t h e w n . s h a r p mns(at)mnslab.com
Current thread:
- Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14) Patrick Haruksteiner (Jul 30)
- Re: Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14) Doug White (Jul 31)
- Re: Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14) Patrick Haruksteiner (Jul 31)
- Re: Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14) mns (Jul 31)
- Re: Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14) Gavin Hanover (Jul 31)
- Re: Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14) Brian Eckman (Jul 31)
- Re: Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14) Fred Noltie (Jul 31)
- Re: Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14) Patrick Haruksteiner (Jul 31)
- Re: Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14) Doug White (Jul 31)
- <Possible follow-ups>
- RE: Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14) CHRIS GRABENSTEIN (Jul 31)