Ubuntu 14.04 lockscreen bypass

Published: 2014-04-28
Last Updated: 2014-04-28 17:53:46 UTC
by Russ McRee (Version: 1)
4 comment(s)

ISC Handler Rob let us know that @hdmoore Tweeted out: "Upgraded to Ubuntu 14.04? Hold down enter to bypass the lockscreen (what is old is new again): "

The reporter indicates that he was running Ubuntu 14.04 with all the packages updated.
When the screen is locked with a password, holding ENTER causes the screen to freeze after some seconds and the lock screen to crash. After that, the computer is fully unlocked.

The initial report states that the "bug is about the lockscreen being bypassed when Unity crashes/restarts, which is a critical security issue. The crash will be handled from bug 1308750."

To reproduce:
1) Open the lockscreen (Super+L)
2) Hold Enter down
.... wait .....
*Crash*
Expected:
*No crash*
Stacktrace:
http://paste.ubuntu.com/7263684/

According to the bug tracker, the fix has been committed and released. Be cognizant of this issue should you leave an Ubuntu 14.04 host unattended. :-)

Russ McRee | @holisticinfosec

Keywords: Ubuntu

Comments

Odd... Unless "some" seconds is defined as triple digits or more, I get "Invalid password, please try again" displayed. No crash, no strace, just the message.
Bad design. The lockscreen process ought to be monitored in the background by something that will force logout if the lockscreen or monitor process is killed, crashes, or exits in an unexpected manner.
"From the bug tracker, the fix has been committed and released. Be cognitive of this issue should you leave an Ubuntu 14.04 host unattended. :-)"

Shouldn't the recommendation be patch? It's easy enough.
I was not able to recreate this problem on my computer running Ubuntu 14.04. According to the bug tracker link quoted in this diary post this bug was fixed on 4/17/2014 "in a heroic effort over night *before* final release, the fix is on the 14.04 image that was released to end users."
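
One of the comments above calls for a monitor that forces a logout when the lockscreen dies. The following sketch of that fail-closed idea is an added example, not code from the diary, the bug report, or Unity. It assumes a standalone locker program that exits 0 only after a successful unlock and a session managed by systemd-logind; the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example: fail-closed supervisor for a screen locker.
# Assumptions (not from the diary): the locker is a standalone program that
# exits 0 only after a successful unlock, and systemd-logind manages the session.

# Runs when the locker dies without a successful unlock. Kept as a separate
# function so the decision logic can be exercised without ending a real session.
fail_closed() {
    logger -t lockwatch "locker exited with status $1; ending session" 2>/dev/null || true
    if [ -n "${XDG_SESSION_ID:-}" ]; then
        loginctl terminate-session "$XDG_SESSION_ID"
    else
        # No session id in the environment: end all of this user's sessions.
        loginctl terminate-user "$(id -un)"
    fi
}

# classify_exit STATUS: prints unlocked, crashed, or killed.
classify_exit() {
    if [ "$1" -eq 0 ]; then
        echo unlocked
    elif [ "$1" -gt 128 ]; then
        echo killed     # by shell convention 128+N = ended by signal N (139 = SIGSEGV)
    else
        echo crashed
    fi
}

# supervise_locker CMD [ARGS...]: run the locker in the foreground. Any exit
# other than a clean unlock is treated as a failure and ends the session
# instead of leaving the desktop exposed.
supervise_locker() {
    status=0
    "$@" || status=$?
    if [ "$(classify_exit "$status")" != unlocked ]; then
        fail_closed "$status"
        return 1
    fi
    return 0
}

# Stand-alone use: ./lockwatch.sh <locker command>   (file name is hypothetical)
if [ "$#" -gt 0 ]; then
    supervise_locker "$@"
fi
```

The supervisor is itself a process that can be killed, so this narrows the fail-open window rather than removing it.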
