[Full-Disclosure] RE: [VulnWatch] MacOSX - crash screensaver locked with password and get the desktop back

From: Tim Yardley (liquid_at_haveheart.com)
Date: 07/07/03

    To: "'Delfim Machado'" <bipbip@xpto.org>, <bugtraq@securityfocus.com>, <full-disclosure@lists.netsys.com>, <product-security@apple.com>, <vulnwatch@vulnwatch.org>, <vuln@security.nnov.ru>, <bugs@securitytracker.com>
    Date: Mon, 7 Jul 2003 16:10:28 -0500
    
    

    From console:
    2003-07-07 15:59:40.973 ScreenSaverEngine[6247] Exception raised during
    posting of notification. Ignored. exception: *** -[NSCFArray
    objectAtIndex:]: index (0) beyond bounds (0)

    corresponding crashlog:
    Date/Time: 2003-07-07 15:59:38 -0500
    OS Version: 10.2.6 (Build 6L60)
    Host: liquid

    Command: ScreenSaverEngine
    PID: 6244

    Exception: EXC_BAD_ACCESS (0x0001)
    Codes: KERN_INVALID_ADDRESS (0x0001) at 0x822ae308

    Thread 0 Crashed:
     #0 0x9068ba64 in objc_msgSend
     #1 0x97df221c in NSPopAutoreleasePool
     #2 0x930b1dd0 in -[NSApplication run]
     #3 0x00004678 in 0x4678
     #4 0x00004328 in 0x4328
     #5 0x000041a8 in 0x41a8

    Thread 1:
     #0 0x90073c28 in mach_msg_trap
     #1 0x90005f70 in mach_msg
     #2 0xc0007758 in __ape_internal
     #3 0xc0001160 in __ape_agent
     #4 0x90020d28 in _pthread_body

    Thread 2:
     #0 0x90073c28 in mach_msg_trap
     #1 0x90005f70 in mach_msg
     #2 0x901489f0 in __CFRunLoopRun
     #3 0x90180f58 in CFRunLoopRunSpecific
     #4 0x90148240 in CFRunLoopRun
     #5 0x022000cc in thread_main
     #6 0x90020d28 in _pthread_body

    Thread 3:
     #0 0x90014d08 in syscall_thread_switch
     #1 0x97e03ef4 in +[NSThread sleepUntilDate:]
     #2 0x93081cac in -[NSUIHeartBeat _heartBeatThread:]
     #3 0x97e2cc50 in forkThreadForFunction
     #4 0x90020d28 in _pthread_body

    PPC Thread State:
      srr0: 0x9068ba64 srr1: 0x0000f030 vrsave: 0x00000000
       xer: 0x20000000 lr: 0x97df221c ctr: 0x9068ba3c mq: 0x00000000
        r0: 0x97df221c r1: 0xbffff440 r2: 0x24000280 r3: 0x025a2d80
        r4: 0x906ca0d0 r5: 0x00000000 r6: 0x00000000 r7: 0x02236f50
        r8: 0x0004d010 r9: 0x02266288 r10: 0x0004d290 r11: 0x85858584
       r12: 0x80048080 r13: 0x00000000 r14: 0x00000000 r15: 0x00000000
       r16: 0x00000000 r17: 0x00000000 r18: 0x00000000 r19: 0x00000000
       r20: 0x00000000 r21: 0x00000000 r22: 0x00000000 r23: 0x00000000
       r24: 0x00000000 r25: 0x00000000 r26: 0xbffffdf4 r27: 0x00000031
       r28: 0x00000005 r29: 0x025a2d80 r30: 0x00081460 r31: 0x97df20c0

    -----Original Message-----
    From: Delfim Machado [mailto:bipbip@xpto.org]
    Sent: Friday, July 04, 2003 9:23 AM
    To: bugtraq@securityfocus.com; full-disclosure@lists.netsys.com;
    product-security@apple.com; vulnwatch@vulnwatch.org; vuln@security.nnov.ru;
    bugs@securitytracker.com
    Cc: phiber@phibernet.org
    Subject: [VulnWatch] MacOSX - crash screensaver locked with password and get the desktop back

    Hi all,

    Three days ago I discovered a security issue with the latest MacOSX.

    There is a way to crash the password-locked screensaver and gain
    the desktop.

    How? you ask.
    I don't know the exact number of characters, only that if you leave a
    key pressed for 5 minutes or more and then hit the Enter key, you crash
    the screensaver and gain access to the desktop.
    You can mess with the desktop and everything around it (network, mail, docs,
    anything you can imagine).

    I think that this is a huge security hole and it must be corrected.

    I hope that this is good for everyone who cares about "how to secure
    your desktop".

    Solution?
    Wait until someone at Apple makes a patch and releases it...

    Here is the mail that I sent to the Apple security people; they didn't
    reply :(

    -- BEGIN APPLE MESSAGE --
    To: product-security@apple.com
    Subject: [BUG] forgot your screensaver password ?? Hackit anyway

    Hi all

    (tested machines at the bottom of this message)

    Sorry about the subject, but there is a problem with the auth prompt
    when you have the screensaver running.

    I do not know the exact number of characters needed to make the auth prompt
    blow up, but here is what I do:

    with the screensaver running, leave something on top of the keyboard
    and leave it there for 5 or more minutes, then hit ENTER.
    The screensaver dies and your desktop is open to anyone.

    desktop open, network open, hackers go away :)

    I'll wait for an answer until 3 July and then send this problem to
    full-disclosure@lists.netsys.com and bugtraq@securityfocus.com

    If you need more time, please tell me and I'll wait until the patch is
    ready to deploy.

    OS tested: I didn't get a Mac that wasn't updated ... (uname -a)
    (Powerbook)
    Darwin roadrunner 6.6 Darwin Kernel Version 6.6: Thu May 1 21:48:54 PDT 2003; root:xnu/xnu-344.34.obj~1/RELEASE_PPC Power Macintosh powerpc
    (iMac)
    Darwin MacLulo 6.6 Darwin Kernel Version 6.6: Thu May 1 21:48:54 PDT 2003; root:xnu/xnu-344.34.obj~1/RELEASE_PPC Power Macintosh powerpc
    (Powerbook)
    Darwin Proenca-Powerbook17 6.6 Darwin Kernel Version 6.6: Thu May 1 21:48:54 PDT 2003; root:xnu/xnu-344.34.obj~1/RELEASE_PPC Power Macintosh powerpc

    PS: MacOSX r0x, keep on the good way!

    -- END APPLE MESSAGE --

    Cheers

    --
    Delfim Machado - dbcm@xpto.org
    XPTO:: Portuguese OpenSource Community - http://lab.xpto.org
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
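The crash log Tim Yardley posted above is the kind of artifact a responder wants to triage mechanically: which process died, with what exception, on which thread, and which frames in the crashed thread are unsymbolicated (the `0x4678 in 0x4678` entries, i.e. the main executable) and so need manual work before the fault path can be reconstructed. The script below is an added example and is not code from either poster; it parses the Mac OS X 10.2-era CrashReporter format into structured data and applies a simple triage rule. The embedded sample is the crash log from the message above, copied without the register dump. The set of processes treated as "guarding the session" (`ScreenSaverEngine`, `loginwindow`) and the triage heuristic itself are assumptions of this example, not anything stated in the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Crash log from the report above (register dump omitted), embedded so the
# example runs offline.
SAMPLE_LOG = """\
Date/Time: 2003-07-07 15:59:38 -0500
OS Version: 10.2.6 (Build 6L60)
Host: liquid

Command: ScreenSaverEngine
PID: 6244

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x822ae308

Thread 0 Crashed:
 #0 0x9068ba64 in objc_msgSend
 #1 0x97df221c in NSPopAutoreleasePool
 #2 0x930b1dd0 in -[NSApplication run]
 #3 0x00004678 in 0x4678
 #4 0x00004328 in 0x4328
 #5 0x000041a8 in 0x41a8

Thread 1:
 #0 0x90073c28 in mach_msg_trap
 #1 0x90005f70 in mach_msg
 #2 0xc0007758 in __ape_internal
 #3 0xc0001160 in __ape_agent
 #4 0x90020d28 in _pthread_body

Thread 2:
 #0 0x90073c28 in mach_msg_trap
 #1 0x90005f70 in mach_msg
 #2 0x901489f0 in __CFRunLoopRun
 #3 0x90180f58 in CFRunLoopRunSpecific
 #4 0x90148240 in CFRunLoopRun
 #5 0x022000cc in thread_main
 #6 0x90020d28 in _pthread_body

Thread 3:
 #0 0x90014d08 in syscall_thread_switch
 #1 0x97e03ef4 in +[NSThread sleepUntilDate:]
 #2 0x93081cac in -[NSUIHeartBeat _heartBeatThread:]
 #3 0x97e2cc50 in forkThreadForFunction
 #4 0x90020d28 in _pthread_body
"""

THREAD_RE = re.compile(r"^Thread (\d+)( Crashed)?:\s*$")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+(0x[0-9a-fA-F]+)\s+in\s+(.+?)\s*$")
HEADER_RE = re.compile(r"^([A-Za-z/ ]+):\s+(.*)$")

# Assumption of this example: processes whose death exposes a locked session.
LOCK_UI_PROCESSES = {"ScreenSaverEngine", "loginwindow"}


@dataclass
class Frame:
    index: int
    address: int
    symbol: str

    def is_symbolicated(self) -> bool:
        # CrashReporter prints "0x4678 in 0x4678" for frames it could not
        # resolve (here, the main executable); those need manual symbolication.
        return not self.symbol.startswith("0x")


@dataclass
class CrashReport:
    headers: Dict[str, str] = field(default_factory=dict)
    threads: Dict[int, List[Frame]] = field(default_factory=dict)
    crashed_thread: Optional[int] = None


def parse_crash_log(text: str) -> CrashReport:
    """Split a CrashReporter log into header fields and per-thread frame lists."""
    report = CrashReport()
    current: Optional[int] = None
    for line in text.splitlines():
        m = THREAD_RE.match(line)
        if m:
            current = int(m.group(1))
            report.threads[current] = []
            if m.group(2):
                report.crashed_thread = current
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            report.threads[current].append(
                Frame(int(m.group(1)), int(m.group(2), 16), m.group(3)))
            continue
        m = HEADER_RE.match(line)
        if m and current is None:  # header block precedes the first thread
            report.headers[m.group(1).strip()] = m.group(2).strip()
    return report


def crashed_frames(report: CrashReport) -> List[Frame]:
    if report.crashed_thread is None:
        return []
    return report.threads[report.crashed_thread]


def lock_screen_crash_triage(report: CrashReport) -> dict:
    """Heuristic (this example's assumption): a memory fault in a process that
    owns the lock UI is worth escalating, since its death tears down the lock."""
    command = report.headers.get("Command", "")
    exception = report.headers.get("Exception", "")
    return {
        "process": command,
        "fatal_memory_fault": exception.startswith("EXC_BAD_ACCESS"),
        "guards_session": command in LOCK_UI_PROCESSES,
        "unsymbolicated_frames": [hex(f.address) for f in crashed_frames(report)
                                  if not f.is_symbolicated()],
    }


if __name__ == "__main__":
    print(lock_screen_crash_triage(parse_crash_log(SAMPLE_LOG)))
```

Run against the embedded log, the triage reports a fatal memory fault in a session-guarding process with three unsymbolicated frames (`0x4678`, `0x4328`, `0x41a8`) in the crashed thread, which is where a reconstruction of the fault path would have to start.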
    

