-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The following vulnerability was posted on the bugtraq list at 
www.securityfocus.com.  I felt it worthy of cross-posting.  It affects 
screensaver passwords.  Hopefully we'll get a fix in the next update.

Chris

- ----------  Forwarded Message  ----------

Subject: MacOSX - crash screensaver locked with password and get the desktop back
Date: Friday 04 July 2003 07:25 am
From: Delfim Machado <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

Hi all,

three days ago i discovered a security issue, with the last MacOSX.

there is a way to crash the screensaver locked with password and gain
the desktop.

how? - you ask.
i don't know the exact amount of characters, only that if you leave a
key pressed for 5 minutes or more and then hit the enter key, you crash
the screensaver and gain access to the desktop.
you can mess the desktop and all around it (network, mail, docs,
anything you can imagine).

i think that this is a huge secure hole and it must be corrected.

i hope that this is good for everyone who cares about "how to secure
your desktop".

solution?
wait until someone at the apple make a patch and release it...

here is the mail that i've sent to apple security people, they didn't
reply :(

- -- BEGIN APPLE MESSAGE --
To: [EMAIL PROTECTED]
Subject: [BUG] forgot your screensaver password ?? Hackit anyway

Hi all

(tested machines at the bottom of this message)

sorry about the subject, but there is a problem with the auth prompt
when you have the screensaver running.

i do not know the exact amount of characters to make the auth prompt
blow up, but here is what i do:

with the screensaver running, leave something at the top of the keyboard
and leave it there for 5 or more minutes, then hit ENTER.
The screensaver dies and you have your desktop open to anyone.

desktop open, network open, hackers go away :)

i'll wait for an answer until 3 of July and then send this problem to
[EMAIL PROTECTED] and [EMAIL PROTECTED]


if you need more time, please tell me that i'll wait until the patch be
ready to deploy.


OS tested:  didn't get a mac not updated ... (uname -a)
(Powerbook)
Darwin roadrunner 6.6 Darwin Kernel Version 6.6: Thu May  1 21:48:54 PDT 2003; root:xnu/xnu-344.34.obj~1/RELEASE_PPC  Power Macintosh powerpc
(iMac)
Darwin MacLulo 6.6 Darwin Kernel Version 6.6: Thu May  1 21:48:54 PDT 2003; root:xnu/xnu-344.34.obj~1/RELEASE_PPC  Power Macintosh powerpc
(Powerbook)
Darwin Proenca-Powerbook17 6.6 Darwin Kernel Version 6.6: Thu May  1 21:48:54 PDT 2003; root:xnu/xnu-344.34.obj~1/RELEASE_PPC  Power Macintosh powerpc

PS: MacOSX r0x, keep on the good way!

- -- END APPLE MESSAGE --


Cheers
- --
Delfim Machado - [EMAIL PROTECTED]
XPTO:: Portuguese OpenSource Community - http://lab.xpto.org

- -------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE/CQNnOi1zsclTlgwRAg47AKC4DhVeJz9MQXi5Ok/Y7XfgRe5GKwCg2ZgX
c8M6OyVikfFKgJ7yA18OGt0=
=1Kn9
-----END PGP SIGNATURE-----



_______________________________________________
Fink-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/fink-users
