Two kids found a screensaver bypass in Linux Mint

Pierluigi Paganini January 16, 2021

The development team behind the Linux Mint distro has fixed a security flaw that could have allowed users to bypass the OS screensaver.

The maintainers of the Linux Mint project have addressed a security bug that could have allowed attackers to bypass the OS screensaver.

The curious aspect of this vulnerability is related to its discovery, in fact, it was found by two children that were playing on their dad’s computer.

The process is simple and allow the screensaver lock by-pass by crashing the screensaver and unlock the desktop via the virtual keyboard.

In order to reproduce the bypass on a locked system, click on the virtual keyboard, then type at the real keyboard while typing on the virtual keyboard, both at the same time, as many keys as possible.

“A few weeks ago, my kids wanted to hack my linux desktop, so they typed and clicked everywhere, while I was standing behind them looking at them play… when the screensaver core dumped and they actually hacked their way in! wow, those little hackers…” states a bug report on GitHub.

“I thought it was a unique incident, but they managed to do it a second time. So I’d consider this issue… reproducible… by kids. I tried to recreate the crash on my own with no success, maybe because it required more than 4 little hands typing and using the mouse on the virtual keyboard. Maybe not the best bug report, but I’ve seen the screenlock crash twice already with my own eyes, so its pretty real. One last thing, after the desktop is unlocked, I can’t re-lock it again, the screensaver process is pretty dead and requires me to open a shell and run ‘cinnamon-screensaver’ manually to get it working.”

Linux Mint lead developer Clement Lefebvre confirmed that the bug resides in the libcaribou, the on-screen keyboard (OSK) component that is part of the Cinnamon desktop environment used by Linux Mint.

“We’ll most likely patch libcaribou here” wrote Lefebvre. “We have two different issues:

  • In all versions of Cinnamon, the on-screen keyboard (launched from the menu) runs within the Cinnamon process and uses libcaribou. Pressing ē crashes Cinnamon.
  • In versions of Cinnamon 4.2 and higher, there’s a libcaribou OSK in the screensaver. Pressing ē there crashes the screensaver.”

The vulnerability is triggered when users press the “ē” key on the on-screen keyboard, this causes the crash of the Cinnamon desktop process. If the on-screen keyboard is opened from the screensaver, the bug crashes the screensaver allowing users to access the desktop.

The issue was introduced in the Linux Mint OS since the Xorg update to fix CVE-2020-25712 heap-buffer overflow in October. The bug affects all distributions running Cinnamon 4.2+ and any software using libcaribou.

The vulnerability was addressed with the release of a patch for Mint 19.x, Mint 20.x and LMDE 4.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Linux Mint)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment