[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Security flaw in klock
From:       Maurizio Paolini <paolini () DMF ! BS ! UNICATT ! IT>
Date:       1999-06-23 8:23:26
[Download RAW message or body]

Hello,
this is my first post to this list, so please forgive me if this
is off topic or badly formulated.

It seems to me that anyone can take control of a local kde session
locked with klock (the default locking mechanism of kde).

This was discovered by my 7 years old son, who was just trying
to gain control of my session by typing randomly on the keyboard, and
it just involves the "backspace" key and the "enter" key, and perhaps
the "caps lock" key.

It actually takes a few tries, and I don't know of a precise sequence
of keys.  What I do is

1. wait for the "enter password" message.
2. press the "caps lock" once or twice.
3. press the "backspace" six times with different timings each try.
4. press the enter key.

After a few tries (usually five to ten...) klock dies with no message.

If this is confirmed by someone else it seems to be a serious
flaw of klock (or a backdoor?)

Thank you,

Maurizio Paolini

[prev in list] [next in list] [prev in thread] [next in thread]