Two children playing on their father’s computer found a vulnerability in the Linux Mint screensaver, in late December 2020. According to the father, who reported the case on a GitHub forum, the vulnerability allowed to circumvent the need for a password when trying to access the computer, after the screen saver. The vulnerability has been fixed by the developers.
Linux-based operating systems are known to be more secure, mainly for being open source, that is, with open source code for anyone who wants to check its integrity or functioning. Besides that, are updated frequently and in some cases, already are developed with safety in mind.
However, “a few weeks ago, my kids wanted to hack my Linux desktop, so they typed and clicked everywhere, while I was standing behind, watching them play ”.
When the children managed to circumvent the screensaver, the father, identified only as “robo2bobo” on GitHub, did not believe what he had just seen. “I thought it was a unique incident, but they managed to do it a second time […] I saw the screen lock lock twice with my own eyes, so it’s very real, ”he writes.
“I tried to recreate the lock alone, without success, perhaps because it required more than 4 little hands typing and using the mouse on the virtual keyboard”.
The father explains that after the desktop is unlocked, it is not possible to lock it again. “The screen saver process is practically dead and it requires me to open a shell and run the cinnamon-screensaver manually to make it work, ”he explains.
To exploit this vulnerability, it was necessary to have a computer running Linux Mint with the Cinnamon user interface, lock the system, click on the virtual keyboard and type in as many keys as possible on the traditional keyboard.
Clement Lefebvre, responsible for Linux Mint, confirmed that the vulnerability existed in a process called libcaribou. The problem was corrected with the release of Mint 19.x and Mint 20.x patches published this Wednesday (13th).
“In all versions of Cinnamon, the on-screen keyboard (launched from the menu) runs within the Cinnamon process and uses libcaribou, pressing ē locks the system. In Cinnamon versions 4.2 and higher, there is an OSK [on-screen keyboard] libcaribou on the screensaver, pressing ē locks the screen saver”, Explains the system developer.
The developer explains that the team is working to add the ability to turn the on-screen keyboard on or off, which could prevent future vulnerabilities of this type.
See the original post at: https://thehack.com.br/criancas-descobrem-como-invadir-um-linux-mint-explorando-uma-falha-no-protetor-de-tela/?rand=48873