*** This bug is a security vulnerability *** You have been subscribed to a public security bug by Seth Arnold (seth-arnold):
Hi, my little daughter discovered a logon screen bypass in Ubuntu Mate 21.10 after hitting the keyboard for a while. It turns out that several keyboard shortcuts are allowed while Ubuntu Mate is locked (arctica-greeter): - Mod4 + S (mate-search-tool) - Mod4 + E (Open Caja / File Explorer) - CTRL + Shift + Esc (mate-system-monitor) - PRNT (Screenshot) All of the mentioned shortcuts could be used to spawn a file explorer (Caja) or various other binaries as user "lightdm", who owns the logon screen. Although an interactive terminal like mate-terminal, xterm, lxterm etc. could not be opened directly, there are various options to run commands as the lightdm user, for example by creating a shell script using "caja", and execute it directly using the GUI. I've attached Proof-of-Concept GIFs for all shortcuts mentioned above. There might be additional shortcuts that could be used to achieve the same, however I'm not aware about every shortcut that is configured, but I suppose that the root cause is located somewhere in arctica-greeter, rather than within every single binary launched by shortcuts. The bug was reproduced on a fresh installation of Ubuntu Mate 21.10. I haven't tested other versions of Ubuntu Mate yet. Please find additional version details below: $ apt-cache policy lightdm lightdm: Installed: 1.30.0-0ubuntu4 Candidate: 1.30.0-0ubuntu4 Version table: *** 1.30.0-0ubuntu4 500 500 http://de.archive.ubuntu.com/ubuntu impish/universe amd64 Packages 100 /var/lib/dpkg/status $ apt-cache policy arctica-greeter arctica-greeter: Installed: 0.99.1.5-2nmu1 Candidate: 0.99.1.5-2nmu1 Version table: *** 0.99.1.5-2nmu1 500 500 http://de.archive.ubuntu.com/ubuntu impish/universe amd64 Packages 100 /var/lib/dpkg/status Thanks, Basti ** Affects: ubuntu-mate Importance: Undecided Status: New ** Affects: arctica-greeter (Ubuntu) Importance: Undecided Status: New ** Affects: lightdm (Ubuntu) Importance: Undecided Status: New ** Affects: mate-settings-daemon (Ubuntu) Importance: Undecided Status: New ** Tags: groovy hirsute impish -- Logon screen can be bypassed using various shortcuts https://bugs.launchpad.net/bugs/1948339 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
