Security Alert - Bypass Block Screen Important! Exploit!

d0c

Security Alert - Bypass Block Screen Important! Exploit!

Post by d0c »

Hello together,

I'm new to the forum and sadly couldn't find any security category, so I'll try it here.
About 2-3 weeks ago I wrote to the root of this page, Clement Lefebvre, about an installation issue with initramfs making my screen black on reboot, not being able to boot anymore.
He advised me to look at https://bugs.launchpad.net/ubuntu/+sour ... ug/1713004 .

After reinstallation the system ran again, and I put the update above on the blocklist.
However, accidentally, after using Bleachbit that list was removed and the update installed.
After rebooting the system the same problem happened again.
But this time, desperately, I tried out a trick: unplugging my second monitor from the (nvidia) card.

And I could see the bootscreen again. So far so good.
After being logged in and AFK, the screensaver (default mint) was activated as usual, and after 30 min the screen turned off.

Now the exploitation story starts.

When I returned to my PC, I moved the mouse and the background was visible again, while the "Edit Field" for entering the password to unlock the screenblocker was disabled.
I couldn't type - I've tried everything, but without result.
Mouse could be moved but everything else looked disabled.

So I first tried Ctrl Alt F2, logged in tty2 and started x.
Worked, until I was AFK again, same story happened over and over.

I then changed the driver from xorg to nvidia 348 as recommended and rebooted.

This did not yield any result, letting me try out different settings with energy settings, different screensavers and so on.
Indeed, after disabling 'monitor off' after 30 min, it kept running, but after a few hours the same behaviour happened again
and the settings even got deleted.

After being locked out every time and losing all my open sessions I tried the alternative combo Ctrl Alt backspace after my screen was frozen again.
X was shut off and restarted but guess what??? NO PASSWORD REQUIRED!

I am no graphics driver / kernel developer BUT I combine the latest initramfs update in combination with nvidia graphics card with DUAL SCREEN attached (VGA+HDMI)
yielding this unstable behaviour starting at boot time, crashing the session after lockscreen activation + standby mode for monitor after 30 min.+.
After the screen is hanging the keycombo Ctrl Alt backspace restarts xserver WITHOUT PASSWORD PROMPT.

All other installations run perfectly stable with one screen attached.
The key components must therefore be:
-multi screen attached (VGA + HDMI)
-possibly nvidia card
-default (!) screensaver config

I've reproduced it for about 10 times now, over and over again.

I'm using 18.3 Mint.

Who can reproduce this behaviour?

In theory this could be simply exploited by attaching another display and waiting 30-60 minutes to gain full system access on physical systems.
At least this is the case here on my system.

Backdoor?

Awaiting responses

best greets

Lark Lizerman
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 3 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
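For the question this report raises (what Ctrl+Alt+Backspace is allowed to do, and whether a restarted X session comes back without asking for a password), here is an added example, not part of the original post, that audits two settings on a Debian/Ubuntu-style system. It assumes LightDM as the display manager and `/etc/default/keyboard` for XKB options; the function names are hypothetical, and the thread does not establish that either setting was the cause on d0c's machine.

```shell
#!/usr/bin/env bash
# Added example: audit settings that matter when X is restarted behind a lock screen.
# Assumptions: Debian/Ubuntu-style /etc/default/keyboard, LightDM config files.

# zap_enabled FILE: succeeds if XKBOPTIONS enables the X server "zap" key combo.
zap_enabled() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*XKBOPTIONS=.*terminate:ctrl_alt_bksp' "$1"
}

# autologin_user FILE...: prints the user from the last active (uncommented)
# autologin-user= line; prints nothing if automatic login is not configured.
autologin_user() {
    local f
    for f in "$@"; do
        [ -r "$f" ] || continue
        sed -n 's/^[[:space:]]*autologin-user[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$f"
    done | tail -n 1
}

# audit KEYBOARD_FILE LIGHTDM_FILE...: one-line verdict for a physical-access review.
audit() {
    local kb=$1; shift
    local zap=no user
    zap_enabled "$kb" && zap=yes
    user=$(autologin_user "$@")
    if [ "$zap" = yes ] && [ -n "$user" ]; then
        echo "HIGH: Ctrl+Alt+Backspace kills X and LightDM logs '$user' back in without a password"
    elif [ -n "$user" ]; then
        echo "MEDIUM: any X restart or crash logs '$user' back in without a password"
    elif [ "$zap" = yes ]; then
        echo "LOW: Ctrl+Alt+Backspace kills X (open sessions are lost), greeter still asks for a password"
    else
        echo "OK: zap disabled in XKBOPTIONS and no automatic login configured"
    fi
}

# Run against the live system paths; unreadable or missing files are skipped.
audit /etc/default/keyboard /etc/lightdm/lightdm.conf /etc/lightdm/lightdm.conf.d/*.conf
```

The zap combo can also be enabled per user in the desktop's keyboard layout options, which this check does not read; `setxkbmap -query` inside the session shows the options actually in effect.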
DAMIEN1307

Re: Security Alert - Bypass Block Screen Important! Exploit!

Post by DAMIEN1307 »

hi lark...bleachbit is well known to cause problems for new linux users...hell it's been known to entirely bork systems for "seasoned" linux users...it has also been called a "wrecking ball"...if this was me, i would do your re-install as i believe that since it worked the last time it should also do so this time...then i WOULD NOT INSTALL BLEACHBIT....the only safe way i know of for "cleaning" a linux system even though it is really not necessary to do so because linux just doesn't really accumulate junk etc., is to "copy" and "paste" these following commands into the "terminal"...

1 - To auto clean/auto remove from the system, copy and paste these commands one at a time, and click "enter"...you will be prompted for your password (the password will not show as you're typing it) and click enter...

A - sudo apt autoclean

B - sudo apt autoremove


2 - To Clear the thumbnail cache from the system, copy and paste these commands also one at a time and click enter...(it will not ask for a password)...

A - rm -v -f ~/.cache/thumbnails/*/*.png ~/.thumbnails/*/*.png

B - rm -v -f ~/.cache/thumbnails/*/*/*.png ~/.thumbnails/*/*/*.png


and that's it, that's all you should ever need to do to keep a well kept, smooth and stable operating system (as well as always keeping it updated)...hope this is of help...DAMIEN
Last edited by Moem on Wed Jan 17, 2018 6:35 pm, edited 1 time in total.
Reason: Let's make it easy to see where the command begins and ends.
Pjotr

Re: Security Alert - Bypass Block Screen Important! Exploit!

Post by Pjotr »

You're being overly and needlessly alarmist.

First of all: stay away from software wrecking ball BleachBit, as Damien already pointed out.

Secondly, security in Linux Mint is by default much better than in Windows, so there's absolutely no reason at all to shout about exploits: https://sites.google.com/site/easylinux ... t/security

Thirdly, for troubleshooting your other problems, please generate an overview of your system like this:

- Launch a terminal window (this is how to launch a terminal window);

- make the terminal window full screen, to avoid chopped lines;

- copy/paste this command into the terminal:

inxi -Fxz
(if you type: the letter F is a capital letter)

- Press Enter.

- Copy/paste the output in your next message.
karlchen

Re: Security Alert - Bypass Block Screen Important! Exploit!

Post by karlchen »

Hello, Damien1307 and Pjotr.

Do I really have to point out that you both chose to pick some random keywords from d0c's very detailed report in order not to reply to the main topic? But this topic is clearly given in the thread title and has been explained in d0c's post.

The issue which this thread is about is not Bleachbit and not NVidia.
Rather it is the question whether
+ on a given Mint system (I assume Ubuntu would be affected as well)
+ where two monitors are connected
+ it is possible to trick the X server into restarting into a fully usable desktop session
+ without having to enter the user's login credentials anywhere in the course of the process.

Simply stating Linux as such were more secure than Windows is
a) common-place
b) not on topic, because this is not the issue here.

Admittedly I am not convinced that d0c has reported an unfixed security hole, because at some point in the process he mentioned logging in on a console monitor, which requires the user credentials, something an intruder would not know.

Anyway, we should stay on topic and not try to drive this thread offtopic.

Regards,
Karl
d0c

Re: Security Alert - Bypass Block Screen Important! Exploit!

Post by d0c »

hello,

@pjotr: I am no n00b ;-)

I've upgraded CPU microcode and restarted (cold) the system.
I will keep you updated if there is anything new.
I don't want to post this in a dramatic way, that's not my intention
but since you probably read about Intel's AMT Ctrl+P "exploit" a few days ago,
attaching a second screen through a VGA cable, making Xserver unstable and restarting it with Ctrl Alt backspace I personally see in a veeeery critical light.

That's the situation I am sitting in front of right now.
PS: The problem occurred after the last update, not after using bitbleacher!

It has direct coincidence with the updates.

I've also just run upgrade, maybe it was a temporal state.
Very strange however.

If any of you can find or reproduce this please keep results updated.

BTW the output

System:    Host: DEFCON Kernel: 4.13.0-26-generic x86_64 (64 bit gcc: 5.4.0)
           Desktop: Cinnamon 3.6.7 (Gtk 3.18.9-1ubuntu3.3)
           Distro: Linux Mint 18.3 Sylvia
Machine:   Mobo: ASUSTeK model: M5A97 R2.0 v: Rev 1.xx
           Bios: American Megatrends v: 2603 date: 06/26/2015
CPU:       Octa core AMD FX-8320E Eight-Core (-MCP-) cache: 16384 KB
           flags: (lm nx sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm) bmips: 55483
           clock speeds: max: 3200 MHz 1: 1400 MHz 2: 1400 MHz 3: 1400 MHz
           4: 1400 MHz 5: 1400 MHz 6: 3200 MHz 7: 1400 MHz 8: 1400 MHz
Graphics:  Card: NVIDIA GK107 [GeForce GT 740] bus-ID: 01:00.0
           Display Server: X.Org 1.18.4 drivers: nouveau (unloaded: fbdev,vesa)
           Resolution: 1920x1080@60.00hz, 1920x1080@60.00hz
           GLX Renderer: NVE7
           GLX Version: 3.0 Mesa 17.2.4 Direct Rendering: Yes
Audio:     Card-1 NVIDIA GK107 HDMI Audio Controller
           driver: snd_hda_intel bus-ID: 01:00.1
           Card-2 Advanced Micro Devices [AMD/ATI] SBx00 Azalia (Intel HDA)
           driver: snd_hda_intel bus-ID: 00:14.2
           Sound: Advanced Linux Sound Architecture v: k4.13.0-26-generic
Network:   Card: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller
           driver: r8169 v: 2.3LK-NAPI port: d000 bus-ID: 02:00.0
           IF: enp2s0 state: up speed: 1000 Mbps duplex: full mac: <filter>
Drives:    HDD Total Size: 250.1GB (47.5% used)
           ID-1: /dev/sda model: Samsung_SSD_850 size: 250.1GB
Partition: ID-1: / size: 197G used: 81G (43%) fs: ext4 dev: /dev/dm-1
           ID-2: /boot size: 473M used: 189M (43%) fs: ext2 dev: /dev/sda2
           ID-3: swap-1 size: 34.25GB used: 0.00GB (0%) fs: swap dev: /dev/dm-3
RAID:      No RAID devices: /proc/mdstat, md_mod kernel module present
Sensors:   System Temperatures: cpu: 16.4C mobo: N/A
           Fan Speeds (in rpm): cpu: 0
Info:      Processes: 252 Uptime: 1:37 Memory: 2828.7/32069.7MB
           Init: systemd runlevel: 5 Gcc sys: 5.4.0
           Client: Shell (bash 4.3.481) inxi: 2.2.35
Last edited by Moem on Thu Jan 18, 2018 6:39 pm, edited 1 time in total.
Reason: Adding [code] tags. They retain some formatting that makes your output easier to read.
Pjotr

Re: Security Alert - Bypass Block Screen Important! Exploit!

Post by Pjotr »

Worth a try: roll back to the latest kernel of the 4.4 series (currently 4.4.0-109), then launch Driver Manager and install the closed non-free Nvidia driver it'll probably offer you.
d0c

Re: Security Alert - Bypass Block Screen Important! Exploit!

Post by d0c »

Just a little update.
I've installed the AMD microcode update
and the xserver is now running stable.
Seems that it was an unstable constellation of versions.
Could anyone else reproduce something similar?