Regarding the Security Issue, Apple Bug Friday CXIII

Monday, 2007-09-10; 16:19:00



I mentioned yesterday that the security issue regarding being able to send keystrokes through the screensaver was not completely reproducible.

It is now.

Here's how you reproduce it:

  1. Open up System Preferences, and go to the Universal Access preference pane.
  2. Check the "Enable access for assistive devices" box.
  3. Click the "Show All" button in the toolbar of System Preferences. Go to the Network preference pane.
  4. Select "AirPort" in the Show popup menu. Click the AirPort tab.
  5. Authenticate, if necessary, by clicking the lock in the bottom-left corner and entering in an admin name and password.
  6. Check the "Show AirPort status in menu bar" box.
  7. Click the "Options..." button.
  8. Check the "Create Computer-to-Computer networks" box.
  9. Click "OK".
  10. Click "Apply Now" and authenticate again, if necessary.
  11. Log in to a non-administrator user.
  12. Again open System Preferences. Go to the Security preference pane.
  13. Check the "Require password to wake this computer from sleep or screen saver" box.
  14. Click "Show All" in the toolbar of System Preferences.
  15. Go to the Desktop & Screen Saver preference pane.
  16. Click the "Hot Corners..." button.
  17. Make sure at least one corner has "Start Screen Saver" in the appropriate pop-up menu.
  18. Click OK. Quit System Preferences.
  19. Open Script Editor. Paste in the following script:
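    -- Wait 10 seconds so the screen saver can be started before the script acts
    delay 10
    activate application "SystemUIServer"
    tell application "System Events"
            tell process "SystemUIServer"
                    -- Open the AirPort menu (it must be the leftmost menu extra)
                    click menu bar item 1 of menu bar 1
                    delay 2
                    click menu item "Create Network…" of menu 1 of menu bar item 1 of menu bar 1
                    delay 2
                    -- Confirm the Create Network dialog; the AirPort authentication panel follows
                    click button "OK" of window 1
            end tell
    end tell
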
  20. Click "Run" in the toolbar of Script Editor.
  21. Quickly move your mouse to the hot corner you set up to activate the screen saver.
  22. Wait three seconds, then move the mouse to activate the authentication panel of the screen saver.
  23. Wait a few more seconds, and when the important part of the script starts (after delaying for 10 seconds), you'll notice that the authentication panel will suddenly lose focus -- the blue ring around the password field will disappear. It will actually kind of blink a few times as the script does its stuff, but at the end it leaves the screen saver authentication panel unfocused.
  24. Mash on the keyboard. Note that nothing shows up in the screen saver authentication panel.
  25. Manually click on the screen saver authentication panel, and type in your name and password. The screen saver will deactivate, leaving you with the AirPort authentication panel on your screen, complete with the keystrokes you mashed on the keyboard in the username field of the authentication panel, presented in clear text. Not good.

Note: if your primary language is set to something other than English, the script will fail. You'll need to manually change "Create Network…" in the script to the localized menu item, complete with an ellipsis at the end -- ellipses are created with the keystroke ⌥; (Option-semicolon). Additionally, your AirPort menu must be at the very left of the right-hand portion of the menu bar.

You can dismiss the AirPort authentication panel by pressing escape, but after that I can't seem to send any keystroke events to any other applications. So it doesn't really seem like too bad of a security issue excepting that one real-world scenario I presented earlier. (Incidentally, this is why I am publishing this stuff here; if it were a bigger problem, I'd probably give Apple more time to fix it before publishing the issue.)

And yes, these steps have been added to my bug report.

