[10888] in bugtraq
Security flaw in klock
daemon@ATHENA.MIT.EDU (Maurizio Paolini)
Wed Jun 23 13:39:16 1999
Message-Id: <199906230823.KAA28861@gauss.dmf.bs.unicatt.it>
Date: Wed, 23 Jun 1999 10:23:26 +0200
Reply-To: Maurizio Paolini <paolini@DMF.BS.UNICATT.IT>
From: Maurizio Paolini <paolini@DMF.BS.UNICATT.IT>
To: BUGTRAQ@NETSPACE.ORG
Hello,
this is my first post to this list, so please forgive me if this
is off topic or badly formulated.
It seems to me that anyone can take control of a local kde session
locked with klock (the default locking mechanism of kde).
This was discovered by my 7 years old son, who was just trying
to gain control of my session by typing randomly on the keyboard, and
it just involves the "backspace" key and the "enter" key, and perhaps
the "caps lock" key.
It actually takes a few tries, and I don't know of a precise sequence
of keys. What I do is
1. wait for the "enter password" message.
2. press the "caps lock" once or twice.
3. press the "backspace" six times with different timings each try.
4. press the enter key.
After a few tries (usually five to ten...) klock dies with no message.
If this is confirmed by someone else it seems to be a serious
flaw of klock (or a backdoor?)
Thank you,
Maurizio Paolini
