[30611] in bugtraq
Re: MacOSX - crash screensaver locked with password and get the desktop
daemon@ATHENA.MIT.EDU (Adam H. Pendleton)
Mon Jul 7 16:05:45 2003
Message-ID: <3F098D4D.10600@fmonkey.net>
Date: Mon, 07 Jul 2003 11:10:05 -0400
From: "Adam H. Pendleton" <fmonkey@fmonkey.net>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
In-Reply-To: <1057328741.1655.172.camel@localhost.localdomain>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Delfim Machado wrote:
>three days ago i discovered a security issue, with the last MacOSX.
>
>there is a way to crash the screensaver locked with password and gain
>the desktop.
>
This isn't a new issue; well not exactly. The method for crashing to
screensaver is new to me, but the result isn't. When I first got my
Powerbook (December of last year), it came with a .Mac screensaver
which, IIRC, attempts to load its slideshow images off the Internet. At
the time, I was able to crash the .Mac screensaver by pulling the
network plug while the screensaver was trying to update its images.
Doing this caused the screensaver to crash and the Desktop to return
(despite password locking). I reported this vulnerability to Apple, but
never got a response, and it obviously hasn't been fixed. I don't have
an exact date on when I originally reported it, but I believe it was
sometime in January '03.
ahp
