A "naughty kid" broke into a locked Linux desktop by mashing the keyboard, and his father discovered a Linux vulnerability. A veteran programmer had warned about it 17 years ago

Source: Qubit

A Linux system was "hacked" by two kids with no technical knowledge.

They simply pressed keys and tapped the screen at random, and easily bypassed the password to reach the desktop of a locked Linux system.

Recently, a programmer father watched his own computer get "broken into" by his children in exactly this way.

Being a programmer, his first thought was not to scold the children but to work out how to reproduce the vulnerability.

He found that the vulnerability really was triggered by the children's random key presses: under certain key combinations, the Linux screen-lock process crashes, and the password is bypassed.

In other words, anyone who knows about this vulnerability can quietly open a Linux computer that someone else has locked, without a password.

He reported the situation on the official GitHub, and this strange vulnerability was finally fixed officially last week.

That has not reassured programmers, though: security vulnerabilities caused by crashes of Linux desktop processes have appeared one after another over the years, and you never know what the next bug will be.


A desktop vulnerability found by children's random key mashing

How did these two children "discover" this vulnerability?

After the programmer father locked his computer, the children tried to unlock it and started hammering on the keyboard.

Suddenly, the screen-saver interface disappeared, and the children were in the Linux desktop.

What? Without even entering the password?

He asked them to demonstrate again. The children did it again, and once more they were just "mashing" the keyboard.

Very strange.

After the two children left, he quietly tried it himself, but failed.

Still, he was convinced that this had to be a vulnerability, because he had seen it happen twice.

The desktop environment the programmer father uses is Cinnamon (one of the Linux desktop environments). He wondered whether some strange bug in Cinnamon allowed the desktop to be unlocked without entering a password.

At 10:30 that evening, he reported the bug on Linux Mint's GitHub page and described how the children had typed on the keyboard:

They pressed keys on the physical keyboard and the on-screen virtual keyboard at the same time, and they pressed as many virtual keys as possible.

As soon as the report went up, other users said that they had run into the same problem, and that the desktop environment they used was also Cinnamon.

Linux Mint developers then stepped in.

On investigation, it was confirmed to be a real bug that affects Cinnamon 4.2 and later, because that is the version that started to support the on-screen virtual keyboard.

The specific action that triggers the bug is: long-press the "e" key and select "ē" on the virtual keyboard.

Linux Mint has now released a patch for this vulnerability, but it has to be installed manually.

Life is short; better to use KDE (just kidding).

Veteran programmer: I warned them 17 years ago

Faced with such an absurd and simple vulnerability, programmers from all over naturally started complaining about the Linux desktop.

The GitHub issue page for the bug was flooded by programmers.

Some people said: this CVE should be credited to the children...

Someone also posted a meme in their reply: I think programmers should reproduce bugs like this.

But the harshest of all was the well-known programmer jwz.

In the early hours of this morning, he tweeted an article complaining about the matter, titled "I told you so, 2021 edition".

As early as 17 years ago, he warned the Cinnamon and GNOME developers:

If XScreenSaver is not running on Linux, then your screen is equivalent to not being locked.

Since then, every few years, jwz has come out and said it again.

Jwz also joked that one such failure is an accident, two is a coincidence, three is enemy action, and four is official GNOME.

jwz keeps a detailed record of these four security vulnerabilities:

  • CVE-2019-3010: privilege escalation through the Oracle Solaris screen saver;

  • CVE-2014-1949, MDVSA-2015:162: pressing the menu key in the Cinnamon screen saver and then the ESC key gives a shell;

  • Pressing and holding the down key unlocks the Cinnamon screen saver;

  • Pressing and holding the Enter key unlocks the GNOME screen saver.

A bug fix that caused a new vulnerability

The Linux Mint vulnerability was caused by the fix for another bug before March.

That vulnerability exists in the Linux display server xorg-x11-server, and its greatest threat is to data confidentiality and integrity and to system availability.

Stranger still, when Ubuntu 20.04 backported xorg, it escaped because it was using version 1.20.9, which did not have the bug.

When the Ubuntu developers realized that they had not applied the CVE-2020-25712 patch, they were hit by a new vulnerability.

As a result, once the xorg update with the fix is installed, anyone can crash the screen locker and reach the desktop.

Coincidentally, this recalls another "basic" vulnerability in GNOME from two months ago.

A programmer crashed GNOME's account daemon by sending the account service into an endless loop. After that, a new sudo user can be added from the lock screen to obtain root privileges.

Should GNOME take the blame for this? Jwz believes that, in the final analysis, the cause is that X11, the current foundation of the Linux graphical interface, has serious problems that cannot be fixed:

1. Locking and authentication are operating-system-level problems.

Although X11 is at the core of the Linux computer operating system, its design has no security at all. Lock programs have to run as ordinary, unprivileged user-level applications.

2. This flaw in the X11 architecture can never be fixed.

X11 is too old, too rigid, and has too many stakeholders for any meaningful change to be made to it. That is why people keep trying to replace X11 and keep failing: it is too deeply entrenched.
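The failure mode described above, as an added example (not code from Cinnamon, XScreenSaver or jwz): when the locker is an ordinary user process, something else has to decide what happens if it dies. This Python sketch supervises a foreground locker and unlocks only on a clean exit. The function `supervise_locker`, the stand-in locker commands and the "exit 0 means authenticated" convention are assumptions made for illustration.

```python
import signal
import subprocess
import sys

# Constructed stand-ins for a real locker binary (assumptions, not real tools):
# one exits 0 as if the password was accepted, one dies of SIGSEGV mid-lock.
CLEAN_LOCKER = [sys.executable, "-c", "raise SystemExit(0)"]
CRASHING_LOCKER = [sys.executable, "-c",
                   "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"]


def supervise_locker(locker_argv, end_session):
    """Run a foreground locker and return (decision, reason).

    Assumed convention: exit status 0 means the user authenticated. Any
    other outcome (non-zero exit, death by signal, failure to start) calls
    end_session() so the desktop is never exposed by a dead locker.
    """
    try:
        rc = subprocess.run(locker_argv).returncode
    except OSError as exc:
        end_session()
        return ("fail-closed", f"locker did not start: {exc.strerror}")
    if rc == 0:
        return ("unlock", "locker exited 0 after authentication")
    if rc < 0:  # subprocess reports death by signal N as -N
        try:
            name = signal.Signals(-rc).name
        except ValueError:
            name = f"signal {-rc}"
        reason = f"locker killed by {name}"
    else:
        reason = f"locker exited with status {rc}"
    end_session()
    return ("fail-closed", reason)


if __name__ == "__main__":
    # A real end_session could run e.g. `loginctl terminate-session <id>`;
    # here it only records that the session would be ended.
    for argv in (CLEAN_LOCKER, CRASHING_LOCKER, ["/nonexistent/locker"]):
        log = []
        decision, reason = supervise_locker(argv, lambda: log.append("ended"))
        print(f"{decision:11s} session_ended={bool(log)}  {reason}")
```

Without a supervisor of this kind, a crashed locker simply takes its covering window with it, which is the fail-open behaviour the article describes.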

Wayland now exists as an alternative to X11, but the Ubuntu desktop still has some defects after switching to Wayland.

For example, after the computer wakes up, it stays on the original desktop for 10-20 seconds before entering the lock-screen state. During that time, whatever is on the desktop is fully exposed.

Given the security problems of the Linux desktop, and to keep undiscovered vulnerabilities from being exploited, some users suggest installing XSecureLock first as an extra lock.

"I am eagerly looking forward to hearing how they solve this problem," jwz said in his blog.


Origin blog.csdn.net/miaozenn/article/details/112989665