SysRq can be used to restart autologin #1899

Open
xray-tango opened this issue Mar 24, 2024 · 2 comments

Comments

@xray-tango

When the automatic login on boot option is enabled and the SysRq key is fully enabled, pressing Ctrl+Alt+PrtSc+I initiates the "on boot auto-login" sequence, bypassing all possible lock screen methods with it.
This logs anyone who has physical access to the computer into the default user just by pressing the above-mentioned key combination.

This exploit can be triggered on many systems, primarily on the systems of technical and privacy-centric users, because:
The SysRq key is often enabled by advanced users to avoid having to force power off their computer in case of a system lock-up.
Auto-login is often enabled by users who use full disk encryption to eliminate the need to enter their password twice.

@Vogtinator Vogtinator changed the title Major login bypass vulnerability. SysRq can be used to restart autologin Mar 25, 2024
@Vogtinator (Contributor)

First things first: Please do https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure. What you just did is irresponsible disclosure and is bad for everyone involved.

IIUC SysRq+i is "kill-all-tasks(i)". What happens is that systemd stays alive and tries to restart the crashed sddm service. IMO this works as intended: If the sddm service fails during start, it should try again. From that PoV, the vulnerability is that a system which is meant to protect against a physically present attacker has SysRq enabled.

It might be useful to have sddm save into /run/ or so that autologin happened that startup and to not try again until the system rebooted. That only applies to one-shot autologin of course.

@xray-tango (Author)

> First things first: Please do https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure. What you just did is irresponsible disclosure and is bad for everyone involved.

I apologize for my unprofessionalism and irresponsibility in reporting this. I tried to look for guidance on how to properly report vulnerabilities, or even a single mention of it on the SDDM GitHub page, but I couldn't find any resources in 10 minutes of searching, so I got fed up and just made an issue about it.

You are right about the reason this happens: SysRq never kills the init system (in our case systemd), which ends up restarting everything as if the system had just booted.

My idea for checking whether an auto-login likely happened before is very crude, but it could work:
The uptime could be checked, and if it returns a value above, let's say, 10 minutes, the auto-login does not initiate.
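The two guards discussed in this thread, a one-shot marker under /run (a tmpfs that survives a display-manager restart after SysRq-i but not a reboot) and an uptime cutoff, as an added Python illustration that is not SDDM's code; the marker file name, the 10-minute cutoff and the simulated uptimes are my assumptions, and the `kernel.sysrq` bit value 64 is the kernel's "signalling of processes" group, which is what SysRq-i needs.

```python
import os
import tempfile

# kernel.sysrq bitmask group enabling process signalling (SysRq-e/i/f).
# A mask of 1 enables every function, 0 disables SysRq entirely.
SYSRQ_SIGNAL_PROCESSES = 64
AUTOLOGIN_MAX_UPTIME_S = 600.0   # assumed cutoff: 10 minutes after boot


def sysrq_allows_kill_all_tasks(mask: int) -> bool:
    """True if the kernel.sysrq mask lets SysRq-i (kill all tasks) run."""
    return mask == 1 or bool(mask & SYSRQ_SIGNAL_PROCESSES)


def _create_marker_exclusive(path: str) -> bool:
    """Atomically create the marker file; False if it already exists."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    os.close(fd)
    return True


def autologin_allowed(marker_path: str, uptime_s: float) -> bool:
    """Permit autologin at most once per boot, and only shortly after boot.

    marker_path should live on a tmpfs such as /run: a reboot clears it,
    but a service restart after SysRq-i (init survives) does not.
    """
    if uptime_s > AUTOLOGIN_MAX_UPTIME_S:
        return False                              # long after boot: deny
    return _create_marker_exclusive(marker_path)  # first caller per boot wins


def read_uptime_seconds(proc_uptime: str = "/proc/uptime") -> float:
    """First field of /proc/uptime is seconds since boot."""
    with open(proc_uptime) as f:
        return float(f.read().split()[0])


def demo() -> tuple:
    """Simulate one boot; a temp dir stands in for /run (constructed input)."""
    with tempfile.TemporaryDirectory() as run_dir:
        marker = os.path.join(run_dir, "sddm-autologin-done")
        first = autologin_allowed(marker, uptime_s=12.0)       # boot: allowed
        after_kill = autologin_allowed(marker, uptime_s=40.0)  # restart: denied
        late = autologin_allowed(os.path.join(run_dir, "fresh"), 3600.0)
        return first, after_kill, late
```

On a real system, `read_uptime_seconds()` supplies the uptime argument and the marker goes under /run; `sysrq_allows_kill_all_tasks(int(open("/proc/sys/kernel/sysrq").read()))` tells you whether the restart trigger is even reachable on that host.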
