Orange Business Services
Vigil@nce
Vulnerability announcement CVE-2012-4524

xlockmore: unlocking via dclock

Synthesis of the vulnerability

When the screen is locked with the dclock or random mode of xlockmore, the locker can terminate on some systems, so a local attacker can access the user's session.
Impacted products: Fedora, NetBSD, Unix (platform).
Severity: 2/4.
Creation date: 18/10/2012.
Identifiers: BID-56169, CVE-2012-4524, FEDORA-2012-16485, FEDORA-2012-16490, VIGILANCE-VUL-12082.

Description of the vulnerability

The xlockmore program locks the screen of an X session.

It also displays a screen saver indicated by the "-mode" parameter:
 - coral: coral reef
 - dclock: digital clock
 - eyes: eyes following an object
 - etc.
The "random" mode periodically changes the mode.

The modes/dclock.c file implements the dclock mode. It stores the time in a variable of the C type "long". However, on a recent 32-bit system (such as NetBSD 6.0), time_t is 64 bits wide. An invalid pointer is then used, and xlockmore terminates.

The victim may then lock the screen in "random" mode; a few minutes later, it switches to the "dclock" mode and terminates.

When the screen is locked with the dclock or random mode of xlockmore, the locker can therefore terminate on some systems, so a local attacker can access the user's session.
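The description above hinges on a width mismatch between the C type "long" and the libc time_t. The following is an added example, not code from xlockmore or from this bulletin: it models that bug class with constructed 32-bit and 64-bit types (a 32-bit long beside a 64-bit time_t, the NetBSD 6.0 32-bit situation the bulletin mentions) so the behaviour is the same on any host. A byte array stands in for the stack frame; `fake_time` stands in for the libc time() call. The buggy pattern passes a 4-byte slot to a writer of 8 bytes and corrupts the neighbouring variable; the fixed pattern declares the slot with the width the library expects. `host_has_width_mismatch` reports whether the real host is a platform where the pattern would misbehave.

```c
/*
 * Added example (not code from xlockmore or Vigil@nce). Models the
 * "long used where time_t is wider" defect class from the bulletin.
 * The platform widths are constructed, not taken from any real header.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

typedef int32_t narrow_long_t;  /* the 32-bit "long" the buggy code uses */
typedef int64_t wide_time_t;    /* the 64-bit time_t the library expects */

#define MARKER 0xAA             /* fill byte used to detect overwrites */

/* Stand-in for time(): stores all 8 bytes of the timestamp through out. */
static void fake_time(void *out) {
    wide_time_t now = INT64_C(0x0000000150A5B3C4);  /* constructed value */
    memcpy(out, &now, sizeof now);
}

/* Count bytes in frame[from..len) that no longer hold the marker. */
static int count_clobbered(const unsigned char *frame, size_t from, size_t len) {
    int clobbered = 0;
    for (size_t i = from; i < len; i++)
        if (frame[i] != MARKER) clobbered++;
    return clobbered;
}

/*
 * Buggy pattern: a 4-byte "long" slot followed by a 4-byte neighbour.
 * The caller hands the slot's address to a writer of 8 bytes (the
 * "(time_t *)&long_var" cast in real code). Returns the number of
 * neighbour bytes destroyed: 4, whatever the host endianness.
 */
static int buggy_store_clobbered_bytes(void) {
    unsigned char frame[sizeof(narrow_long_t) + sizeof(narrow_long_t)];
    memset(frame, MARKER, sizeof frame);
    fake_time(&frame[0]);
    return count_clobbered(frame, sizeof(narrow_long_t), sizeof frame);
}

/*
 * Fixed pattern: the slot is declared with the library's own type, so the
 * 8-byte write lands entirely inside it. Returns 0 clobbered bytes.
 */
static int fixed_store_clobbered_bytes(void) {
    unsigned char frame[sizeof(wide_time_t) + sizeof(narrow_long_t)];
    memset(frame, MARKER, sizeof frame);
    fake_time(&frame[0]);
    return count_clobbered(frame, sizeof(wide_time_t), sizeof frame);
}

/* 1 if this host is a platform where the dclock pattern would overrun. */
static int host_has_width_mismatch(void) {
    return sizeof(time_t) != sizeof(long);
}

int main(void) {
    printf("buggy pattern clobbers %d neighbour byte(s)\n",
           buggy_store_clobbered_bytes());
    printf("fixed pattern clobbers %d neighbour byte(s)\n",
           fixed_store_clobbered_bytes());
    printf("this host: sizeof(long)=%zu sizeof(time_t)=%zu mismatch=%d\n",
           sizeof(long), sizeof(time_t), host_has_width_mismatch());
    return 0;
}
```

On a typical 64-bit Linux host `host_has_width_mismatch` returns 0, which is exactly why the defect went unnoticed there and surfaced on a 32-bit system with a 64-bit time_t. In a real code base the durable fix is to declare the variable as time_t; a C11 `_Static_assert` on the two sizes at the call site would have turned this runtime crash into a build failure on the affected platforms.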

Copyright 1999-2014 Vigil@nce. Vigil@nce is a service from Orange Business Services.