(CVE-2023-43090) Screenshot tool allows viewing open windows when session is locked
Subject: RE: New Security Issue (Teams/Releng/security#112)
Thank you! Here is the report.
GNOME (GNU Network Object Model Environment) is a free and open-source desktop environment for Linux. We discovered an authentication bypass that could be exploited to display the open applications while a GNOME session is locked.
Description
GNOME Screenshot is a utility for taking screenshots. It provides several options, including capturing the whole desktop or just a single window.
It could be executed through keyboard shortcuts or using the panel button. When the user session is locked, the "single window mode" and "video" capture buttons are disabled and it is not possible to click on them.
However, some keyboard shortcuts have not been disabled and access to open applications is therefore possible.
Exploit
On a locked user session, GNOME Screenshot could be executed using the taskbar or the PrtSc keyboard shortcut:
screenshot1.png: https://hubonefr-my.sharepoint.com/:i:/g/personal/mickael_karatekin_hubone_fr/EUnxM0O-Qi9Picxjd1zvuTsBPzCfg_E9LDo2fpZUrUbVBQ
The "single window mode" and "video" buttons seem to be disabled:
screenshot2.png: https://hubonefr-my.sharepoint.com/:i:/g/personal/mickael_karatekin_hubone_fr/ERML2dnuR-JBloB1hBzwz-wBCQ7U7h31u6jBfqgrtkIDhA
However, we could access the user's open applications by pressing the "V" key twice, then the "W" key once:
screenshot3.png: https://hubonefr-my.sharepoint.com/:i:/g/personal/mickael_karatekin_hubone_fr/EeblnIz7xk9Mlmazw7hG9EcBUPMRNfXdNe8Tiw33g5kScw
screenshot4.png: https://hubonefr-my.sharepoint.com/:i:/g/personal/mickael_karatekin_hubone_fr/EerQMthoAtxBkV9GAkAWovoBjCVeIlv-yGm20ELQo28gAA
As a result, applications are displayed:
screenshot5.png
Affected version
GNOME <= 44.4
Thank you for reading this report!
Mickael KARATEKIN
From: Michael Catanzaro (@mcatanzaro) gitlab-issues@gnome.org
Sent: Sunday, 3 September 2023 19:32
To: KARATEKIN Mickael m.karatekin@sysdream.com
Subject: Re: New Security Issue (Teams/Releng/security#112)
Michael Catanzaro (https://gitlab.gnome.org/mcatanzaro) wrote:
Hi, if you have a single vulnerability to report, you can respond to this issue by replying to this email. Thanks!
If you have multiple vulnerabilities to report, you can create new issues by sending an email to incoming+teams-releng-security-12388-issue-@gitlab.gnome.org which is equivalent to using the web form.