Computer Academic Underground
http://www.caughq.org

Security Advisory
===============/========================================================
Advisory ID:     CAU-2004-0001
Release Date:    04/01/2004
Title:           Multiple Screensaver - Information Disclosure
Application/OS:  Screensavers that use screenshots as entropy
Topic:           Risk of sensitive information disclosure after locking
                 of a workstation.
Vendor Status:   Multiple Vendor - N/A
Attributes:      Information Disclosure, Physical Access
Advisory URL:    http://www.caughq.org/advisories/CAU-2004-0001.txt
Author/Email:    I)ruid (druid@caughq.org)
===============/========================================================

Overview
========

An information disclosure vulnerability exists in some popular screensavers. Screensavers that use snapshots of the underlying desktop may reveal sensitive information when the screensaver is intended to lock a user's workstation while they are away.

Impact
======

Sensitive information may be disclosed after a workstation is locked and presumed protected. Severity varies depending on the user, the type of information usually presented to that user by the affected system, and the particular screensaver that is running at the time.

Affected Systems
================

Any system displaying a screensaver that uses screen captures as entropy.

Technical Explanation
=====================

Some screensavers, either during startup or periodically throughout their execution, take snapshots of the underlying desktop and use that image within the screensaver itself. A malicious user with keen eyes may be able to view sensitive information that is displayed on the desktop but was meant to be protected by the obfuscation the screensaver provides when the workstation is locked.

Information that could potentially be viewed this way includes email content, intranet content in an open browser, instant messages configured to raise to the foreground that arrive after the workstation is locked, office document content such as contracts or spreadsheets, etc.

An (incomplete) list of the offending screensavers:

Xscreensaver: Bumps, Distort, Flipscreen, Gflux, Jigsaw, Ripples, Rotzoomer, Slidescreen, Spotlight, Twang, XteeVee, and Zoom.

Solution & Recommendations
==========================

Disable the offending screensaver, or configure it so that it uses a pre-defined image rather than a snapshot of the desktop.

Exploitation
============

Watch the locked workstation, wait for a vulnerable screensaver to be used, and note any information you may see. To do this covertly, use binoculars or a telescope from a distance.

Credits & Gr33ts
================

B1G-ups t3w: CAU, EFNet #C, NWH, Dr. Emmett Brown (for making time travel possible), and all the authors of the screensavers mentioned above.
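As an added example (not part of the original advisory and not CAU's code), the following Python script turns the Solution & Recommendations section into a repeatable check for XScreenSaver users: it audits a preferences file for the global desktop-grabbing switch and for any enabled hack from the list given in the Technical Explanation, then produces a hardened copy with grabbing turned off and those hacks disabled. It assumes the layout of a `~/.xscreensaver` file and the `grabDesktopImages` resource as XScreenSaver uses them (neither is stated on the page), and the sample preferences file is constructed for the demonstration.

```python
import re

# Desktop-grabbing XScreenSaver hacks named in the advisory above.
OFFENDING_HACKS = {
    "bumps", "distort", "flipscreen", "gflux", "jigsaw", "ripples",
    "rotzoomer", "slidescreen", "spotlight", "twang", "xteevee", "zoom",
}

# Constructed sample of a ~/.xscreensaver preferences file. The layout
# (key: value lines, a "programs:" block with one hack per continuation
# line, a leading "-" marking a disabled entry) is assumed from
# XScreenSaver's format and is not taken from the advisory.
SAMPLE_CONFIG = """\
# XScreenSaver Preferences File
mode:               random
lock:               True
grabDesktopImages:  True
grabVideoFrames:    False
chooseRandomImages: False

programs:                                                     \\
                bsod -root                                  \\n\\
                slidescreen -root                           \\n\\
-               distort -root                               \\n\\
                zoom -root -lambda                          \\n\\
                maze -root                                  \\n\\

"""

# Trailing "\n\" continuation marker on each programs: entry.
CONTINUATION = re.compile(r"\\n\\\s*$")


def _hack_name(entry):
    """Return the hack's command name from a programs: entry (or None)."""
    body = entry.lstrip("-").strip()
    tokens = body.split()
    if tokens and tokens[0].endswith(":"):   # skip a visual prefix like "GL:"
        tokens = tokens[1:]
    return tokens[0].lower() if tokens else None


def parse_programs(text):
    """Return [(hack_name, enabled)] for every entry in the programs: block."""
    entries = []
    in_block = False
    for raw in text.splitlines():
        if not in_block:
            in_block = raw.startswith("programs:")
            continue
        line = CONTINUATION.sub("", raw.strip()).strip()
        if not line:
            break                              # blank line ends the block
        name = _hack_name(line)
        if name:
            entries.append((name, not line.startswith("-")))
    return entries


def grab_desktop_enabled(text):
    """True when the global grabDesktopImages resource is set to True."""
    m = re.search(r"^grabDesktopImages:\s*(\w+)", text, re.M)
    return bool(m) and m.group(1).lower() == "true"


def audit(text):
    """List every setting that lets a locked screen echo the desktop."""
    findings = []
    if grab_desktop_enabled(text):
        findings.append("grabDesktopImages is True")
    for name, enabled in parse_programs(text):
        if enabled and name in OFFENDING_HACKS:
            findings.append(f"desktop-grabbing hack enabled: {name}")
    return findings


def harden(text):
    """Return a copy with desktop grabbing off and offending hacks disabled."""
    text = re.sub(r"^(grabDesktopImages:\s*)\w+", r"\g<1>False", text, flags=re.M)
    out, in_block = [], False
    for raw in text.splitlines():
        if in_block and raw.strip():
            name = _hack_name(raw.strip())
            if name in OFFENDING_HACKS and not raw.strip().startswith("-"):
                # Prefix "-" so XScreenSaver skips the entry; keep the column.
                raw = "-" + (raw[1:] if raw[:1] in " \t" else raw)
        elif in_block:
            in_block = False                   # blank line ends the block
        elif raw.startswith("programs:"):
            in_block = True
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print(harden(SAMPLE_CONFIG))
```

Running the script against the constructed sample reports the global grab switch plus the enabled `slidescreen` and `zoom` entries, while the already-disabled `distort` line and the unaffected `bsod` and `maze` hacks are left alone; the hardened copy audits clean. On a real machine the same functions can be pointed at the contents of `~/.xscreensaver` as a pre-lock sanity check.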