Cleaning Lady Attack Possible on Debian and Ubuntu Desktop

We have recently discovered that possibly all screensavers with lock capabilities are prone to a cleaning lady attack. By issuing Alt+SysRq+f you (or a malicious cleaning lady) can make the OOM killer kill your screensaver process and give you access to the screen. This works with xscreensaver, xlock and gnome-screensaver (Debian Bug). As a hotfix, you can write

# echo 446 > /proc/sys/kernel/sysrq

to disable killing of processes with Alt+SysRq+f.

CC-BY-SA Torkild Retvedt
CC-BY-SA Torkild Retvedt

11 thoughts on “Cleaning Lady Attack Possible on Debian and Ubuntu Desktop”

  1. It does not work every time with gnome screensaver, but we were able to kill it that way. Morten wrote that comment before we had thoroughly tested gnome screensaver.

  2. For attack to actually work you must somehow arrange things such that screensaver gets the highest rank. How can you do this without prior access to the machine?
    Anyway, probably all programs that can be killed and that will reveal access upon getting killed are vulnerable. Including good ol’ vlock. The proper fix would require kernel to ensure that such kind of processes won’t ever get killed by OOM. In case of X screensavers there may be easier solutions tho.

  3. M: Remember that it is possible to connect another keyboard to your usb port :)

  4. I tried the fix posted here. It did not work. The oom killer still worked. After a reboot, the value was reset to 1.

    Setting it to 0 (echo 0 > /proc/sys/kernel/sysrq) does work. But i think it disables the alt+sysrq combinations altogether.

    The oom killer still works, even it doesnt kill the screensaver first. Pressing repeatedly it will kill the high mem usage processes, eventually might get to the screensaver. Using the blank screensaver the score is very low, so the oom killer kills other stuff first such as browsers etc.

Comments are closed.