We have recently discovered that possibly all screensavers with lock capabilities are prone to a cleaning lady attack. By issuing Alt+SysRq+f you (or a malicious cleaning lady) can make the OOM killer kill your screensaver process and give you access to the screen. This works with xscreensaver, xlock and gnome-screensaver (Debian Bug). As a hotfix, you can write

# echo 446 > /proc/sys/kernel/sysrq

to disable killing of processes with Alt+SysRq+f.

CC-BY-SA Torkild Retvedt

CC-BY-SA Torkild Retvedt

11 Responses to “Cleaning Lady Attack Possible on Debian and Ubuntu Desktop”

  1. Anonymous Says:

    This does not work with gnome-screensaver, default for Ubuntu.

    http://www.mail-archive.com/debian-bugs-rc@lists.debian.org/msg202971.html

  2. Håvard Espeland Says:

    It does not work every time with gnome screensaver, but we were able to kill it that way. Morten wrote that comment before we had thoroughly tested gnome screensaver.

  3. M Says:

    The advantage of having an Apple keyboard is that it lacks a SysRq key.

  4. Aaron Toponce Says:

    I cannot reproduce this with gnome-screensaver on debian sid

  5. mwgamera Says:

    For attack to actually work you must somehow arrange things such that screensaver gets the highest rank. How can you do this without prior access to the machine?
    Anyway, probably all programs that can be killed and that will reveal access upon getting killed are vulnerable. Including good ol’ vlock. The proper fix would require kernel to ensure that such kind of processes won’t ever get killed by OOM. In case of X screensavers there may be easier solutions tho.

  6. El ataque de la señora de la limpieza | Bitelia Says:

    [...] este simpático nombre han bautizado los chicos de PING Labs a un ataque que afecta a Ubuntu y Debian –y posiblemente a muchas otras distribuciones de [...]

  7. Birger Says:

    @M: Also the only advantage?

  8. Lars Olav Dybsjord Says:

    M: Remember that it is possible to connect another keyboard to your usb port :)

  9. Ubuntu-News – Your one stop for news about Ubuntu » Blog Archive » Cleaning Lady Attack Possible on Debian and Ubuntu Desktop Says:

    [...] We have recently discovered that possibly all screensavers with lock capabilities are prone to a cleaning lady attack. By issuing Alt+SysRq+f you (or a malicious cleaning lady) can make the OOM killer kill your screensaver process More here [...]

  10. Kertesz Laszlo Says:

    I tried the fix posted here. It did not work. The oom killer still worked. After a reboot, the value was reset to 1.

    Setting it to 0 (echo 0 > /proc/sys/kernel/sysrq) does work. But i think it disables the alt+sysrq combinations altogether.

    The oom killer still works, even it doesnt kill the screensaver first. Pressing repeatedly it will kill the high mem usage processes, eventually might get to the screensaver. Using the blank screensaver the score is very low, so the oom killer kills other stuff first such as browsers etc.

  11. Lars Olav Dybsjord Says:

    @Kertesz Laszlo: Ahh, I now see that I wrote the wrong value. It should be 447 (or 446) instead of 477.
    Also, if you don’t want it be reset at reboot you must modify /etc/sysctl.conf

    See http://www.mjmwired.net/kernel/Documentation/sysrq.txt for more information.