Security issue: Locked computer and Virtualbox

**LordVeovis** · January 16th, 2012

How to reproduce:
Virtualbox running an OS that does not support keyboard and mouse integration that currently has captured the keyboard and mouse. Wait for your time out to have the screen locked.

Effect: You come back into the computer not being prompted for a password and will continue to not be prompted for a password until your focus changes away from Virtualbox, at which point you will immediately be prompted for a password.

This poses HUGE security problems as someone has complete access to your VM without needing to know your user information.

**Dangertux** · January 16th, 2012

I'm not sure how I understand that this is a security issue, if you attempt to do something on the guest system you are not prompted for a password, however if you attempt to move into the host you will be?

You can not expect a desktop environment to protect a virtualized OS, it doesn't work that way.

I might be misunderstanding you though. Also I can't reproduce what you're doing.

**Azdour** · January 16th, 2012

Hi,

I think what the OP is saying and I have seen this too, but rarely in Ubuntu 10.04, is the following:

Lets say the screen-saver is set up to kick in after 20 minutes of inactivity and to lock the machine.

I am running VirtualBox and after 20 minutes of inactivity the screen-saver does not kick in until the VirtualBox window looses focus.

This means the computer never locks and people can use your VirtualBox on your machine. If they try and do anything else with Ubuntu then the screen-saver and lock kicks in. It's as if it had been waiting because it was somehow blocked by an in-focus VirtualBox window (not that I think this is the what the issue is, just coming at it from a developers angle).

That being the case, it has been said on many occassions on this forum that having direct access to a machine is always a security vulnerability.

**Dangertux** · January 16th, 2012

Originally Posted by Azdour

Hi,

I think what the OP is saying and I have seen this too, but rarely in Ubuntu 10.04, is the following:

Lets say the screen-saver is set up to kick in after 20 minutes of inactivity and to lock the machine.

I am running VirtualBox and after 20 minutes of inactivity the screen-saver does not kick in until the VirtualBox window looses focus.

This means the computer never locks and people can use your VirtualBox on your machine. If they try and do anything else with Ubuntu then the screen-saver and lock kicks in. It's as if it had been waiting because it was somehow blocked by an in-focus VirtualBox window (not that I think this is the what the issue is, just coming at it from a developers angle).

That being the case, it has been said on many occassions on this forum that having direct access to a machine is always a security vulnerability.

That makes sense though, if the mouse/keyboard are captured. I don't know. I am not a Ubuntu Developer so I'm not sure if this is "working as intended" or not, I just don't see how else it would work since Vbox captures your mouse/key input.

**Habitual** · January 16th, 2012

Originally Posted by dangertux

...you can not expect a desktop environment to protect a virtualized os, it doesn't work that way.

+1

**CharlesA** · January 16th, 2012

I would think that it would be easier/better to just lock the machine when you walk away. *shrug*

**LordVeovis** · January 16th, 2012

Originally Posted by Dangertux

You can not expect a desktop environment to protect a virtualized OS, it doesn't work that way.

Not expecting a host system to protect the guest, I am expecting the host system that is set to lock the system after a given period of time to actually lock the system.

Originally Posted by Azdour

Hi,

I think what the OP is saying and I have seen this too, but rarely in Ubuntu 10.04, is the following:

Lets say the screen-saver is set up to kick in after 20 minutes of inactivity and to lock the machine.

I am running VirtualBox and after 20 minutes of inactivity the screen-saver does not kick in until the VirtualBox window looses focus.

This means the computer never locks and people can use your VirtualBox on your machine. If they try and do anything else with Ubuntu then the screen-saver and lock kicks in. It's as if it had been waiting because it was somehow blocked by an in-focus VirtualBox window (not that I think this is the what the issue is, just coming at it from a developers angle).

That being the case, it has been said on many occassions on this forum that having direct access to a machine is always a security vulnerability.

Yes that is basically what I am saying. The 'screen saver' (which I have none set, just set to lock the system) DOES kick in, aka screen fades to black as it would when it locks, however you are not prompted for a PW until you lose focus on the VM.

Also on the note of direct access I am fully aware that direct access will bypass 99.9% of security on the system. I have luks encryption on it as well which add least places some barriers in the way. Aside from that there is a significant amount of time involved (in terms of my situation) with getting access to the system. There is a difference in someone coming in the room and moving the mouse and seeing what you are doing and sitting down at the computer with full access trying to get at your data. I am more concerned with the former.

**LordVeovis** · January 16th, 2012

Originally Posted by CharlesA

I would think that it would be easier/better to just lock the machine when you walk away. *shrug*

You are right, it is safer to do so, but not always practical as I then have to leave the guest session to manually lock the system as you cannot lock it while your guest has focus.

**Ms. Daisy** · January 16th, 2012

Why don't you just set the OS inside of the VM to require a password upon wake up? That way everything requires a password no matter where the mouse is captured.

**georgemc** · January 16th, 2012

Not sure if this is a bug or just normal behavior. Ran across this awhile back and dismissed it as a quirk in Gnome2 or X11.

It can be easily reproduced by just clicking on a pull down menu and letting the cursor sit there (see the enclosed picture). This is not just limited to VM s.

The good thing is that when you click the cursor any where else the screen saver and locking mechanism do kick in.

The security exposure would be that the screen remains visible and appears to be unsecured, until someone clicks anywhere else. For example: if you go to the pull down menu to lock the screen and just leave the cursor over “Lock Screen” and OOPS do not click on the item, then this will happen too.

I am using 10.04.3LTS Ubuntu with the standard Gnome2.

Q: Can this be reproduced in the other DE s like KDE, Gnome3, Unity, XFCE?

Interesting

George