Inside: SereneScreen Fan Forum

Inside: SereneScreen Fan Forum (https://www.feldoncentral.com/forums/index.php)
-   Marine Aquarium 3 for Windows (https://www.feldoncentral.com/forums/forumdisplay.php?f=46)
-   -   Security issue (https://www.feldoncentral.com/forums/showthread.php?t=4714)

-=R@y-M@n=- 01-18-2009 02:29 PM

Security issue
 
Hello everybody,

First of all, this is an absolute fantastic screensaver!

But:

there is one major security issue. If the screensaver is active and you'll go to the settings window, pushing the website button wil bring you to......indeed....the serenscreen website.

The big flaw is that after that you'll have unlimited acces to browse to every site you want! Even if quiting the screensaver is protected by entering your password! It is also possible to "browse" to a network share and do nasty stuf if you want to!

I know for sure that there are people (including me) that won't use such a marvelous screensaver if it will leave the backdoor wide open!

I hope Jim will do something about it (before it is released anyway)

Regards,
Remon

Jim Sachs 01-18-2009 06:50 PM

Are you saying that on your system, when Windows launches MA3 as a screensaver, the password box doesn't come up when it shuts down to go online?

-=R@y-M@n=- 01-19-2009 04:08 AM

Jim,

no that is not the problem. The problem is that when the screensaver is running and you will go to the settings screen, pushing the "website" button, will open up your browser to go to the serenescreen website. After that it is easy to browse to other sites or go to network shares by entering an other URL......

Closing the browser will resume the screensaver. When leaving the screensaver it does lock the system (you do need to give a password to unlock Windows).
It must be possible (I guess) to "lock" the browser so it can't go to other sites (disable the URL field or something?).

regards, Remon

Yodelking 01-19-2009 04:46 AM

Remon, it works as it should on my computer, bringing up the password-box when I try to launch the website from within MA.
What operating system do you run?

-=R@y-M@n=- 01-19-2009 06:45 AM

vista on a HP elite book 2730p

default browser is Firefox

jleslie 01-19-2009 07:22 AM

...and you've set the screen-saver as password-protected in the control panel?

-=R@y-M@n=- 01-19-2009 07:44 AM

Yes, but it has nothing to do with leaving the screensaver. that is allright; Windows is locked and you have to provide your password.

The problem is during the screen saving. After going to the settings screen, pussing the "website" button, it is possible to browse wherever you want to browse using the poped up (in my case Firefox) browser.

Dale 01-19-2009 09:08 AM

Quote:

Originally Posted by -=R@y-M@n=- (Post 109374)
Yes, but it has nothing to do with leaving the screensaver. that is allright; Windows is locked and you have to provide your password.

The problem is during the screen saving. After going to the settings screen, pussing the "website" button, it is possible to browse wherever you want to browse using the poped up (in my case Firefox) browser.

Where is the MA3Beta.scr file located? (folder, etc.). Did you "install" it?

Could you please describe, step-by-step, exactly what you are seeing, in detail.

1. How is MA3 getting into "screen saving" - automatically after some time? Or how?

2. During the screen saving, how do you get to the settings screen?

3. From the settings screen, how do you press the "website" button?

4. Exactly what happens next?

I know that seems obvious, but each of the first three things above has several different ways of happening. I'm trying to duplicate what you report, but I can't so far - so I need exact, specific, detailed instructions.

Jim Sachs 01-19-2009 09:25 AM

I don't have a Vista machine that's set up for the Internet, so I'll have to rely on you guys to confirm this. It's possible that Vista is not processing the Close message when the Website button is pushed.

Is anyone else having the problem where MA3 does not close when the Website button is pushed?

Dale 01-19-2009 09:29 AM

Nevermind - I'll leave that set of questions there, but I did manage to duplicate it.

Vista Ultimate 32-bit, SP-1, MA3Beta.scr in \windows\system32\, installed.

Set to be the screensaver, the box for displaying the login screen is checked.

Automatic activation, press space bar, move mouse to website box, left-click. Firefox comes up (oddly, leaving a small gap at the bottom). No request for password, etc.

That's the problem being reported. It's Vista-specific.

Closing Firefox (clicking on X-box in upper right) results in the "Locked" screen with the password box required.

Jim Sachs 01-19-2009 10:02 AM

Wow - looking through the code, I just can't figure out how this is happening. When the Website button is pushed, the whole program gets shut down - the Direct3D object is destroyed, all the 3D objects and textures are destroyed and their memory released, the multimedia timer is shut down, the sound buffers are released. It should be one dead parrot. After all that happens, the variable is checked to see if the user wants to go to the website. There should be no way that the program could come back to life afterward.

-=R@y-M@n=- 01-19-2009 10:11 AM

Dale,

You are absolutely right! The steps you describe are exactly the same as I followed. I couldn't describe it better (no really, I couldn't, English is not my native language ;)).

Thinking top of my head now but isn't it possible to include a small custom made HTML browser inside the screen saver instead of relying on the normal browsers? Something Winamp does when looking up information about artists? I'm no expert but i guess it can be better controlled?!?

Jim Sachs 01-19-2009 11:18 AM

No, that would be a nightmare. I just need to find a way to make sure the program closes.

-=R@y-M@n=- 01-19-2009 11:33 AM

OK, won't argue with the big boss :D

besides, I don't have any programming skills so actually I don't know what I'm talking about.

by "closing the program" you do mean "making sure people can't browse to another site when pushing the website button" or "you should first unlock windows before you can continue"?

edit: looking at Dale's answer above, you do want it to first give the password before continuing to the site.

Jim Sachs 01-19-2009 11:48 AM

The first order of business when the Website button is pushed is to close the program. What happens after that depends on several factors. If MA3 had been in Windowed mode, or had been started by clicking the icon, or it had come up as a screensaver but Password-protect had not been turned on, then a browser window should open. But if MA3 had been started automatically by Windows and Password-protect is on, then the password box should come up before the program exits and starts the browser window.

-=R@y-M@n=- 01-19-2009 12:45 PM

These are the reasons I'm no developer (or ever become one). People should always admire people like Jim.

Anyway it is really fun to watch the development of such a great project That's why I especially registered here to report this "feature".

Jav400 01-19-2009 01:12 PM

Glad to have you as a member, and if no one else has beaten me to it yet:

Welcome to our Forum. :)

Dale 01-19-2009 02:42 PM

Quote:

Originally Posted by Jim Sachs (Post 109379)
Wow - looking through the code, I just can't figure out how this is happening. When the Website button is pushed, the whole program gets shut down - the Direct3D object is destroyed, all the 3D objects and textures are destroyed and their memory released, the multimedia timer is shut down, the sound buffers are released. It should be one dead parrot. After all that happens, the variable is checked to see if the user wants to go to the website. There should be no way that the program could come back to life afterward.

Just in case I wasn't clear - MA3 does **NOT** come back to life. Firefox comes up as a browser window. There is "nothing" underneath that window - if I click on [-] minimize, it minimizes to a small box, with an otherwise-black screen. If I click on "Restore Down" it gets smaller, with an otherwise-black screen.

Clicking on [X] Close brings up the password dialog, with no sign of MA3 running anywhere.

Footnote: I think under some conditions "black screen" might actually be "empty desktop", but that's somewhat immaterial.

Dale 01-19-2009 03:21 PM

Quote:

Originally Posted by Jim Sachs (Post 109386)
The first order of business when the Website button is pushed is to close the program. What happens after that depends on several factors. If MA3 had been in Windowed mode, or had been started by clicking the icon, or it had come up as a screensaver but Password-protect had not been turned on, then a browser window should open. But if MA3 had been started automatically by Windows and Password-protect is on, then the password box should come up before the program exits and starts the browser window.

In Vista-Personalize-Screen Saver, it's "On resume, display logon screen" of course.

Yes, what you said is what *SHOULD* happen (and apparently what does happen in XP). However, on my Vista system, what *DOES* happen (under exactly the conditions you describe, with that box checked) is that the browser comes up. There's not a good way to check, but it's my belief (based on timings) that MA3 closes and then the browser opens. Only after the browser closes, does the login screen (password box) come up.

As partial confirmation - with MA3 running, when I wiggle the "mouse", it is clear that FIRST MA3 closes (displaying a screen without icons), and THEN the login screen comes up.

As a test, with the browser open by pressing "space bar" and then selecting website, I pressed Ctrl-Alt-Del. The login screen came up. Logging in gave the normal desktop with no browser open.

=============
One big exposure with the browser window open, is the "Open File" selection on the file pulldown. That allows access to edit (or delete or add) essentially any file (given Vista protections, etc. etc.)

-=R@y-M@n=- 01-19-2009 03:45 PM

Dale,
I'm really happy about the way you "translate" the problem to understandable English. Reading is easy, writing is a whole other thing for me. I'm sure your effort will help making things more clear for Jim (and anybody else). In other words: thanks!

Jav400,
yes, you've beaten everybody else :cool:
Thanks for a warm welcome.

Jim Sachs 01-19-2009 04:05 PM

OK, the problem must be farther up the chain, then. I was basing my diagnosis on the statement "Closing the browser will resume the screensaver."

According to Dale, that statement is not true, and MA3 really does not resume. There's a section of code I added a couple of months ago in answer to Vista users complaining about all the black-screen flashes as the program is shutting down. My solution was to switch to a window just an instant before exiting. That may be causing problems with the password system in Vista.

rps 01-19-2009 04:19 PM

Quote:

Originally Posted by Jim Sachs (Post 109398)
OK, the problem must be farther up the chain, then. I was basing my diagnosis on the statement "Closing the browser will resume the screensaver."

According to Dale, that statement is not true, and MA3 really does not resume. There's a section of code I added a couple of months ago in answer to Vista users complaining about all the black-screen flashes as the program is shutting down. My solution was to switch to a window just an instant before exiting. That may be causing problems with the password system in Vista.

Actually, I don't think that's the problem at all. This is one heck of a security hole, and to be fair, I think it's as much Microsoft's problem as Jim's. Here's what's happening (as far as I can tell):

When the screensaver is launched with "Display logon screen" checked, Vista launches the program in its own "space" (a secure desktop). The logon prompt won't appear until *all* processes in the secure desktop have closed. On my Vista machine, I clicked the website button; then I "requested" c:\windows\system32\cmd.exe, which I was able to save and then run. From my newly opened command window, I was able launch several other windows applications. I didn't get the logon prompt until every last one of them was closed down.

This link may help explain it a little better:

http://www.eggheadcafe.com/forumarch...st25116607.asp

By comparison, Windows XP closes the secure desktop as soon as the screen saver terminates, and kills any child processes immediately. Clicking on the website button on my XP machine terminates the screensaver gives me the logon prompt, but once I've logged in, I never get my browser with the website. (Lost I believe, in the now dead secure desktop.)

I think the solution for Jim is to hide the website button if the screen saver is running in the secure space. It just shouldn't be allowed when it's running from a "locked" screen saver. (I believe that you can detect this by using the WinAPI function OpenInputDesktop. If OpenInputDesktop fails with the last error of "Access is Denied" (error code 5), then you are in secured mode.

Hope this helps!

~Ralph S.

Edgar 01-19-2009 04:54 PM

I have duplicated the problem and looking for a good solution.
I will let Jim know as soon as I have a good solution. Thanks for all the info. That helped narrow it down.

feldon34 01-19-2009 05:14 PM

It really seems a shame that it falls to Jim to work around all these bugs and design flaws in Vista.

Jim Sachs 01-19-2009 06:00 PM

Thanks, Ralph - that may help.

Dale 01-19-2009 08:26 PM

rps, there's a "downside" to the suggested solution of hiding the website button (under the circumstances).

Some people may believe that MA is only a screensaver, and will therefore (without some complicated instructions) NOT be able to get to the website button.

That's relevant to the update issue.

rps 01-20-2009 10:24 AM

Quote:

Originally Posted by Dale (Post 109410)
rps, there's a "downside" to the suggested solution of hiding the website button (under the circumstances).

Some people may believe that MA is only a screensaver, and will therefore (without some complicated instructions) NOT be able to get to the website button.

That's relevant to the update issue.

Yeah, I thought of that; but the fact is, if the user has configured their system to require a password once the screensaver has kicked in, then [interactive] access to the web is pretty much a non-starter. The way to handle access to the web is to have the MA3 install program add a shortcut to the start menu that takes the user to the website.

Also, I disagree with your assertion that people who think MA is only a screensaver will not be able to get to the website - the website button *would* be available through the screensaver settings dialog.

~Ralph S.

Dale 01-20-2009 11:07 AM

Good discussion points, with advantages and disadvantages. Jim (and perhaps others) will have to sort out the technical underpinnings, benefits, and drawbacks.

And we haven't seen the "MA3 install program" concept yet.

In this case, I'm hoping that a way exists to get the software to work the way it should in Vista (the same as it does in XP). Having different external behavior depending on the OS, isn't a good thing if it can be avoided.

Shinsa 01-21-2009 09:10 AM

Vista 64 also allows bypass from the website button.

The really bad part isn't the internet access, as it is being able to type in "c:\" at that prompt! I haven't looked at everything I can do from there, but I was able to browse to my desktop, and open web-friendly files (.TXT, .PDF, etc..).

I'm wondering if there are other screen savers that allow this?

Shinsa 01-21-2009 09:46 AM

MAT 2.6 does this as well.

I did verify, that you can not browse to other users files. Only the user account that had the SS start.

Jim Sachs 01-21-2009 09:52 AM

And Beta8e still does this?

Dale 01-21-2009 11:10 AM

Quote:

Originally Posted by Jim Sachs (Post 109458)
And Beta8e still does this?

Well, the behavior is somewhat different. Vista Ultimate 32-bit.

Clicking on the Website button, I get a blank desktop and a dialog box that says "There is no file extension in "C:\Program". - with the usual "OK" button to click.

Clicking on that, I get the Password (Vista locked) screen.

So, the security problem seems to be fixed. Now, Edgar needs to get rid of the extraneous dialog box (unless we're doing this for humor).

;)

cjmaddy 01-21-2009 11:29 AM

Has nobody bothered to read Item 4, in my post?
Quote:

4, When I click the 'Website' button, MA3 closes down and I get a 'Windows Script Host' box which states the meaningless error message: - 'There is no file extension in "D:\Program". [OK]'
Are we wasting our time?

Edgar 01-21-2009 11:39 AM

This is still a bug. Hopefully will be fix in the next build.

Jim Sachs 01-21-2009 12:00 PM

Try Beta 8f: http://www.fish-byte.com/MA3Beta.zip

Dale 01-21-2009 12:24 PM

Quote:

Originally Posted by cjmaddy (Post 109467)
Has nobody bothered to read Item 4, in my post?

Are we wasting our time?

I read that post (which was not in this thread), and I was confirming it in this thread. Sorry if that gave offense.

I'm sure the bug will be fixed (or maybe already has been fixed in 8f, which I don't immediately have time to confirm).

cjmaddy 01-21-2009 12:54 PM

Dale, - no offence taken. - My comment was not intended to appear to be directed at you.

Dale 01-21-2009 01:34 PM

Just downloaded 8f. [Note: the .scr file in the .zip has a timestamp earlier than 8e]

Verified that the screen does say Beta8f.

Clicking on the website button now says "Can not find script file "C:\Program Files\SereneScreen\Marine Aquarium 2.6\openserenescreen.js.

Clicking OK then brings up password box.

feldon34 01-21-2009 02:20 PM

Don't be surprised if bug reports in that "READ ME" thread get lost in the shuffle. The thread was never designed for bug reports.

Edgar 01-21-2009 02:36 PM

Dale,
Do you have UAC enabled?
I am curious if it is failing to write a file in the MA26 folder.


All times are GMT -6. The time now is 01:43 AM.

Powered by vBulletin®
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.