Lucene search
K

Bypass screensaver/locker program on xorg 1.11

🗓️ 22 Jan 2012 00:00:00Reported by RootType 
seebug
 seebug
🔗 www.seebug.org👁 24 Views

Bypass screensaver program on Xorg 1.11, physical access exploit

Code

                                                # 直接Bypass你的锁屏
# 建议从XKB配置中删除XF86Ungrab和Xf86ClearGrab

I recently stumbled upon a funny bug^Wfeature in the Xorg server that could allow attackers with physical access to a machine to bypass the screensaver/screen locker program. Most people use those programs to lock their computer when they are away. On Gnome, gnome-screensaver is responsible for this. On KDE, kscreenlocker is. There is a wide variety of smaller tools doing the same thing, e.g. slock, slimlock, i3lock...

All these tools work more or less the same way: they create a new fullscreen X window, raise it on top of the window stack and grab all mouse and keyboard events. They can optionally disable tty switching. This can seem secure at first glance but all those programs rely on the X server to have exclusive access to the input events and keep the window on top. Unfortunately Xorg does not always cooperate.

I will try to describe what i understand from the bug but keep in mind I'm no X11 expert.
A few years ago, a special keybinding was introduced to "kill" windows who grabbed mouse/keyboard, (mostly for testing/debug purposes ?). This functionality was disabled by default, well documented in the man page and an API was written for programs to disallow this behavior:

Option "AllowClosedownGrabs" "boolean"
    This option enables the use of the Ctrl+Alt+Keypad-Multiply key sequence to kill clients with an active keyboard or mouse grab as well as killing any application that may have locked the server, normally using the XGrabServer(3x) Xlib function. Default: off.
    Note that the options AllowDeactivateGrabs and AllowClosedownGrabs will allow users to remove the grab used by screen saver/locker programs. An API was written to such cases. If you enable this option, make sure your screen saver/locker is updated.

This API allowing to disable the keybinding per application was removed in 2008 with the XFree86-Misc extension (commit here and here). Later, the whole AllowClosedownGrabs code was removed (commit) and all reference to it was expunged from the man page (commit). I never knew about those key bindings and I doubt they were widely used anyway.

#http://gu1.aeroxteam.fr/2012/01/19/bypass-screensaver-locker-program-xorg-111-and-up/
                              

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

22 Jan 2012 00:00Current
7.1High risk
Vulners AI Score7.1
24