Xorg Screen Locking Vulnerability

January 19, 2012

As reported on seclists, pressing ctrl+alt+* effectively bypasses Xorg’s screen locking mechanism.

According to the report, this bug was apparently introduced in revision xorg-server-1.10.99.902, which dates its introduction to around the end of June/early August.

I just tried it on Fedora 16 w/XFCE and I was able to bypass the password prompt with no issue. Quite scary!

If you want to test it, you can lock your screen by using the following command, or letting the screensaver do it automatically:

/usr/bin/xscreensaver-command -display :0.0 -lock

Note that the display might be different; you can run “echo $DISPLAY” to find it if that doesn’t work.

Then, just press “ctrl+alt+*” to see if you are affected.

A quick fix is listed below and was found here: http://seclists.org/oss-sec/2012/q1/197


vim /usr/share/X11/xkb/compat/xfree86

comment out lines ~44-49 seen below

interpret XF86_Ungrab {
action = Private(type=0x86, data="Ungrab");
};
interpret XF86_ClearGrab {
action = Private(type=0x86, data="ClsGrb");
};

run: setxkbmap $(setxkbmap -query | grep layout | awk '{print $2}')
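
The workaround above can be verified with a script. The following is an added example, not part of the original post or the seclists message: it lists which of the two interpret blocks are still active in a compat file and prints a copy with them commented out. The function names and the sample file contents are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit an XKB compat file for the two interpret blocks named
# in the workaround, and emit a copy with those blocks commented out.

# Print the name of each XF86_Ungrab / XF86_ClearGrab interpret block that is
# still active (not behind a // comment) in file $1.
xkb_active_grab_actions() {
    awk '
        { sub(/\/\/.*/, "") }    # ignore anything after //
        match($0, /interpret[ \t]+XF86_(Ungrab|ClearGrab)/) {
            n = split(substr($0, RSTART, RLENGTH), w, /[ \t]+/)
            print w[n]
        }' "$1"
}

# Write file $1 to stdout with both interpret blocks commented out, from the
# "interpret ... {" line through the closing "};". Other lines pass through.
xkb_comment_out_grab_actions() {
    awk '
        /^[ \t]*interpret[ \t]+XF86_(Ungrab|ClearGrab)[ \t]*[{]/ { inblk = 1 }
        inblk { print "// " $0; if ($0 ~ /[}];/) inblk = 0; next }
        { print }' "$1"
}

# Constructed sample input (not a copy of the distribution file).
write_sample_compat() {
    cat > "$1" <<'EOF'
interpret XF86_Switch_VT_1 {
    action = SwitchScreen(Screen=1, !SameServer);
};
interpret XF86_Ungrab {
    action = Private(type=0x86, data="Ungrab");
};
interpret XF86_ClearGrab {
    action = Private(type=0x86, data="ClsGrb");
};
EOF
}

# Demo: audit the sample, apply the edit to a copy, audit again.
tmp=$(mktemp -d)
write_sample_compat "$tmp/xfree86"
echo "active before: $(xkb_active_grab_actions "$tmp/xfree86" | tr '\n' ' ')"
xkb_comment_out_grab_actions "$tmp/xfree86" > "$tmp/xfree86.fixed"
echo "active after:  $(xkb_active_grab_actions "$tmp/xfree86.fixed" | tr '\n' ' ')"
rm -rf "$tmp"
```

To audit a real system, call xkb_active_grab_actions /usr/share/X11/xkb/compat/xfree86; empty output means neither block is active in that file. After editing the file, the setxkbmap command above reloads the keymap.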

It looks like Arch already has a patch for it too.

It is a good assumption that anyone with physical access to a machine can compromise it, but such a blatant bypass of security, without even having to reboot the machine, is pretty scary!

UPDATE 01/20/2012: A patch is available for Fedora 16; it was published last night around 10PM.
