|
|
Subscribe / Log in / New account

X.org screensaver bypass found

[Posted January 19, 2012 by jake]

A debugging feature introduced into the X.org server 1.11 can be used by someone with physical access to the system to bypass the screensaver. First reported by "Gu1" on their blog and on the oss-security mailing list. The key sequence Ctrl-Alt-KeypadMultiply will bypass any screensaver. A workaround has been posted, but one would expect an update from X.org before long.
to post comments

X.org screensaver bypass found

Posted Jan 19, 2012 17:03 UTC (Thu) by Kit (guest, #55925) [Link]

Wow, now that's pretty unsettling.

Simply throwing a window up over the other windows has bothered me for several years (ever since the first time I saw GAIM open a window over a locked screen saver!). It seemed like a hack just to have something (sort of like the login screen on Windows 9x, where clicking 'cancel' would log you in anyways!).

Obviously a determined attacker with physical access will be able to eventually bypass any protection... but one would at least hope that the measures in place would be enough to defeat the casual walker-byer!

Never really worked that well

Posted Jan 19, 2012 17:29 UTC (Thu) by epa (subscriber, #39769) [Link]

The X screen locking has always been a bit flaky. On a heavily loaded machine, it might take several seconds between invoking 'xlock' and the screen becoming locked - the screen is not locked while the fancy graphics are set up.

X.org screensaver bypass found

Posted Jan 19, 2012 17:57 UTC (Thu) by ncm (guest, #165) [Link] (9 responses)

Do people still run screensavers? That's pretty irresponsible. The monitor should be turned off, and most of the box too.

But this is really about automatic time-out screen locking, and authentication. We're still at a very primitive stage there. Arguably the machine should give you library-PC features with no authentication, and then enable more features as it gains confidence that it's really you. Passwords would be just a way to speed that up. To recognize keyboard timing signatures would give enough security, by itself, for almost everything.

X.org screensaver bypass found

Posted Jan 19, 2012 21:29 UTC (Thu) by nteon (subscriber, #53899) [Link] (4 responses)

this affects the 'lock screen' function in gnome-shell on my fedora 16 box, so its not just screensavers

X.org screensaver bypass found

Posted Jan 20, 2012 8:49 UTC (Fri) by rvfh (guest, #31018) [Link] (3 responses)

Does not seem to affect my Kubuntu 11.10 machine... or am I missing something?
Ctrl Alt (keypad)* correct? Does nothing on my locked machine.

X.org screensaver bypass found

Posted Jan 20, 2012 9:19 UTC (Fri) by Pawlerson (guest, #74136) [Link] (2 responses)

According to Phoronix you're safe with the current Kubuntu/Ubuntu. :)

X.org screensaver bypass sponsored by Canonical

Posted Jan 26, 2012 22:06 UTC (Thu) by gvy (guest, #11981) [Link] (1 responses)

Yes, Daniel Stone of Ubuntu took care of screwing up for the others. Thank you, Dan.

X.org screensaver bypass sponsored by Canonical

Posted Jan 26, 2012 22:26 UTC (Thu) by daniels (subscriber, #16193) [Link]

Thanks for the random drive-by abuse, but I haven't been a part of or contributed anything to Ubuntu since I left Canonical over six years ago.

X.org screensaver bypass found

Posted Jan 19, 2012 22:26 UTC (Thu) by Kit (guest, #55925) [Link] (3 responses)

> Do people still run screensavers? That's pretty irresponsible.
> The monitor should be turned off, and most of the box too.

I don't run a screen saver on any machine to 'save the screen' or 'provide pretty pictures when I'm not there'.

On Windows, my screen saver starts up (blank) at the same time as the system is set to shut off the monitor. Attempting to wake up the system after this time results in being presented with the lock screen, which runs in a different desktop context than the desktop itself. I'll suspend the system if I'm going to be away for more than a couple minutes and don't have anything running that'll be aversely affected by being paused (i.e. no active network operations).

On OSX, the situation is largely the same. Lock screen presented upon resume, and set to suspend very aggressively (a suspend/resume cycle is incredibly short).

On Linux, I only use hibernate, because suspend still isn't reliable for me... unfortunately, this takes upwards of 10 minutes to shut the machine down. When it comes back up, it has the screen saver running as a lock screen, to require the user to enter a password before they can actually use the machine. I really hate using the screen saver as the screen "lock", it's very sluggish to start and even worse to bring up the password box (if it's been idle for at least a few minutes, /10 seconds/ to show the box isn't unusual). It's also hard to tell when the resume has finished with the blank screen saver (I can't tell if it's showing the screen saver or if it's still resuming), so I might end up having to actually install and use a screen saver that actually shows something. Certainly the worst of the three for me.

X.org screensaver bypass found

Posted Jan 20, 2012 1:14 UTC (Fri) by nix (subscriber, #2304) [Link] (2 responses)

On Linux, I only use hibernate, because suspend still isn't reliable for me... unfortunately, this takes upwards of 10 minutes to shut the machine down
That sounds like a bug. When you say 'hibernate', do you mean the hibernate script that is part of TuxOnIce? If so, you might want to mention it on one of the tuxonice lists, and see if there's anything that can be done to speed things up. My 12Gb two-disk machine takes under a minute to suspend.

X.org screensaver bypass found

Posted Jan 20, 2012 2:05 UTC (Fri) by Kit (guest, #55925) [Link] (1 responses)

I don't believe I'm using TuxOnIce, it doesn't appear that's what Fedora uses based on a quick search. It spends the time on preallocating space for the image (the exact wording is slightly different)... it would be nice if it at least had some sort of progress indicator. The part where it's actually dumping the memory to disk doesn't take close to as long.

X.org screensaver bypass found

Posted Jan 23, 2012 10:07 UTC (Mon) by sebas (guest, #51660) [Link]

That's actually two issues TuxOnIce solved quite nicely: smarter and faster preparation of the hibernate process, and showing progress while doing it (and also being able to cancel it while it's hibernating).

I haven't tried it in a while though. It used to be very reliable for me, but nowadays, I'm just using S3.

X.org screensaver bypass found

Posted Jan 19, 2012 18:24 UTC (Thu) by prometheanfire (subscriber, #65683) [Link] (1 responses)

Bunch of people use this at work,

Already changed their background and put a new screensaver up (with a custom message). Who said bugs can't be fun :D

X.org screensaver bypass found

Posted Jan 26, 2012 22:13 UTC (Thu) by gvy (guest, #11981) [Link]

This blogpost has some discussion of that kind of fun...

X.org screensaver bypass found

Posted Jan 19, 2012 18:30 UTC (Thu) by mgedmin (subscriber, #34497) [Link] (3 responses)

Hm, I see the XF86ClearGrab binding is active in my 'xkbcomp :0 -' output on Ubuntu 11.10 (both the mapping and the interpret bits), and I can see XF86ClearGrab show up in xev output, but when I press it when the screensaver is active, nothing happens. Huh?

X.org screensaver bypass found

Posted Jan 19, 2012 18:43 UTC (Thu) by zwenna (guest, #64777) [Link] (2 responses)

Ubuntu 11.10 still has xserver 1.10, so is not vulnerable.

X.org screensaver bypass found

Posted Jan 19, 2012 19:36 UTC (Thu) by __alex (guest, #38036) [Link]

Unless like me you use the xorg-edgers ppa in which case you definitely are vulnerable :(

X.org screensaver bypass found

Posted Jan 19, 2012 22:43 UTC (Thu) by mgedmin (subscriber, #34497) [Link]

You mean this version of hw/xfree86/dixmods/xkbPrivate.c doesn't handle Private(type=0x86, data="clsgrab"), so there's no harm of that action existing in my xkb config? Now it makes sense to me.

X.org screensaver bypass found

Posted Jan 19, 2012 18:57 UTC (Thu) by theophrastus (guest, #80847) [Link] (3 responses)

sweet_zombie_jesus! (and here all this time i was typing in my password to get back in like a chump [wink]) can someone explain what proper function this 'feature' was intended to serve ...debugging backdoor? [looks down at keyboard and wonders about all the other possible ctrl-alt-strange_keys]

X.org screensaver bypass found

Posted Jan 19, 2012 19:38 UTC (Thu) by daniels (subscriber, #16193) [Link] (2 responses)

It's meant to be a debugging aid for app and toolkit developers, who need to break stuck grabs from time to time. It wasn't meant to be enabled by default, but that apparently got lost in a miscommunication between myself and the keyboard layout maintainer, and I didn't think to double-check afterwards. Oh well.

http://lists.x.org/archives/xorg-devel/attachments/201201... is the recommended patch.

X.org screensaver bypass found

Posted Jan 20, 2012 0:57 UTC (Fri) by daniels (subscriber, #16193) [Link]

This is now fixed with xkeyboard-config 2.5: http://listserv.bat.ru/xkb/Message/8375.html

X.org screensaver bypass found

Posted Jan 26, 2012 22:19 UTC (Thu) by gvy (guest, #11981) [Link]

You must have had bothered to mark the change clearly in the code commit *you* made -- and must have had communicated that to the others working on it as well.

It's not "oh well". It's why six-month-craze is counterproductive.

#include <stdflame/ubuntu>

*whew*

Posted Jan 19, 2012 20:06 UTC (Thu) by dskoll (subscriber, #1630) [Link] (1 responses)

Running Debian Squeeze and X.Org 1.7.7. Glad not to be on bleeding-edge :)

*whew*

Posted Jan 27, 2012 1:20 UTC (Fri) by etrusco (guest, #4227) [Link]

I wonder who would use a bleeding edge distro while needing a stable system with shared physical access?

X.org screensaver bypass found

Posted Jan 19, 2012 21:00 UTC (Thu) by thyrsus (guest, #21004) [Link] (1 responses)

This is present in Fedora 16. In my experience, after using it once, the screen lock refuses to start again until I log out and back in.

X.org screensaver bypass found

Posted Jan 19, 2012 22:23 UTC (Thu) by pabs (subscriber, #43278) [Link]

Thats because this screen combo appears to kill gnome-screensaver at least. One would hope such screenlockers detect a stuff going away and re-aquire grabs etc.

X.org screensaver bypass found

Posted Jan 20, 2012 3:44 UTC (Fri) by whot (subscriber, #50317) [Link]

fwiw, I've posted a summary of the issue, its history and its effects, here:

http://who-t.blogspot.com/2012/01/xkb-breaking-grabs-cve-...

X.org screensaver bypass found

Posted Jan 20, 2012 12:35 UTC (Fri) by v13 (guest, #42355) [Link] (1 responses)

Quick hack:

xkbcomp :0 - > /tmp/koko.map

vi /tmp/koko.map

... remove the Multiply thingy that causes this ...

xkbcomp /tmp/koko.map :0

X.org screensaver bypass found

Posted Jan 20, 2012 13:41 UTC (Fri) by zzxtty (guest, #45175) [Link]

You want to remove both KPMU and KPDV.

Fedora 16 fix already rushed to stable.

Posted Jan 23, 2012 7:21 UTC (Mon) by gilboa (guest, #23856) [Link]

As the title suggests.
Quick yum update + login/logout is very-much-advised.

- Gilboa


Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds