
Every Linux screen locker bypassed with a keypress - Jonhoo
http://seclists.org/oss-sec/2012/q1/200
======
tmhedberg
For Arch Linux users, a patch has already been applied [1] to the xkeyboard-
config package in [extra] this morning which corrects this issue by disabling
the problematic "debug keys" in the X keymap. Update your system and restart
X, and the issue should go away.

[1] <http://mailman.archlinux.org/pipermail/arch-general/2012-January/024297.html>
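Added example (the editor's, not code from the thread, from Arch or from the xkeyboard-config project): a small POSIX shell check that scans an `xkbcomp` keymap dump for the XF86Ungrab / XF86ClearGrab keysyms, which are what the debug grab key bindings resolve to. A system that has picked up the patched xkeyboard-config should show no such binding. The two keymap fragments are constructed samples, and the `xkbcomp -xkb "$DISPLAY" -` invocation for dumping the live keymap is an assumption.

```shell
#!/bin/sh
# Added example: detect whether an XKB keymap still binds the Xorg "debug"
# grab keysyms (XF86Ungrab / XF86ClearGrab) behind the debug key combos.

# has_debug_grab_keys: read a keymap dump (xkbcomp output) on stdin, print
# the offending lines with line numbers, return 0 if a debug grab keysym is
# bound and 1 otherwise (grep's own exit status).
has_debug_grab_keys() {
    grep -nE 'XF86(Ungrab|ClearGrab)'
}

# Constructed sample: a keymap fragment that still carries the debug keys,
# modelled loosely on the grab_debug symbols (a real dump will differ).
VULNERABLE_KEYMAP='xkb_symbols "pc+us+srvr_ctrl(grab_debug)" {
    key <KPMU> {
        type= "CTRL+ALT",
        symbols[Group1]= [ KP_Multiply, NoSymbol, NoSymbol, NoSymbol, XF86Ungrab ]
    };
    key <KPDV> {
        type= "CTRL+ALT",
        symbols[Group1]= [ KP_Divide, NoSymbol, NoSymbol, NoSymbol, XF86ClearGrab ]
    };
};'

# Constructed sample: the same keys after the debug bindings were removed.
FIXED_KEYMAP='xkb_symbols "pc+us" {
    key <KPMU> { [ KP_Multiply ] };
    key <KPDV> { [ KP_Divide ] };
};'

# report NAME TEXT: print a verdict for a keymap given as a string; always
# returns 0 so the script is safe to source under "set -e".
report() {
    if printf '%s\n' "$2" | has_debug_grab_keys >/dev/null; then
        echo "$1: debug grab keysyms still bound (update xkeyboard-config and restart X)"
    else
        echo "$1: no XF86Ungrab/XF86ClearGrab binding found"
    fi
}

report "constructed vulnerable keymap" "$VULNERABLE_KEYMAP"
report "constructed fixed keymap" "$FIXED_KEYMAP"

# Live check of the running X server, only when one is reachable.
# Assumed invocation: "xkbcomp -xkb DISPLAY -" writes the active keymap to stdout.
if [ -n "${DISPLAY:-}" ] && command -v xkbcomp >/dev/null 2>&1; then
    if xkbcomp -xkb "$DISPLAY" - 2>/dev/null | has_debug_grab_keys; then
        echo "$DISPLAY: debug grab keys are active in the current keymap"
    else
        echo "$DISPLAY: current keymap does not bind the debug grab keys"
    fi
fi
```

Run it as a plain script; the live check is skipped when no X display or no `xkbcomp` is available, so the constructed samples alone show the two outcomes.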

------
stewbrew
The headline is simply wrong.

"So from a superficial analysis anything since 1.10.99.902 could be
vulnerable."

That's not _every_ linux screen locker. E.g. ubuntu 10.04 isn't affected.

~~~
mindstab
presumably because 10.04 is using an older version, being almost 2 years old
now.

~~~
watty
I think that was his point. "Every windows machine affected" doesn't mean
Windows 7 only.

~~~
sirclueless
I think it's pretty clear: "Every Linux screen locker" means every screen
locking program that runs on linux, not every version of linux.

The bug is in Xorg, if you have any screen-locker running on a version with
the bug, then it can be bypassed.

------
zokier
How did this happen? I mean, I understand the debug key combinations, but how
did they get mapped to actual keys? The commit says _To use these, you need to
modify your XKB maps_.

~~~
sirclueless
The problem is that some versions of linux ship with those modifications in
their default keyboard maps. For example, ArchLinux had them until recently in
their xkeyboard-config package.
<http://mailman.archlinux.org/pipermail/arch-general/2012-January/024297.html>

------
utefan001
Here is the commit.
[http://cgit.freedesktop.org/xorg/xserver/commit/?id=7d2543a3...](http://cgit.freedesktop.org/xorg/xserver/commit/?id=7d2543a3cb3089241982ce4f8984fd723d5312a1)

~~~
slipperyp
All the cgit.freedesktop.org links in the seclists thread time out for me. Do
they point to the commit or work for others?

~~~
lepht
The offending commit[1] loads fine for me, but I'd rather not call out some
poor OSS contributor by name here.

My question is: what is the actual function/line that causes the screen lock
to die? My C knowledge is close to non-existent, but the ungrab all function
looks a bit suspicious. Some commentary by someone who understands what's
going on here would be appreciated.

[1]:
[http://cgit.freedesktop.org/xorg/xserver/commit/?id=7d2543a3...](http://cgit.freedesktop.org/xorg/xserver/commit/?id=7d2543a3cb3089241982ce4f8984fd723d5312a1)

~~~
yew
X11 screen lockers (usually) work by filling the screen and grabbing all
keyboard and mouse input. The UngrabAllDevices function interferes with this
functionality, and optionally kills the "offending" process.

Said functionality is entirely intentional, although presumably the author
didn't consider the implications outside of a debugging context.

------
naner
I don't understand the key presses used. Is the "Multiply" key the asterisk
(Shift+8)?

And also the + key on the numpad works?

I was unable to get slock to crash, using a US laptop keyboard. :/

~~~
ericmoritz
It's the * numpad key, Ctrl-Alt-Shift-8 doesn't work but if my coworker turns
on numlock and does Ctrl-Alt-* with the numpad key the screen lock turns off.

~~~
sagarun
It won't work on laptops (most laptops won't have a numpad). Of course you can
crack into the laptop using an external keyboard.

~~~
huhtenberg
Most laptops have the _Fn_ button.

Fn+ScrLk is NumLk, and then Ctrl-Alt-8 (on my Lenovo) is exactly the same as
Ctrl-Alt-Numpad/8 on a regular keyboard.

------
lucian1900
Doesn't appear to work on Ubuntu Oneiric. Perhaps because it's running
LightDM?

~~~
rufugee
I'm on Oneiric running Kubuntu, and it doesn't seem to work with the KDE
screen lock.

~~~
buu700
Yep, also running Kubuntu Oneiric; nothing.

Edit: Actually, wait, I'm still on Natty. Still nothing though.

~~~
Florin_Andrei
Yup, also on 11.04 Natty. Tried with and without Numlock LED turned on,
nothing happened.

------
rbanffy
Since it's been demonstrated not every Linux screen locker is vulnerable, how
about changing the title?

~~~
Jonhoo
Seems like I'm not allowed to change it anymore?

------
mrinterweb
Just tried it on Ubuntu 11.10. Did not work.

~~~
mrpollo
Same here, 11.10 didn't work

------
cookiecaper
Man, that is pretty crazy. Ctrl+Alt+* and the whole screensaver goes away just
like that and everything on the workstation is accessible. Glad this
vulnerability is getting more attention; I think it's obvious the feature
should only be enabled in debug builds.

~~~
regularfry
It's not yet obvious it was intentional, to my knowledge.

~~~
sirclueless
It's pretty obvious that it wasn't intentional. Or rather, that there was some
miscommunication. Someone added a debugging feature that gets rid of programs
that have grabbed the screen, and which is enabled by mapping some key
combination to a function. They probably realized this was dangerous to enable
generally. Someone else saw the recommended key combination and packaged it
for general distribution, not realizing that it was a dangerous function that
shouldn't be mapped ordinarily.

------
mrb
Of course, if you think you are safe because your keyboard does not have a
numeric keypad: you are not. The attacker can just plug in a USB keyboard with
a numpad and use it. Yay plug-n-play!

------
Dylan16807
While this may be a 'debug' feature it sounds useful for when a fullscreen app
locks up. If not these key combinations, what are you intended to do in such a
situation?

~~~
secure
According to the commit in question
([http://cgit.freedesktop.org/xorg/xserver/commit/?id=7d2543a3...](http://cgit.freedesktop.org/xorg/xserver/commit/?id=7d2543a3cb3089241982ce4f8984fd723d5312a1)),
the feature either releases all grabs or kills clients which have any active
grabs.

A regular fullscreen application (such as MPlayer, VLC, Chromium, …) does
_not_ grab the keyboard and/or pointer. However, applications like pinentry-
gtk (for things like entering your GPG passphrase) or screenlockers do grab
the keyboard and pointer.

So, in short: no, this doesn’t seem useful in that case. And what you are
usually intended to do is use the shortcuts of your window manager to kill the
window/application or switch to a different workspace/desktop with a shortcut
and kill the process from there.

~~~
nitrogen
_A regular fullscreen application (such as MPlayer, VLC, Chromium, …) does not
grab the keyboard and/or pointer._

Regular fullscreen _games_ do, however. If there were some way to distinguish
between a lock screen and a game, it would be worthwhile to keep the feature
around.

------
Tinned_Tuna
I attempted to replicate this (attempted being the operative word, I could've
been doing it wrong) with Ubuntu 11.10 and a GB keyboard layout. It didn't
seem to work.

Key combos:

Ctrl+Alt+* (num pad) Ctrl+Alt+Shift+8

Both with numlock on and off.

~~~
jgeralnik
I'm using Ubuntu 11.10 and have X.Org 1.10.4; the vulnerability only exists
from 1.10.99.902

------
Adaptive
I often use physlock from X. It drops you to a virtual console and locks from
there.

<https://github.com/muennich/physlock>

~~~
code_duck
I just log out and hit ctrl-alt-f2... sounds similar?

------
NanoWar
Very interesting. How do you find things like this?

~~~
cbs
Ctrl-Alt-Multiply is a known key shortcut. Someone just has to know it exists
and think "I wonder what happens if I use this while the screen is locked".
You can get to that internal question many different ways, but it's worth
mentioning on top of that, the security-minded have trained their brains to be
good at serendipitously coming up with "what happens if I do X and X"
questions.

------
clebio
For some reason, I read 'Android' when I scanned this headline. But since
Android is a linux variant, would this be possible? My phone doesn't have a
physical keyboard, but maybe the Asus Transformer with the attachable
keyboard, for example?

~~~
simcop2387
No, this is an issue specifically with the way X11 works with the Xorg server.
Android doesn't use X11 so would be unaffected by this particular issue.

~~~
clebio
Good point. Sorry to ignore what was already given in the comments. Thanks,
though.

------
Ubersoldat
Doesn't work in Ubuntu Maverick with X.Org 1.7.5

~~~
jgeralnik
If you look at the linked post, the vulnerability was introduced in
1.10.99.902, any earlier versions of X.Org are not affected.

~~~
machrider
In other words, terrible headline on this post. I imagine Arch and Gentoo are
the most likely to be affected, as they tend to run bleeding edge projects.
Most Linux users are unaffected.

~~~
gnosis
My machine runs Gentoo and it's not affected -- because it runs an older
version of Xorg.

Just because the bleeding edge version of Xorg is available on Gentoo doesn't
mean you're forced to use it. You can always decide not to upgrade and stay
with an old version of anything.

On the other hand, if you stay with old versions too long, things might break
when you finally do try to upgrade.

------
patricklynch
Doesn't appear to work on Linux Mint 11 (katya)

~~~
pcvarmint
Nor on LMDE.

------
zalew
Just tested on Debian sid. Damn, it worked.

~~~
babilen
It shouldn't: <http://security-tracker.debian.org/tracker/CVE-2012-0064>

------
shmerl
Posted workaround doesn't really work.

~~~
cbs
I did a bit of googling about this and ran across something that might work
(but I haven't tried it): adjust the AllowClosedownGrabs option in your
xorg.conf file.

~~~
shmerl
No, changing that option doesn't really affect anything.

------
literalusername
Never use an X11 screen locker. Use vlock -san. Problem solved, and several
other problems with it.

~~~
Adaptive
I used vlock for a long time but there were some hangups that caused me to
switch to physlock (mentioned above, but here's the URL:
<https://github.com/muennich/physlock> ). It's in Arch's AUR.

~~~
literalusername
I've been very happy with vlock. What hangups did you run into? I admit that
it has required some scripting to avoid launching it twice concurrently (via
xautolock and pm-utils), and to clear its console before locking, but overall
I find it secure, elegant, and worthwhile. What do you prefer about physlock?

~~~
Adaptive
Suspend related problems. There's a thread of similar issues at
<https://bbs.archlinux.org/viewtopic.php?id=110459>

physlock also eliminated some of the scaffolding code to deal with the
multiple launches, etc. It's just a better tool solving the same problem.
Recommended.

~~~
literalusername
Thanks for the recommendation. I'll definitely bear it in mind for future
installs, but since I put the effort into configuring vlock well, I'd like to
live with it for a while more. I'd actually already read that thread when
configuring vlock on my current box, and I do chvt $(cat /tmp/console.pm) on
resume. It's robust when configured well, but I can see the value in a locker
that requires less configuration time.

------
drivebyacct2
Just reminds me of more usability/security concerns in GNOME.

If you have any popup dialog box open anywhere, it completely inhibits the
screensaver. Try it. Open Rhythmbox and open the volume slider and walk away
from your computer. Open Chrome and open the Google Voice popup box. Your
computer will not go to sleep. Also, it breaks mouse focus and more. The GNOME
developers don't seem to care at all.

~~~
nodata
Please can you post the bugzilla bug number for this?

------
CPlatypus
I tried this on my very recently installed Fedora 16 desktop at home, and it
worked. All of my applications were accessible, alt-tab and other selection
methods worked, etc. The only thing that was missing was the panel at the top,
and I couldn't be bothered figuring out how to bring it back so I just
rebooted. Good thing I don't rely on that feature too much.

