
Gu1's Website - Bypass screensaver/locker program on xorg 1.11 and up

By Gu1 on 19/01/2012 at 01:04, tags: low-tech hack, xorg.

update 20/01/2012 18:45 CET: Peter Hutterer, an X.org developer, posted an interesting article about this.

Hi, I recently stumbled upon a funny bug^Wfeature in the Xorg server that could allow attackers with physical access to a machine to bypass the screensaver/screen locker program. Most people use those programs to lock their computer when they are away. On Gnome, gnome-screensaver is responsible for this. On KDE, kscreenlocker is. There is a wide variety of smaller tools doing the same thing, e.g. slock, slimlock, i3lock...

All these tools work more or less the same way: they create a new fullscreen X window, raise it on top of the window stack and grab all mouse and keyboard events. They can optionally disable tty switching. This can seem secure at first glance but all those programs rely on the X server to have exclusive access to the input events and keep the window on top. Unfortunately Xorg does not always cooperate.

I will try to describe what I understand of the bug, but keep in mind I'm no X11 expert.
A few years ago, a special key binding was introduced to "kill" windows that grabbed the mouse/keyboard (mostly for testing/debug purposes?). This functionality was disabled by default and well documented in the man page, and an API was written so that programs could disallow this behavior:

Option "AllowClosedownGrabs" "boolean"
    This option enables the use of the Ctrl+Alt+Keypad-Multiply key sequence to kill clients with an active keyboard or mouse grab as well as killing any application that may have locked the server, normally using the XGrabServer(3x) Xlib function. Default: off.
    Note that the options AllowDeactivateGrabs and AllowClosedownGrabs will allow users to remove the grab used by screen saver/locker programs. An API was written to such cases. If you enable this option, make sure your screen saver/locker is updated.

This API, which let an application disable the key binding for itself, was removed in 2008 along with the XFree86-Misc extension (commit here and here). Later, the whole AllowClosedownGrabs code was removed (commit) and all references to it were expunged from the man page (commit). I never knew about those key bindings and I doubt they were widely used anyway.

The functionality seems to have been reintroduced in 2011 (commit here and mailing list message here), but this time it is enabled by default, not clearly documented and not easily configurable (or maybe I haven't found the right way to do it?). All distros shipping xorg 1.11 (e.g. Arch Linux, Debian Wheezy) are vulnerable to this. I can reproduce the bug on Debian (Gnome 3), Arch Linux with Gnome 3, slock and slimlock. KDE is also vulnerable according to a friend.

Quick and dirty fix? Edit your xkb configuration manually to remove all mentions of XF86Ungrab and XF86ClearGrab. You could also use vlock.

By teach on 19/01/2012 at 06:11

There you go, you've got your CVE for the hes :-]. Nice one
PS: 05:58 < XXXXX> it doesn't work on Windows, in any case


By Viliam Pucik on 19/01/2012 at 14:21

Try Alock [https://aur.archlinux.org/packages.php?ID=21382]. It fixed the issue in 2009 [http://code.google.com/p/alock/source/browse/CHANGELOG.txt]


By Michael Shigorin on 19/01/2012 at 15:53

XF86_Ungrab and XF86_ClearGrab (note the underscore, please fix up) references are in /usr/share/X11/xkb/compat/xfree86 from xkeyboard-config package here in ALT Linux Sisyphus; confirmed on xorg-server-1.11.3, thanks.


By Anonymous on 19/01/2012 at 23:24

Next time, maybe you should follow good etiquette and report security bugs to developers before disclosing them to the world...


By Gu1 on 20/01/2012 at 00:00

Anonymous: The only reason I disclosed this bug in the first place is because ZDI wasn't offering enough :)
Who cares about responsible disclosure anyway... Dealing with vendors is a pain.


By fremdkoerperfalle on 20/01/2012 at 19:53

Hello Gu1

The Ctrl+Alt+Keypad-Division is also possible on my system.

Debian Wheezy

X.Org X Server 1.11.3.901

Best regards!


By fremdkoerperfalle on 20/01/2012 at 20:52

Hi again!

Sorry, saw the update too late.


By André Vitor Matos on 20/01/2012 at 22:31

Arch had fixed this: http://projects.archlinux.org/svntogit/packages.git/log/trunk?h=packages/xkeyboard-config


By NK on 22/02/2012 at 11:35

@Anonymous:

Next time, maybe you should follow good etiquette and give a real nickname/name before criticizing a report which seems to be appreciated:
https://lwn.net/Articles/477062/


By jazz on 16/07/2012 at 17:54

obviously NOT fixed if it's ENABLED by DEFAULT..probably some ape working on X11 in GDM3 that has ISSUES with NX bits and gnome-session3...I noticed this in Fedora when using NSELinux modules.



©opyleft Gu1ll4um3r0m41n, 2008-2010.