1. Computers
  2. Display Drivers
  3. Graphics Cards
  4. Memory
  5. Motherboards
  6. Processors
  7. Software
  8. Storage
  9. Operating Systems


Facebook RSS Twitter Twitter Google Plus


Phoronix Test Suite

OpenBenchmarking.org

An Easy But Serious Screensaver Security Problem In X.Org

X.Org

Published on 18 January 2012 10:52 PM EST
Written by Michael Larabel in X.Org
24 Comments

I've been alerted this afternoon that there's an outstanding security vulnerability within the current X.Org Server that's receiving little attention. This active vulnerability could allow anyone with physical access to your system to easily bypass the desktop's screen lock regardless of your desktop environment.

A blog post at aeroxteam.fr initially uncovered and detailed this apparent vulnerability. A commit to XKB for X.Org Server 1.11 adds a few debug key actions for grabs and the window tree. One of the four new XKB actions allowed is killing clients with active grabs, which is what most (or perhaps all) desktop environment screensavers rely upon for their screensaver lock -- just ensuring they have the top window and are catching all input events. One of the other four options is unleashing all active grabs. While a debugging feature, both of these are appearing by default in some of the leading Linux distributions.

CTRL+ALT+F10 by default in the xorg-server will now ungrab all currently active grabs and CTRL+ALT+F11 will kill clients with active grabs, if you're running a stock XKB map. (Additionally as part of this commit, CTRL+ALT+F9 will print active grabs to the log file and CTRL+ALT+F12 will dump the current window tree to the log file). Another option is using CTRL+ALT+Keypad-Multiply for this bug. This is on X.Org Server 1.11 and it also is appearing that way in the Git for what will become X.Org Server 1.12 this March. This code was previously in the X.Org Server tree years ago as a debugging utility too, but back then it was disabled by default and only could be enabled if set within the xorg.conf.

As mentioned in the aforelinked blog post by "Gu1", this new debugging functionality isn't clearly documented nor can it even be disabled easily. To disable this screensaver workaround, you must edit the XKB keyboard mapping configuration manually to remove XF86Ungrab and XF86ClearGrab mentions. The commit was authored by Daniel Stone and sent into the xserver Git this past June.

An Easy But Serious Screensaver Security Problem In X.Org
Working on X while drinking Phoronix beer... A bad combination? XDC2011 Chicago.

X.Org Server 1.11+ users are affected, which is currently shipping in Fedora 16, is to be shipping in Ubuntu 12.04 LTS, Debian unstable, Arch Linux, Gentoo, and others. X.Org Server 1.11 was released last September prior to XDC2011 Chicago. GNOME 3.x and KDE 4.x are among the desktop environments affected by this security snafu.

Embedded below is an iPhone video I quickly recorded tonight after carrying out a clean install of Debian "Wheezy" on one of the Phoronix systems. Wheezy is currently using X.Org Server 1.11.1 and tested was the GNOME Shell. No package or configuration changes were made to the Debian Linux installation. After locking the screen of the Debian desktop, it was simply a matter of pressing the CTRL+ALT+Keypad-Multiply combination and you're back at the desktop without inputting any password.


In summary, if your Linux distribution is using X.Org Server 1.11+ -- it's been out there for four months ago while the commit introducing the potential problem has been in Git since last June -- (you can find out by running X -version) and the XKB mapping has the standard debugging features, you may be at risk of your screensaver lock being useless if anyone were to just hit a simple keyboard combination, since then they can be brought to your desktop with full access and no password being needed. This problem wouldn't be limited to Linux but any operating system using the modern (v1.11+) X.Org Server, such as the *BSDs and Solaris.

At least the Wayland Display Server hopes to have a proper screensaver implementation...

Update: This issue is additionally being confirmed now within the forums.

About The Author
Michael Larabel is the principal author of Phoronix.com and founded the web-site in 2004 with a focus on enriching the Linux hardware experience and being the largest web-site devoted to Linux hardware reviews, particularly for products relevant to Linux gamers and enthusiasts but also commonly reviewing servers/workstations and embedded Linux devices. Michael has written more than 10,000 articles covering the state of Linux hardware support, Linux performance, graphics hardware drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated testing software. He can be followed via and or contacted via .
Latest Linux Hardware Reviews
  1. 13-Way Low-End GPU Comparison With AMD's AM1 Athlon
  2. ASUS AM1I-A: A Mini-ITX Board For Socketed Kabini APUs
  3. Mini-Box M350: A Simple, Affordable Mini-ITX Case
  4. Overclocking The AMD AM1 Athlon & Sempron APUs
Latest Linux Articles
  1. Ubuntu 12.04.4 vs. 13.10 vs. 14.04 LTS Desktop Benchmarks
  2. AMD OpenCL Performance With AM1 Kabini APUs
  3. A Quick Look At GCC 4.9 vs. LLVM Clang 3.5
  4. Are AMD Athlon/Sempron APUs Fast Enough For Steam On Linux?
Latest Linux News
  1. Getting Hit By The Variable Performance Of The Public Cloud
  2. Git 2.0 Test Releases Begin With Many Changes
  3. Wine 1.7.17 Works On Its Task Scheduler, C Run-Time
  4. The Improv ARM Board Still Isn't Shipping; Riding A Dead Horse?
  5. Debian To Maintain 6.0 Squeeze As An LTS Release
  6. Wasteland 2 Is Finally Released For Linux Gamers
  7. FreeBSD Advances For ARM, Bhyve, Clang
  8. Ubuntu 14.04 LTS "Trusty Tahr" Officially Released
  9. Ubuntu 12.04 LTS vs. 14.04 LTS Server Benchmarks
  10. QEMU 2.0 Released With ARM, x86 Enhancements
  11. Running The Unity 8 Preview Session On Ubuntu 14.04 LTS
  12. R600 Gallium3D Disables LLVM Back-End By Default
Latest Forum Discussions
  1. Suggestions about how to make a Radeon HD 7790 work decently?
  2. The GNOME Foundation Is Running Short On Money
  3. Updated and Optimized Ubuntu Free Graphics Drivers
  4. Radeon 8000M problematic on Linux?
  5. Linux Kernel Developers Fed Up With Ridiculous Bugs In Systemd
  6. After Jack Keane, RuseSoft will briing Ankh 3 to Linux through Desura
  7. Suspected PHP Proxy Issue
  8. Change installation destination from home directory