Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: Screen locking programs on Xorg 1.11
From: Sebastian Pipping <sebastian () pipping org>
Date: Thu, 19 Jan 2012 08:45:51 +0100

On 01/19/2012 01:03 AM, Gu1 wrote:
Hi,
I recently found out that it is possible to kill a screensaver/screen
locker program on the latest version of Xorg (1.11 shipped with
archlinux, debian wheezy..) using the Ctrl+Alt+Multiply key binding.

I was able to reproduce it with Xorg 1.11.3 on Gentoo.
It didn't work for multiply from shift+plus (German keyboard layout) but
the keypad's plus (involving Num lock) did bypass the password dialog.
Scary!


This behavior seems to have been introduced in a recent commit[1] and i
couldn't find a way to disable it.

All screen locking programs i tested (gnome-screensaver, kscreenlocker,
slock, slimlock...), are basically rendered useless.

Thanks for not keeping this to yourself.  I'm really glad to know.


[1]:
http://cgit.freedesktop.org/xorg/xserver/commit/?id=7d2543a3cb3089241982ce4f8984fd723d5312a1

I found the commit on branch master, see here:

  http://cgit.freedesktop.org/xorg/xserver/log/?ofs=650

The first tag coming later in time seems to be xorg-server-1.10.99.902
on page before:

  http://cgit.freedesktop.org/xorg/xserver/log/?ofs=600

I looked for function PrintDeviceGrabInfo introduced by the commit you
pointed to:

  # grep -Rl '^PrintDeviceGrabInfo' \
        xorg-server-1.10.3.901 \
        xorg-server-1.10.99.902 \
        xorg-server-1.11.3
  xorg-server-1.10.99.902/dix/grabs.c
  xorg-server-1.11.3/dix/grabs.c

So from a superficial analysis anything since 1.10.99.902 could be
vulnerable.

Best,



Sebastian


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault