Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: Screen locking programs on Xorg 1.11
From: Tim Zingelman <tez () netbsd org>
Date: Thu, 19 Jan 2012 17:35:23 -0600

On Thu, Jan 19, 2012 at 1:18 PM, Florian Weimer <fw () deneb enyo de> wrote:
I recently found out that it is possible to kill a screensaver/screen
locker program on the latest version of Xorg (1.11 shipped with
archlinux, debian wheezy..) using the Ctrl+Alt+Multiply key binding.

This used to be, uhm, common knowledge:

| Option "AllowDeactivateGrabs" "boolean"
|     This option enables the use of the Ctrl+Alt+Keypad-Divide key
|     sequence to deactivate any active keyboard and mouse
|     grabs. Default: off.
|
| Option "AllowClosedownGrabs" "boolean"
|     This option enables the use of the Ctrl+Alt+Keypad-Multiply key
|     sequence to kill clients with an active keyboard or mouse grab as
|     well as killing any application that may have locked the server,
|     normally using the XGrabServer(3x) Xlib function. Default: off.
|
|     Note that the options AllowDeactivateGrabs and AllowClosedownGrabs
|     will allow users to remove the grab used by screen saver/locker
|     programs. An API was written to such cases. If you enable this
|     option, make sure your screen saver/locker is updated.

<http://www.x.org/archive/X11R6.8.1/doc/Xorg.1.html>

The API in question appears to be XF86MiscSetGrabKeysState:

<http://cvsweb.xfree86.org/cvsweb/xc/programs/Xserver/hw/xfree86/XF86Config.man?hideattic=0#rev1.6>

Given this additional information isn't this a vulnerability issue in
the various screen lock applications rather than an issue with the
Xorg server?

 - Tim


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]