# Serious Screensaver Security Problem In X.Org



## aprincefromqueens (Jan 19, 2012)

Posted by Gu1's Website and posted by Michael Larabel

 - Bypass screensaver/locker program on xorg 1.11 and up
Par Gu1 le 19/01/2012 Ã  01:04 tags: low-tech hack, xorg.

Hi, I recently stumbled upon a funny bug^Wfeature in the Xorg server that could allow attackers with physical access to a machine to bypass the screensaver/screen locker program. Most people use those programs to lock their computer when they are away. On Gnome, gnome-screensaver is responsible for this. On KDE, kscreenlocker is. There is a wide variety of smaller tools doing the same thing, e.g. slock, slimlock, i3lock...

All these tools work more or less the same way: they create a new fullscreen X window, raise it on top of the window stack and grab all mouse and keyboard events. They can optionally disable tty switching. This can seem secure at first glance but all those programs rely on the X server to have exclusive access to the input events and keep the window on top. Unfortunately Xorg does not always cooperate.

I will try to describe what i understand from the bug but keep in mind I'm no X11 expert.
A few years ago, a special keybinding was introduced to "kill" windows who grabbed mouse/keyboard, (mostly for testing/debug purposes ?). This functionality was disabled by default, well documented in the man page and an API was written for programs to disallow this behavior:

Option "AllowClosedownGrabs" "boolean"
    This option enables the use of the Ctrl+Alt+Keypad-Multiply key sequence to kill clients with an active keyboard or mouse grab as well as killing any application that may have locked the server, normally using the XGrabServer(3x) Xlib function. Default: off.
    Note that the options AllowDeactivateGrabs and AllowClosedownGrabs will allow users to remove the grab used by screen saver/locker programs. An API was written to such cases. If you enable this option, make sure your screen saver/locker is updated.

This API allowing to disable the keybinding per application was removed in 2008 with the XFree86-Misc extension (commit here and here). Later, the whole AllowClosedownGrabs code was removed (commit) and all reference to it was expunged from the man page (commit). I never knew about those key bindings and I doubt they were widely used anyway.

The functionality seems to have been reintroduced in 2011 (commit here and mailing list message here), but this time it's enabled by default, not clearly documented and not even configurable easily (or maybe i haven't found the right way to do it ?). All distros shipping xorg 1.11 are vulnerable to this....

Quick and dirty fix ? Edit your xkb configuration manually to remove all mentions of XF86Ungrab and XF86ClearGrab. You could also use vlock.


----------



## SirDice (Jan 19, 2012)

If I read everything correctly this problem appears to have been introduced in xorg-server 1.11 which is part of Xorg 7.6. That would mean we FreeBSD users are safe from this as we have Xorg 7.5 and xorg-server 1.7.


----------

