[arch-general] FS#28008 - Bypass screensaver/locker program on xorg 1.11 and up
a funny bug in the Xorg server that could allow attackers with physical access to a machine to bypass the screensaver/screen locker program. Most people use those programs to lock their computer when they are away. On Gnome, gnome-screensaver is responsible for this. On KDE, kscreenlocker is. There is a wide variety of smaller tools doing the same thing, e.g. slock, slimlock, i3lock... Read more: http://gu1.aeroxteam.fr/2012/01/19/bypass-screensaver-locker-program-xorg-11... ctrl+atl+*(on num lock keyboard) confirmed and work in arch linux. -- Best regards, Dmitry Korzhevin Tel: +38 (039) 295-0000 Office Phone: +38 (044) 383-14-12 E-mail: dkorzhevin@lsupport.net Jabber ID: dkorzhevin@lsupport.net Skype: dkorzhevin URL: http://lsupport.net Linux Support LLC
On Fri, Jan 20, 2012 at 12:23 AM, Dmitry Korzhevin <dkorzhevin@lsupport.net> wrote:
ctrl+atl+*(on num lock keyboard) confirmed and work in arch linux.
On a fully updated system? http://mailman.archlinux.org/pipermail/arch-general/2012-January/024298.html
On Thu, Jan 19, 2012 at 6:26 PM, Karol Blazewicz <karol.blazewicz@gmail.com> wrote:
On Fri, Jan 20, 2012 at 12:23 AM, Dmitry Korzhevin <dkorzhevin@lsupport.net> wrote:
ctrl+atl+*(on num lock keyboard) confirmed and work in arch linux.
On a fully updated system? http://mailman.archlinux.org/pipermail/arch-general/2012-January/024298.html
It works on mine as well. Fully updated. David J. Haines dhaines@gmail.com
On Fri, Jan 20, 2012 at 12:28 AM, David J. Haines <dhaines@gmail.com> wrote:
On Thu, Jan 19, 2012 at 6:26 PM, Karol Blazewicz <karol.blazewicz@gmail.com> wrote:
On Fri, Jan 20, 2012 at 12:23 AM, Dmitry Korzhevin <dkorzhevin@lsupport.net> wrote:
ctrl+atl+*(on num lock keyboard) confirmed and work in arch linux.
On a fully updated system? http://mailman.archlinux.org/pipermail/arch-general/2012-January/024298.html
It works on mine as well. Fully updated.
Just to make sure: are you running xkeyboard-config 2.4.1-3?
On Thu, Jan 19, 2012 at 6:30 PM, Karol Blazewicz <karol.blazewicz@gmail.com> wrote:
On Fri, Jan 20, 2012 at 12:28 AM, David J. Haines <dhaines@gmail.com> wrote:
On Thu, Jan 19, 2012 at 6:26 PM, Karol Blazewicz <karol.blazewicz@gmail.com> wrote:
On Fri, Jan 20, 2012 at 12:23 AM, Dmitry Korzhevin <dkorzhevin@lsupport.net> wrote:
ctrl+atl+*(on num lock keyboard) confirmed and work in arch linux.
On a fully updated system? http://mailman.archlinux.org/pipermail/arch-general/2012-January/024298.html
It works on mine as well. Fully updated.
Just to make sure: are you running xkeyboard-config 2.4.1-3?
Yep. David J. Haines dhaines@gmail.com
On Fri, Jan 20, 2012 at 12:32 AM, David J. Haines <dhaines@gmail.com> wrote:
On Thu, Jan 19, 2012 at 6:30 PM, Karol Blazewicz <karol.blazewicz@gmail.com> wrote:
On Fri, Jan 20, 2012 at 12:28 AM, David J. Haines <dhaines@gmail.com> wrote:
On Thu, Jan 19, 2012 at 6:26 PM, Karol Blazewicz <karol.blazewicz@gmail.com> wrote:
On Fri, Jan 20, 2012 at 12:23 AM, Dmitry Korzhevin <dkorzhevin@lsupport.net> wrote:
ctrl+atl+*(on num lock keyboard) confirmed and work in arch linux.
On a fully updated system? http://mailman.archlinux.org/pipermail/arch-general/2012-January/024298.html
It works on mine as well. Fully updated.
Just to make sure: are you running xkeyboard-config 2.4.1-3?
Yep.
Then please ask for reopening of this report https://bugs.archlinux.org/task/28008 and say that you have xkeyboard-config 2.4.1-3 and "the hack" still works.
On 01/20/2012 01:32 AM, David J. Haines wrote:
On Thu, Jan 19, 2012 at 6:30 PM, Karol Blazewicz <karol.blazewicz@gmail.com> wrote:
On Fri, Jan 20, 2012 at 12:28 AM, David J. Haines <dhaines@gmail.com> wrote:
On Thu, Jan 19, 2012 at 6:26 PM, Karol Blazewicz <karol.blazewicz@gmail.com> wrote:
On Fri, Jan 20, 2012 at 12:23 AM, Dmitry Korzhevin <dkorzhevin@lsupport.net> wrote:
ctrl+atl+*(on num lock keyboard) confirmed and work in arch linux.
On a fully updated system? http://mailman.archlinux.org/pipermail/arch-general/2012-January/024298.html
It works on mine as well. Fully updated.
Just to make sure: are you running xkeyboard-config 2.4.1-3?
Yep.
David J. Haines dhaines@gmail.com
have you restarted X since the update? -- Ionuț
Cannot reproduce, using xkeyboard-config 2.4.1-3, xscreensaver with Xfce 4.8. Looks like the testing version has this patched.
On Fri, Jan 20, 2012 at 12:50 AM, Michael Holmes <holmesmich@gmail.com> wrote:
Cannot reproduce, using xkeyboard-config 2.4.1-3, xscreensaver with Xfce 4.8. Looks like the testing version has this patched.
There's none, the only xkeyboard-config we have in the synced mirrors is already in extra: http://www.archlinux.org/packages/?sort=&q=xkeyboard-config&maintainer=&last_update=&flagged=&limit=50
On Thu, Jan 19, 2012 at 6:38 PM, Ionut Biru <ibiru@archlinux.org> wrote:
On 01/20/2012 01:32 AM, David J. Haines wrote:
On Thu, Jan 19, 2012 at 6:30 PM, Karol Blazewicz <karol.blazewicz@gmail.com> wrote:
On Fri, Jan 20, 2012 at 12:28 AM, David J. Haines <dhaines@gmail.com> wrote:
On Thu, Jan 19, 2012 at 6:26 PM, Karol Blazewicz <karol.blazewicz@gmail.com> wrote:
On Fri, Jan 20, 2012 at 12:23 AM, Dmitry Korzhevin <dkorzhevin@lsupport.net> wrote:
ctrl+atl+*(on num lock keyboard) confirmed and work in arch linux.
On a fully updated system? http://mailman.archlinux.org/pipermail/arch-general/2012-January/024298.html
It works on mine as well. Fully updated.
Just to make sure: are you running xkeyboard-config 2.4.1-3?
Yep.
David J. Haines dhaines@gmail.com
have you restarted X since the update?
-- Ionuț
I just restarted, and it's exhibiting the same behavior.
On Fri, Jan 20, 2012 at 1:04 AM, David J. Haines <dhaines@gmail.com> wrote:
I just restarted, and it's exhibiting the same behavior.
Do you have a Happy Hacking Keyboard? ;-)
On 01/19/2012 04:07 PM, Karol Blazewicz wrote:
On Fri, Jan 20, 2012 at 1:04 AM, David J. Haines<dhaines@gmail.com> wrote:
I just restarted, and it's exhibiting the same behavior. Do you have a Happy Hacking Keyboard? ;-) Retract my last statement. I do not have the issue still my bad :(
On 01/19/2012 04:04 PM, David J. Haines wrote:
On Thu, Jan 19, 2012 at 6:38 PM, Ionut Biru<ibiru@archlinux.org> wrote:
On 01/20/2012 01:32 AM, David J. Haines wrote:
On Thu, Jan 19, 2012 at 6:30 PM, Karol Blazewicz <karol.blazewicz@gmail.com> wrote:
On Fri, Jan 20, 2012 at 12:28 AM, David J. Haines<dhaines@gmail.com> wrote:
On Thu, Jan 19, 2012 at 6:26 PM, Karol Blazewicz <karol.blazewicz@gmail.com> wrote:
On Fri, Jan 20, 2012 at 12:23 AM, Dmitry Korzhevin <dkorzhevin@lsupport.net> wrote: > ctrl+atl+*(on num lock keyboard) confirmed and work in arch linux. On a fully updated system? http://mailman.archlinux.org/pipermail/arch-general/2012-January/024298.html It works on mine as well. Fully updated. Just to make sure: are you running xkeyboard-config 2.4.1-3? Yep.
David J. Haines dhaines@gmail.com have you restarted X since the update?
-- Ionuț
I just restarted, and it's exhibiting the same behavior. Happens for me as well, fully updated and restarted.
On 20-01-2012 00:08, Don Juan wrote:
I just restarted, and it's exhibiting the same behavior. Happens for me as well, fully updated and restarted.
Works fine here. Fully up-to-date x86_64, radeon driver, xscreensaver, xfce. -- Mauro Santos
On 19 January 2012 18:23, Dmitry Korzhevin <dkorzhevin@lsupport.net> wrote:
a funny bug in the Xorg server that could allow attackers with physical access to a machine to bypass the screensaver/screen locker program. Most people use those programs to lock their computer when they are away. On Gnome, gnome-screensaver is responsible for this. On KDE, kscreenlocker is. There is a wide variety of smaller tools doing the same thing, e.g. slock, slimlock, i3lock...
Read more: http://gu1.aeroxteam.fr/2012/01/19/bypass-screensaver-locker-program-xorg-11...
ctrl+atl+*(on num lock keyboard) confirmed and work in arch linux.
IMO, it's not an X.Org or configuration bug, it's a bug in all the screen lockers. http://seclists.org/oss-sec/2012/q1/217 -- Tavian Barnes
On Thu, Jan 19, 2012 at 8:08 PM, Tavian Barnes <tavianator@tavianator.com> wrote:
On 19 January 2012 18:23, Dmitry Korzhevin <dkorzhevin@lsupport.net> wrote:
a funny bug in the Xorg server that could allow attackers with physical access to a machine to bypass the screensaver/screen locker program. Most people use those programs to lock their computer when they are away. On Gnome, gnome-screensaver is responsible for this. On KDE, kscreenlocker is. There is a wide variety of smaller tools doing the same thing, e.g. slock, slimlock, i3lock...
Read more: http://gu1.aeroxteam.fr/2012/01/19/bypass-screensaver-locker-program-xorg-11...
ctrl+atl+*(on num lock keyboard) confirmed and work in arch linux.
IMO, it's not an X.Org or configuration bug, it's a bug in all the screen lockers.
http://seclists.org/oss-sec/2012/q1/217
-- Tavian Barnes
No Happy Hacking Keyboard (1996 IBM Model M, baby!), but I do use a custom keyboard layout that allows me to type international letters and switch entirely to a phonetic Cyrillic layout. In playing about, it looks like if your WM (or another program?) grabs the alt key, as does xmonad by default, then the combination won't produce the result. I have Caps Lock send mod4mask (the Windows key), have left Alt send Alt, and right Alt send AltGr. I can kill xscreensaver with Ctrl-Left Alt-Keypad *, but not with Right Alt, which would make sense given the keyboard setup. In the end, though, I think Tavian is right. Before they reintroduced this feature, it was up to applications to disable it themselves, IIRC.
On 20.01.2012 02:18, David J. Haines wrote:
On Thu, Jan 19, 2012 at 8:08 PM, Tavian Barnes <tavianator@tavianator.com> wrote:
On 19 January 2012 18:23, Dmitry Korzhevin <dkorzhevin@lsupport.net> wrote:
a funny bug in the Xorg server that could allow attackers with physical access to a machine to bypass the screensaver/screen locker program. Most people use those programs to lock their computer when they are away. On Gnome, gnome-screensaver is responsible for this. On KDE, kscreenlocker is. There is a wide variety of smaller tools doing the same thing, e.g. slock, slimlock, i3lock...
Read more: http://gu1.aeroxteam.fr/2012/01/19/bypass-screensaver-locker-program-xorg-11...
ctrl+atl+*(on num lock keyboard) confirmed and work in arch linux.
IMO, it's not an X.Org or configuration bug, it's a bug in all the screen lockers.
http://seclists.org/oss-sec/2012/q1/217
-- Tavian Barnes
No Happy Hacking Keyboard (1996 IBM Model M, baby!), but I do use a custom keyboard layout that allows me to type international letters and switch entirely to a phonetic Cyrillic layout.
Please check if your custom layout contains the string "XF86_ClearGrab" (maybe also without the underscore) and if yes, replace it with "NoSymbol". Don't forget to reload it afterwards. -- Florian Pritz
On Jan 20, 2012 2:10 AM, "Florian Pritz" <bluewind@xinu.at> wrote:
On 20.01.2012 02:18, David J. Haines wrote:
On Thu, Jan 19, 2012 at 8:08 PM, Tavian Barnes <tavianator@tavianator.com> wrote:
On 19 January 2012 18:23, Dmitry Korzhevin <dkorzhevin@lsupport.net>
a funny bug in the Xorg server that could allow attackers with
wrote: physical
access to a machine to bypass the screensaver/screen locker program. Most people use those programs to lock their computer when they are away. On Gnome, gnome-screensaver is responsible for this. On KDE, kscreenlocker is. There is a wide variety of smaller tools doing the same thing, e.g. slock, slimlock, i3lock...
Read more:
http://gu1.aeroxteam.fr/2012/01/19/bypass-screensaver-locker-program-xorg-11...
ctrl+atl+*(on num lock keyboard) confirmed and work in arch linux.
IMO, it's not an X.Org or configuration bug, it's a bug in all the screen lockers.
http://seclists.org/oss-sec/2012/q1/217
-- Tavian Barnes
No Happy Hacking Keyboard (1996 IBM Model M, baby!), but I do use a custom keyboard layout that allows me to type international letters and switch entirely to a phonetic Cyrillic layout.
Please check if your custom layout contains the string "XF86_ClearGrab" (maybe also without the underscore) and if yes, replace it with "NoSymbol". Don't forget to reload it afterwards.
-- Florian Pritz
I will be sure to do that, but that does seem only to address the symptom and not the underlying sickness. As I intimated earlier, this is most likely an issue for the app (or more precisely screen locking app) writers. Thanks for what looks to be a great intirim solution!
On Fri, Jan 20, 2012 at 7:53 AM, David J. Haines <dhaines@gmail.com> wrote:
On Jan 20, 2012 2:10 AM, "Florian Pritz" <bluewind@xinu.at> wrote:
On 20.01.2012 02:18, David J. Haines wrote:
On Thu, Jan 19, 2012 at 8:08 PM, Tavian Barnes <tavianator@tavianator.com> wrote:
On 19 January 2012 18:23, Dmitry Korzhevin <dkorzhevin@lsupport.net> wrote:
a funny bug in the Xorg server that could allow attackers with physical access to a machine to bypass the screensaver/screen locker program. Most people use those programs to lock their computer when they are away. On Gnome, gnome-screensaver is responsible for this. On KDE, kscreenlocker is. There is a wide variety of smaller tools doing the same thing, e.g. slock, slimlock, i3lock...
Read more:
http://gu1.aeroxteam.fr/2012/01/19/bypass-screensaver-locker-program-xorg-11...
ctrl+atl+*(on num lock keyboard) confirmed and work in arch linux.
IMO, it's not an X.Org or configuration bug, it's a bug in all the screen lockers.
http://seclists.org/oss-sec/2012/q1/217
-- Tavian Barnes
No Happy Hacking Keyboard (1996 IBM Model M, baby!), but I do use a custom keyboard layout that allows me to type international letters and switch entirely to a phonetic Cyrillic layout.
Please check if your custom layout contains the string "XF86_ClearGrab" (maybe also without the underscore) and if yes, replace it with "NoSymbol". Don't forget to reload it afterwards.
-- Florian Pritz
I will be sure to do that, but that does seem only to address the symptom and not the underlying sickness. As I intimated earlier, this is most likely an issue for the app (or more precisely screen locking app) writers.
Thanks for what looks to be a great intirim solution!
FYI, this interim solution does work. I'll make sure that xscreensaver upstream knows about this issue. David J. Haines dhaines@gmail.com
El 20/01/12 04:10, Florian Pritz escribió:
On 20.01.2012 02:18, David J. Haines wrote:
On Thu, Jan 19, 2012 at 8:08 PM, Tavian Barnes <tavianator@tavianator.com> wrote:
On 19 January 2012 18:23, Dmitry Korzhevin<dkorzhevin@lsupport.net> wrote:
a funny bug in the Xorg server that could allow attackers with physical access to a machine to bypass the screensaver/screen locker program. Most people use those programs to lock their computer when they are away. On Gnome, gnome-screensaver is responsible for this. On KDE, kscreenlocker is. There is a wide variety of smaller tools doing the same thing, e.g. slock, slimlock, i3lock...
Read more: http://gu1.aeroxteam.fr/2012/01/19/bypass-screensaver-locker-program-xorg-11...
ctrl+atl+*(on num lock keyboard) confirmed and work in arch linux. IMO, it's not an X.Org or configuration bug, it's a bug in all the screen lockers.
http://seclists.org/oss-sec/2012/q1/217
-- Tavian Barnes No Happy Hacking Keyboard (1996 IBM Model M, baby!), but I do use a custom keyboard layout that allows me to type international letters and switch entirely to a phonetic Cyrillic layout. Please check if your custom layout contains the string "XF86_ClearGrab" (maybe also without the underscore) and if yes, replace it with "NoSymbol". Don't forget to reload it afterwards.
I did that and it solved the problem with the ctrl+atl+* key combo, but I realized that ctrl+atl+/ does the same thing =( I attach my custom xkbcomp file.
On 20.01.2012 18:38, Sébastien le Preste de Vauban wrote:
El 20/01/12 04:10, Florian Pritz escribió:
On 20.01.2012 02:18, David J. Haines wrote:
On Thu, Jan 19, 2012 at 8:08 PM, Tavian Barnes <tavianator@tavianator.com> wrote:
On 19 January 2012 18:23, Dmitry Korzhevin<dkorzhevin@lsupport.net> wrote:
a funny bug in the Xorg server that could allow attackers with physical access to a machine to bypass the screensaver/screen locker program. Most people use those programs to lock their computer when they are away. On Gnome, gnome-screensaver is responsible for this. On KDE, kscreenlocker is. There is a wide variety of smaller tools doing the same thing, e.g. slock, slimlock, i3lock...
Read more: http://gu1.aeroxteam.fr/2012/01/19/bypass-screensaver-locker-program-xorg-11...
ctrl+atl+*(on num lock keyboard) confirmed and work in arch linux. IMO, it's not an X.Org or configuration bug, it's a bug in all the screen lockers.
http://seclists.org/oss-sec/2012/q1/217
-- Tavian Barnes No Happy Hacking Keyboard (1996 IBM Model M, baby!), but I do use a custom keyboard layout that allows me to type international letters and switch entirely to a phonetic Cyrillic layout. Please check if your custom layout contains the string "XF86_ClearGrab" (maybe also without the underscore) and if yes, replace it with "NoSymbol". Don't forget to reload it afterwards.
I did that and it solved the problem with the ctrl+atl+* key combo, but I realized that ctrl+atl+/ does the same thing =( I attach my custom xkbcomp file.
The 4 debug symbols are: XF86LogGrabInfo, XF86Ungrab, XF86ClearGrab, XF86LogWindowTree Ungrab and ClearGrab can break things, while Log* are pretty harmless. -- Florian Pritz
El 20/01/12 15:07, Florian Pritz escribió:
On 20.01.2012 18:38, Sébastien le Preste de Vauban wrote:
El 20/01/12 04:10, Florian Pritz escribió:
On 20.01.2012 02:18, David J. Haines wrote:
On Thu, Jan 19, 2012 at 8:08 PM, Tavian Barnes <tavianator@tavianator.com> wrote:
On 19 January 2012 18:23, Dmitry Korzhevin<dkorzhevin@lsupport.net> wrote:
a funny bug in the Xorg server that could allow attackers with physical access to a machine to bypass the screensaver/screen locker program. Most people use those programs to lock their computer when they are away. On Gnome, gnome-screensaver is responsible for this. On KDE, kscreenlocker is. There is a wide variety of smaller tools doing the same thing, e.g. slock, slimlock, i3lock...
Read more: http://gu1.aeroxteam.fr/2012/01/19/bypass-screensaver-locker-program-xorg-11...
ctrl+atl+*(on num lock keyboard) confirmed and work in arch linux. IMO, it's not an X.Org or configuration bug, it's a bug in all the screen lockers.
http://seclists.org/oss-sec/2012/q1/217
-- Tavian Barnes No Happy Hacking Keyboard (1996 IBM Model M, baby!), but I do use a custom keyboard layout that allows me to type international letters and switch entirely to a phonetic Cyrillic layout. Please check if your custom layout contains the string "XF86_ClearGrab" (maybe also without the underscore) and if yes, replace it with "NoSymbol". Don't forget to reload it afterwards.
I did that and it solved the problem with the ctrl+atl+* key combo, but I realized that ctrl+atl+/ does the same thing =( I attach my custom xkbcomp file. The 4 debug symbols are: XF86LogGrabInfo, XF86Ungrab, XF86ClearGrab, XF86LogWindowTree
Ungrab and ClearGrab can break things, while Log* are pretty harmless.
Thanks, removing all references to Ungrab and ClearGrab solved the problem.
On 20.01.2012 02:08, Tavian Barnes wrote:
On 19 January 2012 18:23, Dmitry Korzhevin <dkorzhevin@lsupport.net> wrote:
a funny bug in the Xorg server that could allow attackers with physical access to a machine to bypass the screensaver/screen locker program. Most people use those programs to lock their computer when they are away. On Gnome, gnome-screensaver is responsible for this. On KDE, kscreenlocker is. There is a wide variety of smaller tools doing the same thing, e.g. slock, slimlock, i3lock...
Read more: http://gu1.aeroxteam.fr/2012/01/19/bypass-screensaver-locker-program-xorg-11...
ctrl+atl+*(on num lock keyboard) confirmed and work in arch linux.
IMO, it's not an X.Org or configuration bug, it's a bug in all the screen lockers.
http://cgit.freedesktop.org/xorg/xserver/commit/?id=1a573e402ec112913a404f09... http://cgit.freedesktop.org/xorg/xserver/commit/?id=22e64108ec63ba77779891f8... -- Florian Pritz
Am 20.01.2012 02:08, schrieb Tavian Barnes:
IMO, it's not an X.Org or configuration bug, it's a bug in all the screen lockers.
This post is horribly wrong. 1) The documentation cited is from Xorg 6.8, which is terribly old. 2) The options cited do not exist anymore. 3) With the removal of the 'misc' extension, the API to disable these features does not exist anymore. Even when the options still existed, the documentation was updated accordingly, see [1]. So, you are wrong, the screen lockers have no way to fight this. Disabling these keys in keymaps is not an interim solution, but the final one. [1] http://cgit.freedesktop.org/xorg/xserver/commit/?id=1a573e402ec112913a404f09...
I stand corrected in my "interim" language. David J. Haines dhaines@gmail.com On Fri, Jan 20, 2012 at 10:56 AM, Thomas Bächler <thomas@archlinux.org> wrote:
Am 20.01.2012 02:08, schrieb Tavian Barnes:
IMO, it's not an X.Org or configuration bug, it's a bug in all the screen lockers.
This post is horribly wrong.
1) The documentation cited is from Xorg 6.8, which is terribly old. 2) The options cited do not exist anymore. 3) With the removal of the 'misc' extension, the API to disable these features does not exist anymore. Even when the options still existed, the documentation was updated accordingly, see [1].
So, you are wrong, the screen lockers have no way to fight this. Disabling these keys in keymaps is not an interim solution, but the final one.
[1] http://cgit.freedesktop.org/xorg/xserver/commit/?id=1a573e402ec112913a404f09...
participants (11)
-
David J. Haines
-
Dmitry Korzhevin
-
Don Juan
-
Florian Pritz
-
Ionut Biru
-
Karol Blazewicz
-
Mauro Santos
-
Michael Holmes
-
Sébastien le Preste de Vauban
-
Tavian Barnes
-
Thomas Bächler