A very interesting, and potentially very harmful, vulnerability has been discovered in X.orgs's X Server that allows users to gain access to a locked computer. By pressing the Ctrl key, Alt key and * key simultaneously one can disable a user's screensaver and unlock the computer, a glitch discovered by French blogger "Gu1". The technique has already been verified to work on versions 1.11 and higher of X.org's X Server.
According to Gu1, the vulnerability is caused by something known as the "AllowClosedownGrabs" debug option. If this debug option is activated, pressing that key combination will cause any processes that calculate mouse or keyboard inputs to shut down. In the case of the key inputs above, the computer's screensaver, which usually prevents a locked computer from being accessed, is disabled.
Gu1 also says that this debug option had existed up until 2008, though at that time it was disabled by default and well-documented. It has also been mentioned that the developers explicitly pointed out the potential security problems that may arise when this is used in combination with screensavers. In addition to that, developers were able to use an API to disallow the function for their processes.
The function was re-introduced last year though was enabled by default and was not clearly documented and not easily configurable according to Gu1. Developer at X.org Peter Hutterer stated, "This was caused by a miscommunication within the development team." After the function was re-introduced, developers failed in removing the keyboard combination from the default keymap.
Gu1 also mentioned that any Linux distributions that use version X Server v1.11 are vulnerable and added that he was able to reproduce the problem with Debian and GNOME 3 and even with Arch Linux and GNOME 3 and Slock and Slimlock. It is also reported that KDE can also be unlocked this way.
Source: The H - X.org server allows anyone to unlock computer
According to Gu1, the vulnerability is caused by something known as the "AllowClosedownGrabs" debug option. If this debug option is activated, pressing that key combination will cause any processes that calculate mouse or keyboard inputs to shut down. In the case of the key inputs above, the computer's screensaver, which usually prevents a locked computer from being accessed, is disabled.
Gu1 also says that this debug option had existed up until 2008, though at that time it was disabled by default and well-documented. It has also been mentioned that the developers explicitly pointed out the potential security problems that may arise when this is used in combination with screensavers. In addition to that, developers were able to use an API to disallow the function for their processes.
The function was re-introduced last year though was enabled by default and was not clearly documented and not easily configurable according to Gu1. Developer at X.org Peter Hutterer stated, "This was caused by a miscommunication within the development team." After the function was re-introduced, developers failed in removing the keyboard combination from the default keymap.
Gu1 also mentioned that any Linux distributions that use version X Server v1.11 are vulnerable and added that he was able to reproduce the problem with Debian and GNOME 3 and even with Arch Linux and GNOME 3 and Slock and Slimlock. It is also reported that KDE can also be unlocked this way.
Source: The H - X.org server allows anyone to unlock computer