X.org vulnerability allows for locked screen to be bypassed by pressing key combination
By Sathya Bhat on January 19th, 2012

An enterprising user has reported to the seclists.org mailing list a very easy way to bypass a screen locked by a user – merely hitting a few keystrokes.

The user, going by the pseudonym Gu1, has reported that pressing Control + Alt + * (the asterisk key on the numpad) instantly kills most lock screen programs, including gnome-screensaver, kscreenlocker, slock and slimlock, amongst others. Further discussion on the mailing list confirms the vulnerability, which has been given the CVE ID CVE-2012-0064 by the Red Hat security team.

Further digging through the git sources indicates that all X.org server versions upwards of 1.10.99.902 seem to be affected. To test whether or not you’re affected, just lock your screen and press Ctrl + Alt + * (note: you’ll have to hit the * key on the numeric keypad, not the one on the number row above the QWERTY keys).

If you’re on Ubuntu Oneiric Ocelot, i.e., Ubuntu 11.10, then this won’t affect you, since Ubuntu 11.10 runs X.org version 1.10.4.

As a temporary workaround, commenting out the

    interpret XF86_Ungrab {
        action = Private(type=0x86, data="Ungrab");
    };
    interpret XF86_ClearGrab {
        action = Private(type=0x86, data="ClsGrb");
    };

lines in your xfree86 file (typically found in the /usr/share/X11/xkb/compat/ directory) and then running

    setxkbmap $(setxkbmap -query | grep layout | awk '{print $2}')

should fix this for now.
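
The workaround above as a small script, added here as an example and not part of the original post or of X.org: it counts the active XF86_Ungrab / XF86_ClearGrab interpret blocks in a compat file and comments them out with xkb's // syntax, keeping a backup. The function names, the COMPAT_FILE variable and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Path and keysym names are the
# ones the article gives; set COMPAT_FILE to point at a copy when experimenting.
COMPAT_FILE="${COMPAT_FILE:-/usr/share/X11/xkb/compat/xfree86}"
PATTERN='^[[:space:]]*interpret[[:space:]]+XF86_(Ungrab|ClearGrab)[[:space:]]*[{]'

# Print how many grab-breaking interpret blocks are still active (uncommented).
active_grab_blocks() {
    grep -Ec "$PATTERN" "$1" || true
}

# Comment out each matching block, from its "interpret" line through the
# closing "};", using xkb's "//" comments. The original is kept as FILE.bak.
disable_grab_blocks() {
    cp -p "$1" "$1.bak" || return 1
    sed -E "/$PATTERN/,/^[[:space:]]*[}];/ s|^|// |" "$1.bak" > "$1"
}

# Constructed sample of a compat file, for trying the functions without root.
write_sample_compat() {
    cat > "$1" <<'EOF'
default partial xkb_compatibility "basic" {
    interpret XF86_Switch_VT_1 {
        action = SwitchScreen(Screen=1, !SameServer);
    };
    interpret XF86_Ungrab {
        action = Private(type=0x86, data="Ungrab");
    };
    interpret XF86_ClearGrab {
        action = Private(type=0x86, data="ClsGrb");
    };
};
EOF
}

# Usage: script check | script apply   (no argument: only defines the functions)
case "${1:-}" in
    check) echo "active blocks: $(active_grab_blocks "$COMPAT_FILE")" ;;
    apply) disable_grab_blocks "$COMPAT_FILE" &&
           echo "done; now reload the keymap with the setxkbmap command above" ;;
esac
```

A count of 0 from the check means both blocks are already commented out or absent from that file; the keymap still has to be reloaded before a running X session picks up the change.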

Author: Sathya Bhat
Sathyajith aka "Sathya" or "cpg" loves working on computers, and actively participates in many online communities. Sathya is a Community Moderator on Super User, a collaboratively maintained Q&A site which is part of the Stack Exchange network. Sathya also contributes to and is a Super Moderator at Chip India Forums. While not writing SQL queries or coding in PL/SQL, Sathya is also a gamer, a Linux enthusiast, and maintains a blog on Linux & OpenSource. You can reach Sathya on twitter.

Sathya Bhat has written and can be contacted at sathya@techie-buzz.com.
