The French blogger "Gu1" has discovered that versions 1.11 and above of X.org's X Server contain an interesting vulnerability that enables users to gain access to a locked computer. Simultaneously pressing the Ctrl key, the Alt key and the * key on the numeric keyboard disables a user's screensaver and unlocks the computer; we were able to reproduce the problem on a Fedora 16 system that hadn't been updated to include Fedora's recent patch.

According to Gu1, the problem is caused by the "AllowClosedownGrabs" debug option: if it is active, pressing the key combination causes any processes that grab mouse or keyboard inputs to shut down – in this case, the screensaver that usually prevents a locked computer from being accessed.

Gu1 says that the function had existed up to 2008, but at that time it was disabled by default and well-documented. Apparently, the developers even explicitly pointed out the potential security issues that may exist when used in combination with screensavers. Developers were also able to use an API to disallow the function for their processes.

The function was re-introduced last year – "but this time it's enabled by default, not clearly documented and not even configurable easily", noted the blogger. X.org developer Peter Hutterer says that this was caused by a miscommunication within the development team: after the function was re-introduced, the developers failed to remove the keyboard combination from the default keymap.

According to Gu1, all Linux distributions that use version 1.11 of X.Org's X Server are vulnerable and he had managed to reproduce the problem with Debian and GNOME 3, as well as Arch Linux with GNOME 3, Slock and Slimlock. Apparently, KDE can also be unlocked this way.

Phoronix reports that the currently shipping Fedora 16, Debian unstable, Arch Linux and Gentoo distributions are all shipped with the vulnerable version that was released in September 2011. It is also believed that *BSDs and Solaris can also be unlocked using the key combination.

The X version that is being used on a system can be established by entering X -version . Gu1 says that viable workarounds include the manual removal of all mentions of XF86Ungrab and XF86ClearGrab from the xkb configuration file, or using vlock.

(djwm)