[ISN] The ease of (ab)using X11, Part 2

InfoSec News isn at c4i.org
Wed Jun 9 06:06:52 EDT 2004 

+------------------------------------------------------------------+
|  Linux Security: Tips, Tricks, and Hackery        08-June-2004   |
|  Published by Onsight, Inc.                             Edition  |
|                                                                  |
|  http://www.hackinglinuxexposed.com/articles/20040608.html       |
+------------------------------------------------------------------+

This issue sponsored by LinuxQuestions.org.

LinuxQuestions.org offers a free, friendly and active Linux Community
with over 85,000 members from newbies to experts. We have forums,
quizzes, reviews, tutorials, links and much more. Many of our forums
are officially recognized, such as Arch, Conectiva, Fedora, Libranet,
Linux From Scratch, Mandrake, Red Hat, Slackware, and VectorLinux. If
you have Linux questions or want to help out the Linux community,
come by http://www.LinuxQuestions.org.

--------------------------------------------------------------------

The ease of (ab)using X11, Part 2
By Brian Hatch

Summary: Abusing X11 for fun and passwords.
                               ------

Last time we looked at how you can get access to an X11 server, the
desktop software you are using when you're running graphical
environments like Gnome or KDE. When you have access to the X11
server, you can do some remarkable things. As an example, I
previously showed you how to open an xterm on the users screen to
leave them a message. Rather than use an xterm, it's much easier to
use xmessage[1], which will pop up a window and can even have
programmable buttons.

So, using xmessage as our target program, let's recap. First, log
into the victim's desktop, become root, and set up your environment
to access his X11 server:

  home$ ssh victim_desktop
  victim$ sudo /bin/ksh

  victim\# XAUTHORITY=/home/fernando/.Xauthority
  victim\# export XAUTHORITY
  victim\# DISPLAY=:0
  victim\# export DISPLAY

At this point, you have access to the server and can do anything, for
example running xmessage:

  victim\# xmessage "Hey, Fernando, don't forget to walk the dog."

You won't see anything of course - the window went on Fernando's
screen.

Ok, so you can plop up some windows, big deal, right? What fun is
that? Here are some other fun things you could do:

xsetbg filename
    Don't like the desktop background? Change it easily with xsetbg.
    Can have a particularly disastrous effect on a machine at work
    depending on the content you choose.

xlsclients -l
    Provides you a list of all X11 clients that are running on the
    machine. The output includes the window id that you'll need for
    some commands below.

      # xlsclients -l
      Window 0x180000d:
        Command:  /usr/X11R6/bin/kterm
        Instance/Class:  kterm/KTerm
      Window 0x1200001:
        Name:  MozillaFirefox-bin
        Command:  /usr/lib/mozilla-firebird/MozillaFirefox-bin
        Instance/Class:  MozillaFirefox-bin/MozillaFirefox-bin
      Window 0x2d0000d:
        Name:  xine
        Icon Name:  kterm
        Command:  /usr/bin/xine
        Instance/Class:  xine/Xine

xwininfo -id windowid
    Display verbose information about existing window, such as the
    title name, size, location, etc. This gives you more information
    for finding the window you're interested in for any of the other
    commands below that use windowids.

xkill -id windowid
    A quick and efficient way to kill X11 windows. Purely a malicious
    activity.

xwd
    xwd is an X window dumper - it dumps a screen shot of any window
    you request, or the whole screen. When used interactively, it
    will let you move the mouse and click on the window in which
    you're interested. If you want a specific window, you can specify
    it with xwd -id windowid, or you can choose the root window with
    xwd -root. To be surreptitious, you probably want to use -silent
    as well, to keep it from ringing the bell.

    So, the following would give you a screen shot of the entire
    desktop, and convert it to a .png file for viewing on your
    machine:

      # xwd -root -silent - | convert - fernando.png

xev -id windowid
    xev can attach to an existing window and show you all X11 events
    that occur. Great for seeing in which windows the user is active.
    Since keypresses are events, you can see everything they type,
    though it's not the cleanest way, we'll see better options later.

xkey
    This one is not a part of your standard X11 distribution, however
    you can easily find the source code via google. Xkey will watch
    for X11 keyboard events and prints the characters to the screen -
    a great way for sniffing the keyboard for passwords, as seen
    here:

      # xkey
      s -la
      cd <<Shift_R>>~
      convert /tmp/rack.jpg network-rack.png
      scp network-rack.png isp.example.net<<Shift_R>>:
      d<<Shift_R>>@r<<Shift_L>>Pane<<Shift_L>>T
      ssh isp.example.net
      d<<Shift_R>>@r<<Shift_L>>Pane<<Shift_L>>T
      mutt -a network-rack.png

    In the output above, you get to see in gory detail exactly what
    the user is typing -- not only do you get to see that the
    password for the account at isp.example.net is d at rPaneT,[2] but
    you can see exactly which shift keys (left or right) were used in
    the attempt.

x2x
    Using x2x, you can connect your mouse and keyboard to their
    display. You can use this to either play games by moving their
    mouse around, or more maliciously you can use this to send input
    to their windows.[3] For example, use xev to determine they're
    not doing anything, and then start typing in their shell. Start
    up a netcat daemon in listen mode, connect to their machine on
    that port and have straight shell access to their account.
    Anything's possible.

x0rfbserver
    Want full blown access to the X11 server? Run an x0rfbserver on
    their display and you can connect to it with a vnc client to have
    complete control of their desktop. Valid for helping folks out
    remotely, but deadly when done maliciously.

Hopefully this gives you a good idea why it's so very bad to allow
access to your X11 server.

Next time I'll address how you can keep your X11 server safe, and how
your X11 server may not be safe even if your desktop is completely
locked down; even if no one has access -- much less root access -- to
it.

NOTES:

[1] I have slapped myself appropriately for having forgotten the
proper tool and announcing my ignorance to the world. Thanks to the
dozen people who reminded me what I was looking for, you're clearly
on the ball more than I.

[2] You need to ignore the <<Shift_>> entries in the output - you can
prevent them from being displayed by editing the xkey.c source code

[3] If you aren't in a window, you can move your mouse (on their
screen) around until you are -- you can see which window is active by
using xdpyinfo | grep focus.

                            -------------
Brian Hatch is Chief Hacker at Onsight, Inc and author of Hacking
Linux Exposed and Building Linux VPNs. He looks back on his college
days of playing xtank at 3am and wonders "Did anyone steal my
passwords when we all ran 'xhost +' " ? Brian can be reached at
brian at hackinglinuxexposed.com.

--------------------------------------------------------------------
This newsletter is distributed by Onsight, Inc.

The list is managed with MailMan (http://www.list.org). You can
subscribe, unsubscribe, or change your password by visiting
http://lists.onsight.com/ or by sending email to
linux_security-request at lists.onsight.com.

Archives of this and previous newsletters are available at
http://www.hackinglinuxexposed.com/articles/

--------------------------------------------------------------------

Copyright 2004, Brian Hatch.

More information about the ISN mailing list