[ISN] The ease of (ab)using X11, Part 2

From: InfoSec News (isn@private)
Date: Wed Jun 09 2004 - 03:06:52 PDT


    +------------------------------------------------------------------+
    |  Linux Security: Tips, Tricks, and Hackery        08-June-2004   |
    |  Published by Onsight, Inc.                             Edition  |
    |                                                                  |
    |  http://www.hackinglinuxexposed.com/articles/20040608.html       |
    +------------------------------------------------------------------+
    
    This issue sponsored by LinuxQuestions.org.
    
    LinuxQuestions.org offers a free, friendly and active Linux Community
    with over 85,000 members from newbies to experts. We have forums,
    quizzes, reviews, tutorials, links and much more. Many of our forums
    are officially recognized, such as Arch, Conectiva, Fedora, Libranet,
    Linux From Scratch, Mandrake, Red Hat, Slackware, and VectorLinux. If
    you have Linux questions or want to help out the Linux community,
    come by http://www.LinuxQuestions.org.
    
    --------------------------------------------------------------------
    
    The ease of (ab)using X11, Part 2
    By Brian Hatch
    
    Summary: Abusing X11 for fun and passwords.
                                   ------
    
    Last time we looked at how you can get access to an X11 server, the
    desktop software you are using when you're running graphical
    environments like Gnome or KDE. When you have access to the X11
    server, you can do some remarkable things. As an example, I
    previously showed you how to open an xterm on the user's screen to
    leave them a message. Rather than use an xterm, it's much easier to
    use xmessage[1], which will pop up a window and can even have
    programmable buttons.
    
    So, using xmessage as our target program, let's recap. First, log
    into the victim's desktop, become root, and set up your environment
    to access his X11 server:
    
      home$ ssh victim_desktop
      victim$ sudo /bin/ksh
    
      victim# XAUTHORITY=/home/fernando/.Xauthority
      victim# export XAUTHORITY
      victim# DISPLAY=:0
      victim# export DISPLAY
    
    At this point, you have access to the server and can do anything, for
    example running xmessage:
    
      victim# xmessage "Hey, Fernando, don't forget to walk the dog."
    
    You won't see anything of course - the window went on Fernando's
    screen.
    
    Ok, so you can plop up some windows, big deal, right? What fun is
    that? Here are some other fun things you could do:
    
    xsetbg filename
        Don't like the desktop background? Change it easily with xsetbg.
        Can have a particularly disastrous effect on a machine at work
        depending on the content you choose.
    
    xlsclients -l
        Provides a list of all X11 clients that are running on the
        machine. The output includes the window id that you'll need for
        some commands below.
    
          # xlsclients -l
          Window 0x180000d:
            Command:  /usr/X11R6/bin/kterm
            Instance/Class:  kterm/KTerm
          Window 0x1200001:
            Name:  MozillaFirefox-bin
            Command:  /usr/lib/mozilla-firebird/MozillaFirefox-bin
            Instance/Class:  MozillaFirefox-bin/MozillaFirefox-bin
          Window 0x2d0000d:
            Name:  xine
            Icon Name:  kterm
            Command:  /usr/bin/xine
            Instance/Class:  xine/Xine
    
    xwininfo -id windowid
        Display verbose information about an existing window, such as the
        title name, size, location, etc. This gives you more information
        for finding the window you're interested in for any of the other
        commands below that use windowids.
    
    xkill -id windowid
        A quick and efficient way to kill X11 windows. Purely a malicious
        activity.
    
    xwd
        xwd is an X window dumper - it dumps a screen shot of any window
        you request, or the whole screen. When used interactively, it
        will let you move the mouse and click on the window in which
        you're interested. If you want a specific window, you can specify
        it with xwd -id windowid, or you can choose the root window with
        xwd -root. To be surreptitious, you probably want to use -silent
        as well, to keep it from ringing the bell.
    
        So, the following would give you a screen shot of the entire
        desktop, and convert it to a .png file for viewing on your
        machine:
    
          # xwd -root -silent | convert - fernando.png
    
    xev -id windowid
        xev can attach to an existing window and show you all X11 events
        that occur. Great for seeing in which windows the user is active.
        Since keypresses are events, you can see everything they type,
        though it's not the cleanest way; we'll see better options later.
    
    xkey
        This one is not a part of your standard X11 distribution; however,
        you can easily find the source code via google. Xkey watches
        for X11 keyboard events and prints the characters to the screen -
        a great way for sniffing the keyboard for passwords, as seen
        here:
    
          # xkey
          s -la
          cd <<Shift_R>>~
          convert /tmp/rack.jpg network-rack.png
          scp network-rack.png isp.example.net<<Shift_R>>:
          d<<Shift_R>>@r<<Shift_L>>Pane<<Shift_L>>T
          ssh isp.example.net
          d<<Shift_R>>@r<<Shift_L>>Pane<<Shift_L>>T
          mutt -a network-rack.png
    
        In the output above, you get to see in gory detail exactly what
        the user is typing -- not only do you get to see that the
        password for the account at isp.example.net is d@rPaneT,[2] but
        you can see exactly which shift keys (left or right) were used in
        the attempt.
    
    x2x
        Using x2x, you can connect your mouse and keyboard to their
        display. You can use this to either play games by moving their
        mouse around, or more maliciously you can use this to send input
        to their windows.[3] For example, use xev to determine they're
        not doing anything, and then start typing in their shell. Start
        up a netcat daemon in listen mode, connect to their machine on
        that port and have straight shell access to their account.
        Anything's possible.
    
    x0rfbserver
        Want full blown access to the X11 server? Run an x0rfbserver on
        their display and you can connect to it with a vnc client to have
        complete control of their desktop. Valid for helping folks out
        remotely, but deadly when done maliciously.
    
    Hopefully this gives you a good idea why it's so very bad to allow
    access to your X11 server.
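    As an added check (example code, not from the article or from Onsight), the two shell functions below test the conditions the access path above depends on: whether xhost has opened the server to other hosts, and whether the .Xauthority cookie file can be read by anyone besides its owner. They assume a POSIX shell with awk and find; xhost output is read from stdin so the check also runs on captured text.

```shell
#!/bin/sh
# Added example, not part of the original article: audit how reachable
# this X11 server is. Assumes awk, find with -perm -g+r, and xhost(1)
# output in its usual form ("access control enabled/disabled, ..." on
# the first line, one granted entry such as INET:host per later line).

# Exit 0 (exposed) when the xhost report shows access control disabled
# or any network host (INET:/INET6:) granted; exit 1 otherwise.
xhost_exposed() {
    awk '
        # first line states the access-control mode
        NR == 1 && /access control disabled/ { exposed = 1 }
        # later lines are granted entries; INET ones are remote hosts
        NR > 1  && /^INET6?:/                  { exposed = 1 }
        END { exit (exposed ? 0 : 1) }
    '
}

# Exit 0 when the given .Xauthority file is readable by its group or by
# others: anyone who can read it can point XAUTHORITY at it and connect,
# which is the step the article shows. Exit 1 when only the owner can
# read it or the file does not exist.
xauth_readable_by_others() {
    xauth_file=$1
    [ -f "$xauth_file" ] || return 1
    find "$xauth_file" \( -perm -g+r -o -perm -o+r \) -print | grep -q .
}

# Run both checks against the live desktop when invoked with --audit.
if [ "${1:-}" = "--audit" ]; then
    xhost | xhost_exposed \
        && echo "WARNING: X server accepts connections from other hosts"
    xauth_readable_by_others "${XAUTHORITY:-$HOME/.Xauthority}" \
        && echo "WARNING: .Xauthority readable by group or others"
fi
```

Running the script with --audit on the desktop prints a warning for each condition found; a silent run means neither of these two doors is open.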
    
    Next time I'll address how you can keep your X11 server safe, and how
    your X11 server may not be safe even if your desktop is completely
    locked down; even if no one has access -- much less root access -- to
    it.
    
    NOTES:
    
    [1] I have slapped myself appropriately for having forgotten the
    proper tool and announcing my ignorance to the world. Thanks to the
    dozen people who reminded me what I was looking for, you're clearly
    on the ball more than I.
    
    [2] You need to ignore the <<Shift_>> entries in the output; you can
    prevent them from being displayed by editing the xkey.c source code.
    
    [3] If you aren't in a window, you can move your mouse (on their
    screen) around until you are -- you can see which window is active by
    using xdpyinfo | grep focus.
    
                                -------------
    Brian Hatch is Chief Hacker at Onsight, Inc and author of Hacking
    Linux Exposed and Building Linux VPNs. He looks back on his college
    days of playing xtank at 3am and wonders "Did anyone steal my
    passwords when we all ran 'xhost +'?" Brian can be reached at
    brian@private
    
    --------------------------------------------------------------------
    This newsletter is distributed by Onsight, Inc.
    
    The list is managed with MailMan (http://www.list.org). You can
    subscribe, unsubscribe, or change your password by visiting
    http://lists.onsight.com/ or by sending email to
    linux_security-request@private
    
    Archives of this and previous newsletters are available at
    http://www.hackinglinuxexposed.com/articles/
    
    --------------------------------------------------------------------
    
    Copyright 2004, Brian Hatch.
    
    
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org
    


