[ISN] The ease of (ab)using X11, Part 2

From: InfoSec News (isn@private)
Date: Wed Jun 09 2004 - 03:06:52 PDT

  • Next message: InfoSec News: "Re: [ISN] Security Expected To Take A Larger Bite Out Of IT Budgets"

    |  Linux Security: Tips, Tricks, and Hackery        08-June-2004   |
    |  Published by Onsight, Inc.                             Edition  |
    |                                                                  |
    |  http://www.hackinglinuxexposed.com/articles/20040608.html       |
    This issue sponsored by LinuxQuestions.org.
    LinuxQuestions.org offers a free, friendly and active Linux Community
    with over 85,000 members from newbies to experts. We have forums,
    quizzes, reviews, tutorials, links and much more. Many of our forums
    are officially recognized, such as Arch, Conectiva, Fedora, Libranet,
    Linux From Scratch, Mandrake, Red Hat, Slackware, and VectorLinux. If
    you have Linux questions or want to help out the Linux community,
    come by http://www.LinuxQuestions.org.
    The ease of (ab)using X11, Part 2
    By Brian Hatch
    Summary: Abusing X11 for fun and passwords.
    Last time we looked at how you can get access to an X11 server, the
    desktop software you are using when you're running graphical
    environments like Gnome or KDE. When you have access to the X11
    server, you can do some remarkable things. As an example, I
    previously showed you how to open an xterm on the users screen to
    leave them a message. Rather than use an xterm, it's much easier to
    use xmessage[1], which will pop up a window and can even have
    programmable buttons.
    So, using xmessage as our target program, let's recap. First, log
    into the victim's desktop, become root, and set up your environment
    to access his X11 server:
      home$ ssh victim_desktop
      victim$ sudo /bin/ksh
      victim\# XAUTHORITY=/home/fernando/.Xauthority
      victim\# export XAUTHORITY
      victim\# DISPLAY=:0
      victim\# export DISPLAY
    At this point, you have access to the server and can do anything, for
    example running xmessage:
      victim\# xmessage "Hey, Fernando, don't forget to walk the dog."
    You won't see anything of course - the window went on Fernando's
    Ok, so you can plop up some windows, big deal, right? What fun is
    that? Here are some other fun things you could do:
    xsetbg filename
        Don't like the desktop background? Change it easily with xsetbg.
        Can have a particularly disastrous effect on a machine at work
        depending on the content you choose.
    xlsclients -l
        Provides you a list of all X11 clients that are running on the
        machine. The output includes the window id that you'll need for
        some commands below.
          # xlsclients -l
          Window 0x180000d:
            Command:  /usr/X11R6/bin/kterm
            Instance/Class:  kterm/KTerm
          Window 0x1200001:
            Name:  MozillaFirefox-bin
            Command:  /usr/lib/mozilla-firebird/MozillaFirefox-bin
            Instance/Class:  MozillaFirefox-bin/MozillaFirefox-bin
          Window 0x2d0000d:
            Name:  xine
            Icon Name:  kterm
            Command:  /usr/bin/xine
            Instance/Class:  xine/Xine
    xwininfo -id windowid
        Display verbose information about existing window, such as the
        title name, size, location, etc. This gives you more information
        for finding the window you're interested in for any of the other
        commands below that use windowids.
    xkill -id windowid
        A quick and efficient way to kill X11 windows. Purely a malicious
        xwd is an X window dumper - it dumps a screen shot of any window
        you request, or the whole screen. When used interactively, it
        will let you move the mouse and click on the window in which
        you're interested. If you want a specific window, you can specify
        it with xwd -id windowid, or you can choose the root window with
        xwd -root. To be surreptitious, you probably want to use -silent
        as well, to keep it from ringing the bell.
        So, the following would give you a screen shot of the entire
        desktop, and convert it to a .png file for viewing on your
          # xwd -root -silent - | convert - fernando.png
    xev -id windowid
        xev can attach to an existing window and show you all X11 events
        that occur. Great for seeing in which windows the user is active.
        Since keypresses are events, you can see everything they type,
        though it's not the cleanest way, we'll see better options later.
        This one is not a part of your standard X11 distribution, however
        you can easily find the source code via google. Xkey will watch
        for X11 keyboard events and prints the characters to the screen -
        a great way for sniffing the keyboard for passwords, as seen
          # xkey
          s -la
          cd <<Shift_R>>~
          convert /tmp/rack.jpg network-rack.png
          scp network-rack.png isp.example.net<<Shift_R>>:
          ssh isp.example.net
          mutt -a network-rack.png
        In the output above, you get to see in gory detail exactly what
        the user is typing -- not only do you get to see that the
        password for the account at isp.example.net is d@rPaneT,[2] but
        you can see exactly which shift keys (left or right) were used in
        the attempt.
        Using x2x, you can connect your mouse and keyboard to their
        display. You can use this to either play games by moving their
        mouse around, or more maliciously you can use this to send input
        to their windows.[3] For example, use xev to determine they're
        not doing anything, and then start typing in their shell. Start
        up a netcat daemon in listen mode, connect to their machine on
        that port and have straight shell access to their account.
        Anything's possible.
        Want full blown access to the X11 server? Run an x0rfbserver on
        their display and you can connect to it with a vnc client to have
        complete control of their desktop. Valid for helping folks out
        remotely, but deadly when done maliciously.
    Hopefully this gives you a good idea why it's so very bad to allow
    access to your X11 server.
    Next time I'll address how you can keep your X11 server safe, and how
    your X11 server may not be safe even if your desktop is completely
    locked down; even if no one has access -- much less root access -- to
    [1] I have slapped myself appropriately for having forgotten the
    proper tool and announcing my ignorance to the world. Thanks to the
    dozen people who reminded me what I was looking for, you're clearly
    on the ball more than I.
    [2] You need to ignore the <<Shift_>> entries in the output - you can
    prevent them from being displayed by editing the xkey.c source code
    [3] If you aren't in a window, you can move your mouse (on their
    screen) around until you are -- you can see which window is active by
    using xdpyinfo | grep focus.
    Brian Hatch is Chief Hacker at Onsight, Inc and author of Hacking
    Linux Exposed and Building Linux VPNs. He looks back on his college
    days of playing xtank at 3am and wonders "Did anyone steal my
    passwords when we all ran 'xhost +' " ? Brian can be reached at
    This newsletter is distributed by Onsight, Inc.
    The list is managed with MailMan (http://www.list.org). You can
    subscribe, unsubscribe, or change your password by visiting
    http://lists.onsight.com/ or by sending email to
    Archives of this and previous newsletters are available at
    Copyright 2004, Brian Hatch.
    ISN mailing list
    Sponsored by: OSVDB.org

    This archive was generated by hypermail 2b30 : Wed Jun 09 2004 - 04:51:39 PDT