Linux XServer Security

Based on the discussion towards the end of
https://www.wilderssecurity.com/showthread.php?t=280685

From http://plash.beasts.org/wiki/X11Security

Whats a realistic defense strategy?

One thing is to not enter the root password on any desktop application (including xterm).

Suppose I also want to protect the data in my home directory. If I open xterm in the same x-session as say firfox or a compromised pdf, then I am screwed? As the malware can send keystrokes to xterm?

Can javascript anyway screw me? Ie run downloaded malware files?

What is the solution? Run multiple x-servers at the same time (can be done)? Use xserver-less consoles (CTRL+ALT+F2)?

EDIT: See https://www.wilderssecurity.com/showpost.php?p=1740061&postcount=21 for how easy it is for keyloggers to work

 

I issued a challenge on the Ubuntu forums for someone to write a userspace keylogger for Linux/Xorg that does not take root access to install itself. A lot of people responded saying how easy it is, yet not one of them provided even a single line of code. I am not saying it cannot be done, but it certainly is not trivial.

 

There's your problem right there.

 

Quick search turned up those:
http://protomind.net/wp/?page_id=27
http://usbngh.delta-xi.net/index.php?/archives/21-X11-Keylogger-wo-root-permissions.html
http://lwn.net/Articles/363223/ (also see the comments, especially regarding Ctrl-Alt-Del in Windows)

 

That is disturbing....

If I do CTRL+ALT+F2 to get to a console, then the keystrokes cannot be intercepted by the running X-Servers right?

 

This discussion is now way out of my realm of Linux knowledge as I am just an average home user, but I have a question.
Some time ago, under the guidance of Mrk., I did a strace diff to see whether the system calls of the keyboard and the Ubuntu onscreen keyboard differ. They do differ, so I am wondering whether using keyboard and onscreen keyboard (onBoard) alternately when entering passwords would provide an extra 'dollop' of security ? Apologies for a novice question.
The thread where I asked about this:- https://www.wilderssecurity.com/showthread.php?t=227666&highlight=strace

 

I think now would be a good time to provide a reality check. If your system is clean with no malware active in memory, there's no bogeyman that's going to come out of nowhere and steal all your passwords.

 

I don't see a problem with X server doing what it does. It's supposed to do that.
Like saying /var/log/messages logs all kinds of things or something. So what?

Realistic defense strategy against what? Against an OS doing what it is supposed to be doing?

To answer the question of keylogging: it's 4 minutes of work + root access to hook the right /dev. No magic, just geeky but not so difficult code. Nothing special. Someone installs something as root ... boo. Big deal.

Mrk

 

Ugh, I dont want an xwindow which is not in focus to capture keystrokes!!!

 

Yes, there is on the internet who can visit me on firefox

 

wear, it's really not how you imagine it.
Mrk

 

Would you care to elaborate?

 

In this thread we are talking about the possibility to log and send keys WITHOUT root access.

I do have a problem with that if Xserver really breaks all access and privilege separations. I don't know if it does. From the other thread and my links it looks like that's the case which would probably make this xserver design flaw/vulnerability the most promising vector on a hardened system. Still no big deal?

For example: you have your vulnerable but confined (SELinux, Apparmor, RBAC...) software that processes data that triggers a buffer overflow, the shellcode consists of a simple command that gets sent to all other windows hoping one is a terminal window with root logged in. Do you get root access or not?

I'm eager to know if this would work (and please don't tell me there is no such Linux malware out there - I don't care, I'm purely interested in the abstract question whether this is insecure by design or not).

 

I guess browser/plugin exploits. Pretty common these days (Adobe Flash to name the most notorious).

 

Correct you are katio

For those saying there is no such malware currently in existence: Good. But I would like to have a defense strategy in place BEFORE such malware go out in the wild, BEFORE I get hacked.

 

Well said.

 

The first one is for Swedish keyboards, so I don't feel like testing it. The second one is now deleted. And the third link I have seen before. However the author provides no POC, so it's just talk as far as I am concerned.

 

And yet the same browser exploit that bought down Mac and Win couldn't bring down Ubuntu in pwn2own.

 

TBH, I find you Linux folks to be overly-obsessed with root access. If the claims in the first post are accurate, it sounds like an exploit could do a LOT of damage, with or without root access.

Personally, at this point, I'd be concerned with preventing the exploit from running at all rather than whether it can get root access or not. Chromium and/or NoScript comes to mind.

You "don't feel like" testing it?

No offense, chronomatic, but you seem too be falling into the simple psychological trap of "see no evil, hear no evil". As long as you can find excuses to not acknowledge the existence of an exploit, you hence have nothing to fear from it, regardless of whether it exists or not?

 

I agree. I only used this root exploit theory to show the severity of the issue (to those who still believe it's all about root access). Any open terminal could of course do a lot of damage (delete, upload personal data, steal cookies, encrypt and demand ransom, there are millions of ways to exploit without root).

 

Found another one: http://www.stllinux.org/meeting_notes/1997/0619/xkey.html
This one has a few issues, I had to add
#include <stdlib.h>
and it doubles all key presses ("ppaasswwoorrdd"), nothing a bit of bash scripting couldn't fix though.
I also tested the first "Swedish" POC, runs without issues. Adapting the code for another keymap is a quick fix, the code is self explanatory for everyone who's ever edited config files.

On ubuntu you need build-essential and libxt-dev to compile them.

Both run without root privileges, obviously.

Next step is to test them with Apparmor and SELinux, any volunteers?

That's impossible as long as you process "bytes" from untrusted sources. And with bytes I mean everything that consists of zeros and ones, not just javascript and flash, there've been exploits using png images for example or even malformed TCP/IP packages that exploit your network card. You don't have to attack the browser, any application that opens downloaded files is a possible target.

 

I got it compiled but it cannot find my display. BTW, it was coded in 1997! I'm surprised it runs at all.

Not compiling here. I have both build-essential and libxt-dev installed.

I will if I can get either working.

That's why we have MAC systems like SELinux and AppArmor, etc. They're not perfect, but they can be pretty close.

 

Worked for me out of the box (note that it has to be compiled as mentioned in the comments

Code:

gcc -o xkey xkey.c -lX11 -lm

It captures (doubles actually) all keystrokes, passwords and all, no matter the window focus
(Thanks Katio, u da man)
Fortunately, it does not capture keystrokes if I go to the console via CTL+ALT+F2

FML

 

I've got it compiled but it can't find my display. What did you use for your display name?

 

nothing....I'm just running it in an xterm window as

Code:

./xkey 

I think the display option is only important if you've got multiple x-servers running.