Wilders Security Forums  

  #1  
Old August 30th, 2010, 08:00 AM
wearetheborg
Frequent Poster
 
Join Date: Nov 2009
Posts: 650
Default Linux XServer Security

Based on the discussion towards the end of
http://www.wilderssecurity.com/showthread.php?t=280685

Quote:
The X server allows an X client to:

* Snoop on the screen by reading its contents.
* Snoop on the keyboard.
* Take control of other X clients by sending them keyboard and mouse events.
* Impersonate other X clients by using their names in window title bars.
* Discover what other X clients are running.
* Steal the input focus.
* Deny service by grabbing the pointer or keyboard or the whole server.
* Deny service by consuming the X server's resources.

From http://plash.beasts.org/wiki/X11Security

What's a realistic defense strategy?

One thing is to not enter the root password on any desktop application (including xterm).

Suppose I also want to protect the data in my home directory. If I open xterm in the same x-session as say Firefox or a compromised PDF, then I am screwed? As the malware can send keystrokes to xterm?

Can JavaScript screw me anyway? I.e., run downloaded malware files?

What is the solution? Run multiple x-servers at the same time (can be done)? Use xserver-less consoles (CTRL+ALT+F2)?

EDIT: See http://www.wilderssecurity.com/showp...1&postcount=21 for how easy it is for keyloggers to work
__________________
Windows XP: SRP + LUA + No Autostarts for Users + On demand scanned new exe's + Sandboxie'd Firefox with NoScript.
Linux Hardening: AppArmor, SeLinux
Limited User Accounts: In a LUA, you have the supreme power; a process cannot monkey around critical system parts without your explicit permission.

Last edited by wearetheborg : September 1st, 2010 at 02:02 PM.
  #2  
Old August 30th, 2010, 08:23 AM
chronomatic
Very Frequent Poster
 
Join Date: Apr 2009
Posts: 1,324
Default Re: Linux XServer Security

I issued a challenge on the Ubuntu forums for someone to write a userspace keylogger for Linux/Xorg that does not take root access to install itself. A lot of people responded saying how easy it is, yet not one of them provided even a single line of code. I am not saying it cannot be done, but it certainly is not trivial.
  #3  
Old August 30th, 2010, 08:46 AM
Eice
Very Frequent Poster
 
Join Date: Jan 2009
Posts: 1,413
Default Re: Linux XServer Security

Quote:
Originally Posted by chronomatic
I issued a challenge on the Ubuntu forums...
There's your problem right there.
  #4  
Old August 30th, 2010, 11:44 AM
katio
 
Posts: n/a
Default Re: Linux XServer Security

Quick search turned up those:
http://protomind.net/wp/?page_id=27
http://usbngh.delta-xi.net/index.php...rmissions.html
http://lwn.net/Articles/363223/ (also see the comments, especially regarding Ctrl-Alt-Del in Windows)
  #5  
Old August 30th, 2010, 01:47 PM
wearetheborg
Frequent Poster
 
Join Date: Nov 2009
Posts: 650
Default Re: Linux XServer Security

Quote:
Originally Posted by katio
http://lwn.net/Articles/363223/ (also see the comments, especially regarding Ctrl-Alt-Del in Windows)


That is disturbing....

If I do CTRL+ALT+F2 to get to a console, then the keystrokes cannot be intercepted by the running X-Servers right?
__________________
Windows XP: SRP + LUA + No Autostarts for Users + On demand scanned new exe's + Sandboxie'd Firefox with NoScript.
Linux Hardening: AppArmor, SeLinux
Limited User Accounts: In a LUA, you have the supreme power; a process cannot monkey around critical system parts without your explicit permission.
  #6  
Old August 30th, 2010, 02:00 PM
Ocky
Very Frequent Poster
 
Join Date: May 2006
Location: George, S.Africa
Posts: 2,537
Default Re: Linux XServer Security

This discussion is now way out of my realm of Linux knowledge as I am just an average home user, but I have a question.
Some time ago, under the guidance of Mrk., I did a strace diff to see whether the system calls of the keyboard and the Ubuntu onscreen keyboard differ. They do differ, so I am wondering whether using keyboard and onscreen keyboard (onBoard) alternately when entering passwords would provide an extra 'dollop' of security? Apologies for a novice question.
The thread where I asked about this:- http://www.wilderssecurity.com/showt...ghlight=strace
__________________
Ubuntu Kubuntu Xubuntu Scientific Linux
  #7  
Old August 30th, 2010, 02:08 PM
Eice
Very Frequent Poster
 
Join Date: Jan 2009
Posts: 1,413
Default Re: Linux XServer Security

Quote:
Originally Posted by wearetheborg
That is disturbing....

If I do CTRL+ALT+F2 to get to a console, then the keystrokes cannot be intercepted by the running X-Servers right?
I think now would be a good time to provide a reality check. If your system is clean with no malware active in memory, there's no bogeyman that's going to come out of nowhere and steal all your passwords.
  #8  
Old August 30th, 2010, 02:22 PM
Mrkvonic
Linux Systems Expert
 
Join Date: May 2005
Posts: 7,433
Default Re: Linux XServer Security

I don't see a problem with X server doing what it does. It's supposed to do that.
Like saying /var/log/messages logs all kinds of things or something. So what?

Realistic defense strategy against what? Against an OS doing what it is supposed to be doing?

To answer the question of keylogging: it's 4 minutes of work + root access to hook the right /dev. No magic, just geeky but not so difficult code. Nothing special. Someone installs something as root ... boo. Big deal.

Mrk
__________________
http://www.dedoimedo.com

All your base are belong to us

Linux Systems Expert / Systems Programmer, Linux System Administrator, LPIC-1, LPIC-2 (WIP), GSEC, CCHD, CCHA
  #9  
Old August 30th, 2010, 02:40 PM
wearetheborg
Frequent Poster
 
Join Date: Nov 2009
Posts: 650
Default Re: Linux XServer Security

Quote:
Originally Posted by Mrkvonic
I don't see a problem with X server doing what it does. It's supposed to do that.

Ugh, I don't want an xwindow which is not in focus to capture keystrokes!!!
__________________
Windows XP: SRP + LUA + No Autostarts for Users + On demand scanned new exe's + Sandboxie'd Firefox with NoScript.
Linux Hardening: AppArmor, SeLinux
Limited User Accounts: In a LUA, you have the supreme power; a process cannot monkey around critical system parts without your explicit permission.
  #10  
Old August 30th, 2010, 02:41 PM
wearetheborg
Frequent Poster
 
Join Date: Nov 2009
Posts: 650
Default Re: Linux XServer Security

Quote:
Originally Posted by Eice
I think now would be a good time to provide a reality check. If your system is clean with no malware active in memory, there's no bogeyman that's going to come out of nowhere and steal all your passwords.


Yes, there is on the internet who can visit me on firefox
__________________
Windows XP: SRP + LUA + No Autostarts for Users + On demand scanned new exe's + Sandboxie'd Firefox with NoScript.
Linux Hardening: AppArmor, SeLinux
Limited User Accounts: In a LUA, you have the supreme power; a process cannot monkey around critical system parts without your explicit permission.
  #11  
Old August 30th, 2010, 02:41 PM
Mrkvonic
Linux Systems Expert
 
Join Date: May 2005
Posts: 7,433
Default Re: Linux XServer Security

wear, it's really not how you imagine it.
Mrk
__________________
http://www.dedoimedo.com

All your base are belong to us

Linux Systems Expert / Systems Programmer, Linux System Administrator, LPIC-1, LPIC-2 (WIP), GSEC, CCHD, CCHA
  #12  
Old August 30th, 2010, 03:27 PM
Eice
Very Frequent Poster
 
Join Date: Jan 2009
Posts: 1,413
Default Re: Linux XServer Security

Quote:
Originally Posted by wearetheborg
Yes, there is on the internet who can visit me on firefox
Would you care to elaborate?
  #13  
Old August 30th, 2010, 04:18 PM
katio
 
Posts: n/a
Default Re: Linux XServer Security

Quote:
Originally Posted by Mrkvonic
To answer the question of keylogging: it's 4 minutes of work + root access to hook the right /dev. No magic, just geeky but not so difficult code. Nothing special. Someone installs something as root ... boo. Big deal.
In this thread we are talking about the possibility to log and send keys WITHOUT root access.
Quote:
I don't see a problem with X server doing what it does.
I do have a problem with that if Xserver really breaks all access and privilege separations. I don't know if it does. From the other thread and my links it looks like that's the case which would probably make this xserver design flaw/vulnerability the most promising vector on a hardened system. Still no big deal?

For example: you have your vulnerable but confined (SELinux, Apparmor, RBAC...) software that processes data that triggers a buffer overflow, the shellcode consists of a simple command that gets sent to all other windows hoping one is a terminal window with root logged in. Do you get root access or not?

I'm eager to know if this would work (and please don't tell me there is no such Linux malware out there - I don't care, I'm purely interested in the abstract question whether this is insecure by design or not).
  #14  
Old August 30th, 2010, 04:20 PM
katio
 
Posts: n/a
Default Re: Linux XServer Security

Quote:
Originally Posted by Eice
Quote:
Yes, there is on the internet who can visit me on firefox
Would you care to elaborate?
I guess browser/plugin exploits. Pretty common these days (Adobe Flash to name the most notorious).
  #15  
Old August 30th, 2010, 04:39 PM
wearetheborg
Frequent Poster
 
Join Date: Nov 2009
Posts: 650
Default Re: Linux XServer Security

Quote:
Originally Posted by katio
I guess browser/plugin exploits. Pretty common these days (Adobe Flash to name the most notorious).

Correct you are katio

For those saying there is no such malware currently in existence: Good. But I would like to have a defense strategy in place BEFORE such malware go out in the wild, BEFORE I get hacked.
__________________
Windows XP: SRP + LUA + No Autostarts for Users + On demand scanned new exe's + Sandboxie'd Firefox with NoScript.
Linux Hardening: AppArmor, SeLinux
Limited User Accounts: In a LUA, you have the supreme power; a process cannot monkey around critical system parts without your explicit permission.
  #16  
Old August 30th, 2010, 04:54 PM
zapjb
Very Frequent Poster
 
Join Date: Nov 2005
Location: USA - Back in a real State in time for a real President.
Posts: 1,961
Default Re: Linux XServer Security

Quote:
Originally Posted by chronomatic
I issued a challenge on the Ubuntu forums for someone to write a userspace keylogger for Linux/Xorg that does not take root access to install itself. A lot of people responded saying how easy it is, yet not one of them provided even a single line of code. I am not saying it cannot be done, but it certainly is not trivial.
Quote:
Originally Posted by Eice
There's your problem right there.
Well said.
__________________
PCLinuxOS - Radically simple, it just works. That's why PCLOS is "The Distro Hopper Stopper!"
http://www.pclinuxos.com/

If you don't use Linux. You're going to HELL!!!
  #17  
Old August 30th, 2010, 09:25 PM
chronomatic
Very Frequent Poster
 
Join Date: Apr 2009
Posts: 1,324
Default Re: Linux XServer Security

Quote:
Originally Posted by katio
Quick search turned up those:
http://protomind.net/wp/?page_id=27
http://usbngh.delta-xi.net/index.php...rmissions.html
http://lwn.net/Articles/363223/ (also see the comments, especially regarding Ctrl-Alt-Del in Windows)

The first one is for Swedish keyboards, so I don't feel like testing it. The second one is now deleted. And the third link I have seen before. However the author provides no POC, so it's just talk as far as I am concerned.
  #18  
Old August 30th, 2010, 11:05 PM
linuxforall
Very Frequent Poster
 
Join Date: Feb 2010
Posts: 2,100
Default Re: Linux XServer Security

Quote:
Originally Posted by wearetheborg
Correct you are katio

For those saying there is no such malware currently in existence: Good. But I would like to have a defense strategy in place BEFORE such malware go out in the wild, BEFORE I get hacked.
And yet the same browser exploit that brought down Mac and Win couldn't bring down Ubuntu in pwn2own.
__________________
Ubuntu, Chakra with Opera and Chromium
Perpetually learning Linux novice, rank amateur.
  #19  
Old August 30th, 2010, 11:20 PM
Eice
Very Frequent Poster
 
Join Date: Jan 2009
Posts: 1,413
Default Re: Linux XServer Security

Quote:
Originally Posted by katio
For example: you have your vulnerable but confined (SELinux, Apparmor, RBAC...) software that processes data that triggers a buffer overflow, the shellcode consists of a simple command that gets sent to all other windows hoping one is a terminal window with root logged in. Do you get root access or not?

I'm eager to know if this would work (and please don't tell me there is no such Linux malware out there - I don't care, I'm purely interested in the abstract question whether this is insecure by design or not).
TBH, I find you Linux folks to be overly-obsessed with root access. If the claims in the first post are accurate, it sounds like an exploit could do a LOT of damage, with or without root access.

Personally, at this point, I'd be concerned with preventing the exploit from running at all rather than whether it can get root access or not. Chromium and/or NoScript comes to mind.

Quote:
Originally Posted by chronomatic
The first one is for Swedish keyboards, so I don't feel like testing it. The second one is now deleted. And the third link I have seen before. However the author provides no POC, so it's just talk as far as I am concerned.
You "don't feel like" testing it?

No offense, chronomatic, but you seem to be falling into the simple psychological trap of "see no evil, hear no evil". As long as you can find excuses to not acknowledge the existence of an exploit, you hence have nothing to fear from it, regardless of whether it exists or not?

Last edited by Eice : August 30th, 2010 at 11:25 PM.
  #20  
Old August 31st, 2010, 07:44 AM
katio
 
Posts: n/a
Default Re: Linux XServer Security

Quote:
Originally Posted by Eice
TBH, I find you Linux folks to be overly-obsessed with root access.
I agree. I only used this root exploit theory to show the severity of the issue (to those who still believe it's all about root access). Any open terminal could of course do a lot of damage (delete, upload personal data, steal cookies, encrypt and demand ransom, there are millions of ways to exploit without root).
  #21  
Old August 31st, 2010, 08:48 AM
katio
 
Posts: n/a
Default Re: Linux XServer Security

Found another one: http://www.stllinux.org/meeting_note...0619/xkey.html
This one has a few issues, I had to add
#include <stdlib.h>
and it doubles all key presses ("ppaasswwoorrdd"), nothing a bit of bash scripting couldn't fix though.
I also tested the first "Swedish" POC, runs without issues. Adapting the code for another keymap is a quick fix, the code is self explanatory for everyone who's ever edited config files.

On Ubuntu you need build-essential and libxt-dev to compile them.

Both run without root privileges, obviously.

Next step is to test them with Apparmor and SELinux, any volunteers?

Quote:
Originally Posted by Eice
Personally, at this point, I'd be concerned with preventing the exploit from running at all rather than whether it can get root access or not. Chromium and/or NoScript comes to mind.
That's impossible as long as you process "bytes" from untrusted sources. And with bytes I mean everything that consists of zeros and ones, not just javascript and flash, there've been exploits using png images for example or even malformed TCP/IP packages that exploit your network card. You don't have to attack the browser, any application that opens downloaded files is a possible target.

Last edited by katio : August 31st, 2010 at 08:57 AM.
  #22  
Old September 1st, 2010, 01:29 AM
chronomatic
Very Frequent Poster
 
Join Date: Apr 2009
Posts: 1,324
Default Re: Linux XServer Security

Quote:
Originally Posted by katio
Found another one: http://www.stllinux.org/meeting_note...0619/xkey.html
This one has a few issues, I had to add
#include <stdlib.h>
and it doubles all key presses ("ppaasswwoorrdd"), nothing a bit of bash scripting couldn't fix though.

I got it compiled but it cannot find my display. BTW, it was coded in 1997! I'm surprised it runs at all.

Quote:
I also tested the first "Swedish" POC, runs without issues. Adapting the code for another keymap is a quick fix, the code is self explanatory for everyone who's ever edited config files.

Not compiling here. I have both build-essential and libxt-dev installed.

Quote:
Next step is to test them with Apparmor and SELinux, any volunteers?

I will if I can get either working.

Quote:
That's impossible as long as you process "bytes" from untrusted sources. And with bytes I mean everything that consists of zeros and ones, not just javascript and flash, there've been exploits using png images for example or even malformed TCP/IP packages that exploit your network card. You don't have to attack the browser, any application that opens downloaded files is a possible target.

That's why we have MAC systems like SELinux and AppArmor, etc. They're not perfect, but they can be pretty close.
  #23  
Old September 1st, 2010, 03:34 AM
wearetheborg
Frequent Poster
 
Join Date: Nov 2009
Posts: 650
Default Re: Linux XServer Security

Quote:
Originally Posted by katio
Found another one: http://www.stllinux.org/meeting_note...0619/xkey.html
This one has a few issues, I had to add
#include <stdlib.h>
and it doubles all key presses ("ppaasswwoorrdd"), nothing a bit of bash scripting couldn't fix though.
Worked for me out of the box (note that it has to be compiled as mentioned in the comments):
Code:
gcc -o xkey xkey.c -lX11 -lm

It captures (doubles actually) all keystrokes, passwords and all, no matter the window focus
(Thanks Katio, u da man)
Fortunately, it does not capture keystrokes if I go to the console via CTL+ALT+F2

FML
__________________
Windows XP: SRP + LUA + No Autostarts for Users + On demand scanned new exe's + Sandboxie'd Firefox with NoScript.
Linux Hardening: AppArmor, SeLinux
Limited User Accounts: In a LUA, you have the supreme power; a process cannot monkey around critical system parts without your explicit permission.
  #24  
Old September 1st, 2010, 05:44 AM
chronomatic
Very Frequent Poster
 
Join Date: Apr 2009
Posts: 1,324
Default Re: Linux XServer Security

Quote:
Originally Posted by wearetheborg
Worked for me out of the box (note that it has to be compiled as mentioned in the comments

I've got it compiled but it can't find my display. What did you use for your display name?
  #25  
Old September 1st, 2010, 05:57 AM
wearetheborg
Frequent Poster
 
Join Date: Nov 2009
Posts: 650
Default Re: Linux XServer Security

Quote:
Originally Posted by chronomatic
I've got it compiled but it can't find my display. What did you use for your display name?

nothing....I'm just running it in an xterm window as
Code:
./xkey

I think the display option is only important if you've got multiple x-servers running.
__________________
Windows XP: SRP + LUA + No Autostarts for Users + On demand scanned new exe's + Sandboxie'd Firefox with NoScript.
Linux Hardening: AppArmor, SeLinux
Limited User Accounts: In a LUA, you have the supreme power; a process cannot monkey around critical system parts without your explicit permission.
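
Added example (editor's note, not code from any poster in this thread): the tests above show that any client on an X display can see keystrokes typed into the other clients on that display, so a useful first check is an inventory of which processes share each display. The Python below parses `ss -x -p` output and flags displays where a terminal sits next to an application that handles untrusted content; the sample lines are constructed, and the function names and the `terminals`/`exposed` name sets are assumptions to adapt.

```python
import re
import subprocess
from collections import defaultdict

# Constructed sample of `ss -x -p` output (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
u_str LISTEN 0      128    @/tmp/.X11-unix/X0 20001 * 0 users:(("Xorg",pid=900,fd=5))
u_str ESTAB  0      0      @/tmp/.X11-unix/X0 20010 * 20011 users:(("Xorg",pid=900,fd=30))
u_str ESTAB  0      0      * 20011 * 20010 users:(("firefox",pid=1500,fd=4))
u_str ESTAB  0      0      /tmp/.X11-unix/X0 20020 * 20021 users:(("Xorg",pid=900,fd=31))
u_str ESTAB  0      0      * 20021 * 20020 users:(("xterm",pid=1600,fd=3))
u_str ESTAB  0      0      @/tmp/.X11-unix/X1 20030 * 20031 users:(("Xorg",pid=950,fd=9))
u_str ESTAB  0      0      * 20031 * 20030 users:(("evince",pid=1700,fd=6))
u_str ESTAB  0      0      /run/dbus/system_bus_socket 20040 * 20041 users:(("dbus-daemon",pid=700,fd=12))
u_str ESTAB  0      0      * 20041 * 20040 users:(("firefox",pid=1500,fd=9))
"""

# X servers listen on /tmp/.X11-unix/X<N>, as a file and as an abstract ('@') socket.
X_SOCKET = re.compile(r"^@?/tmp/\.X11-unix/X(\d+)$")
PROC = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


def x_clients_by_display(ss_output):
    """Map ':N' -> sorted list of (process name, pid) connected to that display."""
    rows = []
    for line in ss_output.splitlines():
        f = line.split(None, 8)
        if len(f) < 8 or not f[0].startswith("u_"):
            continue  # header line or not a UNIX-socket row
        rows.append((f[4], f[5], f[7], f[8] if len(f) > 8 else ""))

    # Only the server end of a connection carries the socket path;
    # its peer inode identifies the (unnamed) client end.
    client_inode_to_display = {}
    for local, _inode, peer_inode, _procs in rows:
        m = X_SOCKET.match(local)
        if m and peer_inode != "0":
            client_inode_to_display[peer_inode] = ":" + m.group(1)

    clients = defaultdict(set)
    for _local, inode, _peer, procs in rows:
        display = client_inode_to_display.get(inode)
        if display:
            for name, pid in PROC.findall(procs):
                clients[display].add((name, int(pid)))
    return {d: sorted(c) for d, c in clients.items()}


def risky_displays(clients, terminals=frozenset({"xterm"}),
                   exposed=frozenset({"firefox", "evince"})):
    """Displays where a terminal shares the X server with an untrusted-content app."""
    risky = []
    for display, procs in sorted(clients.items()):
        names = {name for name, _pid in procs}
        if names & terminals and names & exposed:
            risky.append(display)
    return risky


if __name__ == "__main__":
    try:
        out = subprocess.run(["ss", "-x", "-p"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_SS  # fall back to the constructed sample
    found = x_clients_by_display(out)
    print(found, "shared with a terminal:", risky_displays(found))
```

Run as an unprivileged user, `ss -p` only reports process details for that user's own processes, which is the set that matters for a single desktop session.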
 

All times are GMT -4.