Keylogging on Linux as a limited user

Discussion in 'all things UNIX' started by Gullible Jones, Jun 8, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    A server wouldn't be relevant in this situation as it would (likely) not have a GUI.

    And like I said in the first post Wayland solves this keylogging issue.

    I don't think it can be dismissed just because no one's posted exploit code that specifically does this. It's hardly surprising as servers are the typical targets and this doesn't apply to those.

    It can still easily affect a user, which the demonstration shows.
     
    Last edited: Jun 9, 2012
  2. BrandiCandi

    BrandiCandi Guest

  3. tlu

    tlu Guest

    Doesn't work here. After entering xinput test ID and entering something in Firefox or kate, nothing is shown in the terminal.
     
  4. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Which ID did you enter?
    Code:
    xinput list
    ⎡ Virtual core pointer                    	id=2	[master pointer  (3)]
    ⎜   ↳ Virtual core XTEST pointer              	id=4	[slave  pointer  (2)]
    ⎜   ↳ Dell Dell USB Optical Mouse             	id=11	[slave  pointer  (2)]
    ⎜   ↳ PS/2 Mouse                              	id=13	[slave  pointer  (2)]
    ⎜   ↳ AlpsPS/2 ALPS GlidePoint                	id=14	[slave  pointer  (2)]
    ⎣ Virtual core keyboard                   	id=3	[master keyboard (2)]
        ↳ Virtual core XTEST keyboard             	id=5	[slave  keyboard (3)]
        ↳ Video Bus                               	id=6	[slave  keyboard (3)]
        ↳ Power Button                            	id=7	[slave  keyboard (3)]
        ↳ Sleep Button                            	id=8	[slave  keyboard (3)]
        ↳ HID 413c:8161                           	id=9	[slave  keyboard (3)]
        ↳ Integrated_Webcam_1.3M                  	id=10	[slave  keyboard (3)]
        ↳ AT Translated Set 2 keyboard            	id=12	[slave  keyboard (3)]
        ↳ Dell WMI hotkeys                        	id=15	[slave  keyboard (3)]
    
    I entered "12" and see input when I type stuff into geany or into Firefox while typing this reply, for example.
     
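An added example, not code posted by anyone in this thread: a small Python parser for the `xinput list` output quoted above. It pulls out every device with its id, role and the master it hangs off, lists the slave keyboards (the devices whose events any client of that X server can subscribe to with `xinput test`), and diffs two listings so that a keyboard device that was not there before is reported. The first listing is the one from the post above with whitespace normalised; the second listing, with the "Constructed USB Keyboard" entry, is made up for the demonstration.

```python
"""Parse `xinput list` output and flag keyboard devices that were not there before.
Added example; the LATER listing below is constructed, not real output."""
import re

# One device line: optional tree glyphs, the name, "id=N", then "[role kind (N)]".
_DEVICE = re.compile(
    r'^[\s⎡⎜⎣↳]*(?P<name>\S.*?)\s+id=(?P<id>\d+)\s+'
    r'\[(?P<role>master|slave)\s+(?P<kind>pointer|keyboard)\s+\((?P<attach>\d+)\)\]\s*$')


def parse_xinput_list(text):
    """Return one dict per device; non-device lines (the command itself, blanks) are skipped."""
    devices = []
    for line in text.splitlines():
        m = _DEVICE.match(line)
        if m:
            devices.append({'name': m.group('name'), 'id': int(m.group('id')),
                            'role': m.group('role'), 'kind': m.group('kind'),
                            'attached_to': int(m.group('attach'))})
    return devices


def slave_keyboards(devices):
    """The keyboard devices (real or virtual) whose events an X client can watch."""
    return [(d['name'], d['id']) for d in devices
            if d['role'] == 'slave' and d['kind'] == 'keyboard']


def new_keyboards(before_text, after_text):
    """Keyboard devices present in the second listing but not the first, compared
    by name: ids are reassigned on hotplug, names are stable."""
    known = {name for name, _ in slave_keyboards(parse_xinput_list(before_text))}
    return [(name, dev_id)
            for name, dev_id in slave_keyboards(parse_xinput_list(after_text))
            if name not in known]


# Listing from the thread (whitespace normalised).
BASELINE = """xinput list
⎡ Virtual core pointer                          id=2    [master pointer  (3)]
⎜   ↳ Virtual core XTEST pointer                id=4    [slave  pointer  (2)]
⎜   ↳ Dell Dell USB Optical Mouse               id=11   [slave  pointer  (2)]
⎜   ↳ PS/2 Mouse                                id=13   [slave  pointer  (2)]
⎜   ↳ AlpsPS/2 ALPS GlidePoint                  id=14   [slave  pointer  (2)]
⎣ Virtual core keyboard                         id=3    [master keyboard (2)]
    ↳ Virtual core XTEST keyboard               id=5    [slave  keyboard (3)]
    ↳ Video Bus                                 id=6    [slave  keyboard (3)]
    ↳ Power Button                              id=7    [slave  keyboard (3)]
    ↳ Sleep Button                              id=8    [slave  keyboard (3)]
    ↳ HID 413c:8161                             id=9    [slave  keyboard (3)]
    ↳ Integrated_Webcam_1.3M                    id=10   [slave  keyboard (3)]
    ↳ AT Translated Set 2 keyboard              id=12   [slave  keyboard (3)]
    ↳ Dell WMI hotkeys                          id=15   [slave  keyboard (3)]
"""

# Constructed second listing: same machine after one more keyboard device appeared.
LATER = BASELINE + "    ↳ Constructed USB Keyboard                  id=16   [slave  keyboard (3)]\n"

if __name__ == '__main__':
    for name, dev_id in slave_keyboards(parse_xinput_list(BASELINE)):
        print('keyboard id=%-3d %s' % (dev_id, name))
    print('appeared since baseline:', new_keyboards(BASELINE, LATER))
```

Run `xinput list` once to save a baseline, then periodically feed the current listing to `new_keyboards`; a keyboard device nobody plugged in deliberately is worth a look, and the id it gets is what `xinput test` would take.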
  5. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    And even with Chrome. My Chrome isn't AppArmored while Firefox is.
     
  6. tlu

    tlu Guest

    Ah, sorry, I had used the wrong ID :oops: Now it works.
     
  7. Since I think this topic deserves resuscitation, here's some sample strace output from 'xinput test':

    Code:
    poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
    recv(3, "O<\22\0\377&F\0\252\0\0\0\252\0\0\0\332\6\304\0\321\3f\1\321\3f\1\0\0\1\r", 4096, 0) = 32
    recv(3, 0x8efeae0, 4096, 0)             = -1 EAGAIN (Resource temporarily unavailable)
    write(1, "key press   60 \n", 16key press   60 
    )       = 16
    poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
    recv(3, "P<\22\0\202'F\0\252\0\0\0\252\0\0\0\332\6\304\0\321\3f\1\321\3f\1\0\0\1\r", 4096, 0) = 32
    recv(3, 0x8efeae0, 4096, 0)             = -1 EAGAIN (Resource temporarily unavailable)
    write(1, "key release 60 \n", 16key release 60 
    )       = 16
    poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
    recv(3, "O6\22\0\205'F\0\252\0\0\0\252\0\0\0\332\6\304\0\321\3f\1\321\3f\1\0\0\1\r", 4096, 0) = 32
    recv(3, 0x8efeae0, 4096, 0)             = -1 EAGAIN (Resource temporarily unavailable)
    write(1, "key press   54 \n", 16key press   54 
    )       = 16
    poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
    recv(3, "P6\22\0\321'F\0\252\0\0\0\252\0\0\0\332\6\304\0\321\3f\1\321\3f\1\0\0\1\r", 4096, 0) = 32
    recv(3, 0x8efeae0, 4096, 0)             = -1 EAGAIN (Resource temporarily unavailable)
    write(1, "key release 54 \n", 16key release 54 
    )       = 16
    poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
    recv(3, "O4\22\0\357'F\0\252\0\0\0\252\0\0\0\332\6\304\0\321\3f\1\321\3f\1\0\0\1\r", 4096, 0) = 32
    recv(3, 0x8efeae0, 4096, 0)             = -1 EAGAIN (Resource temporarily unavailable)
    write(1, "key press   52 \n", 16key press   52 
    )       = 16
    poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
    recv(3, "P4\22\0s(F\0\252\0\0\0\252\0\0\0\332\6\304\0\321\3f\1\321\3f\1\0\0\1\r", 4096, 0) = 32
    recv(3, 0x8efeae0, 4096, 0)             = -1 EAGAIN (Resource temporarily unavailable)
    write(1, "key release 52 \n", 16key release 52 
    )       = 16
    poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
    recv(3, "O$\22\0\256(F\0\252\0\0\0\252\0\0\0\332\6\304\0\321\3f\1\321\3f\1\0\0\1\r", 4096, 0) = 32
    recv(3, 0x8efeae0, 4096, 0)             = -1 EAGAIN (Resource temporarily unavailable)
    write(1, "key press   36 \n", 16key press   36 
    )       = 16
    poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
    recv(3, "P$\22\0\r)F\0\252\0\0\0\252\0\0\0\332\6\304\0\321\3f\1\321\3f\1\0\0\1\r", 4096, 0) = 32
    recv(3, 0x8efeae0, 4096, 0)             = -1 EAGAIN (Resource temporarily unavailable)
    write(1, "key release 36 \n", 16key release 36 
    )       = 16
    poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
    recv(3, "O@\22\0y*F\0\252\0\0\0\252\0\0\0\332\6\304\0\321\3f\1\321\3f\1\0\0\1\r", 4096, 0) = 32
    recv(3, 0x8efeae0, 4096, 0)             = -1 EAGAIN (Resource temporarily unavailable)
    write(1, "key press   64 \n", 16key press   64 
    )       = 16
    poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
    recv(3, "O\27\22\0\323*F\0\252\0\0\0\252\0\0\0\332\6\304\0\321\3f\1\321\3f\1\10\0\1\r", 4096, 0) = 32
    recv(3, 0x8efeae0, 4096, 0)             = -1 EAGAIN (Resource temporarily unavailable)
    write(1, "key press   23 \n", 16key press   23 
    )       = 16
    poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
    recv(3, "P\27\22\0{+F\0\252\0\0\0\252\0\0\0\332\6\304\0\321\3f\1\321\3f\1\10\0\1\r", 4096, 0) = 32
    recv(3, 0x8efeae0, 4096, 0)             = -1 EAGAIN (Resource temporarily unavailable)
    write(1, "key release 23 \n", 16key release 23 
    )       = 16
    poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
    recv(3, "P@\22\0009-F\0\252\0\0\0\252\0\0\0\332\6\304\0\321\3f\1\321\3f\1\10\0\1\r", 4096, 0) = 32
    recv(3, 0x8efeae0, 4096, 0)             = -1 EAGAIN (Resource temporarily unavailable)
    write(1, "key release 64 \n", 16key release 64 
    )       = 16
    poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
    recv(3, "O@\22\0\374bF\0\252\0\0\0\252\0\0\0\332\6\304\0F\1m\1F\1m\1\0\0\1\r", 4096, 0) = 32
    recv(3, 0x8efeae0, 4096, 0)             = -1 EAGAIN (Resource temporarily unavailable)
    write(1, "key press   64 \n", 16key press   64 
    )       = 16
    poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
    recv(3, "O\27\22\0\211cF\0\252\0\0\0\252\0\0\0\332\6\304\0F\1m\1F\1m\1\10\0\1\r", 4096, 0) = 32
    recv(3, 0x8efeae0, 4096, 0)             = -1 EAGAIN (Resource temporarily unavailable)
    write(1, "key press   23 \n", 16key press   23 
    )       = 16
    poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
    recv(3, "P\27\22\0YdF\0\252\0\0\0\252\0\0\0\332\6\304\0F\1m\1F\1m\1\10\0\1\r", 4096, 0) = 32
    recv(3, 0x8efeae0, 4096, 0)             = -1 EAGAIN (Resource temporarily unavailable)
    write(1, "key release 23 \n", 16key release 23 
    )       = 16
    poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
    recv(3, "P@\22\0\326dF\0\252\0\0\0\252\0\0\0\332\6\304\0F\1m\1F\1m\1\10\0\1\r", 4096, 0) = 32
    recv(3, 0x8efeae0, 4096, 0)             = -1 EAGAIN (Resource temporarily unavailable)
    write(1, "key release 64 \n", 16key release 64 
    )       = 16
    
    What do you guys make of it?
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Without telling us what fd=3 is, it's hard to tell.
    However, nothing interesting there. You need more than just system calls.
    Mrk
     
  9. Not sure what fd=3 is. How would I get "more than just system calls"?
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Other tools. File descriptor 3, could be a local file, could be a socket.
    There's ltrace, netstat, there's gdb, a whole lot.
    But no point doing that if you don't understand the output.
    Just enjoy yourself!
    Dedoimedo
     
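An added decoder for the strace excerpt a few posts up; it is not code from this thread. It assumes that fd 3 is the client's socket to the X server and that each 32-byte `recv()` is one X event in the standard wire layout for a key event (type, detail, sequence number, timestamp, root/event/child windows, coordinates, modifier state, same-screen flag and, for XInput device events, the device id in the last byte). The sample trace inside the block is four of the events quoted in the thread. What it shows: the number xinput prints is just the event's detail byte, so every keystroke arrives in clear on that socket for any client that asked for it, and the state word records which modifiers were held (0x8 in the last event, with keycode 64 already down).

```python
"""Decode what the recv() calls on fd 3 in an strace of 'xinput test' carry.
Added example; assumes fd 3 is the X server connection (little-endian client)."""
import re
import struct

# strace renders non-printable bytes as C-style octal escapes (\22, \0, \377) and
# pads to three digits when a digit follows (\0009 is byte 0 followed by '9').
_ESC = re.compile(r'\\([0-7]{1,3}|[nrtabfv\\"])')
_SIMPLE = {'n': 10, 'r': 13, 't': 9, 'a': 7, 'b': 8, 'f': 12, 'v': 11, '\\': 92, '"': 34}

# recv(3, "...", 4096, 0) = 32   and   write(1, "key press   60 \n", 16...
_RECV = re.compile(r'recv\((\d+), "((?:[^"\\]|\\.)*)", \d+, \d+\)\s*= (\d+)')
_WRITE = re.compile(r'write\(1, "key (press|release) +(\d+) \\n"')


def unescape_strace(s):
    """Turn a quoted string as strace prints it back into the raw bytes."""
    out = bytearray()
    pos = 0
    for m in _ESC.finditer(s):
        out += s[pos:m.start()].encode('latin-1')
        esc = m.group(1)
        out.append(int(esc, 8) if esc[0] in '01234567' else _SIMPLE[esc])
        pos = m.end()
    out += s[pos:].encode('latin-1')
    return bytes(out)


def decode_event(raw):
    """One 32-byte X event. Assumed layout (XInput device key event, i.e. a core key
    event with the device id in the final byte): type, detail, sequence, time, root,
    event, child, root_x, root_y, event_x, event_y, state, same_screen, deviceid."""
    if len(raw) != 32:
        raise ValueError('X events are exactly 32 bytes, got %d' % len(raw))
    fields = struct.unpack('<BBHIIIIhhhhHBB', raw)
    etype, detail, seq, time, _root, _event, _child, rx, ry, _ex, _ey, state, _same, dev = fields
    return {'type': etype & 0x7f,   # top bit only flags synthetic (SendEvent) events
            'detail': detail,       # for key events this is the keycode
            'sequence': seq, 'time': time,
            'state': state,         # modifier bits held; 0x8 is Mod1 (Alt on most layouts)
            'deviceid': dev & 0x7f, 'x': rx, 'y': ry}


def decode_trace(text, fd=3):
    """Pair each 32-byte recv() on `fd` with the 'key press/release N' line that
    xinput printed right after it. Returns one dict per event."""
    events = [decode_event(unescape_strace(m.group(2)))
              for m in _RECV.finditer(text)
              if int(m.group(1)) == fd and int(m.group(3)) == 32]
    for ev, (kind, code) in zip(events, _WRITE.findall(text)):
        ev['printed'] = kind
        ev['printed_keycode'] = int(code)
    return events


def keycodes_match(events):
    """True when every event's detail byte equals the keycode xinput printed for it."""
    return bool(events) and all(ev['detail'] == ev['printed_keycode'] for ev in events)


# Four events from the trace quoted in the thread (sample constructed for this example).
SAMPLE_TRACE = r'''
poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
recv(3, "O<\22\0\377&F\0\252\0\0\0\252\0\0\0\332\6\304\0\321\3f\1\321\3f\1\0\0\1\r", 4096, 0) = 32
recv(3, 0x8efeae0, 4096, 0)             = -1 EAGAIN (Resource temporarily unavailable)
write(1, "key press   60 \n", 16key press   60 
)       = 16
recv(3, "P<\22\0\202'F\0\252\0\0\0\252\0\0\0\332\6\304\0\321\3f\1\321\3f\1\0\0\1\r", 4096, 0) = 32
write(1, "key release 60 \n", 16key release 60 
)       = 16
recv(3, "O@\22\0y*F\0\252\0\0\0\252\0\0\0\332\6\304\0\321\3f\1\321\3f\1\0\0\1\r", 4096, 0) = 32
write(1, "key press   64 \n", 16key press   64 
)       = 16
recv(3, "O\27\22\0\323*F\0\252\0\0\0\252\0\0\0\332\6\304\0\321\3f\1\321\3f\1\10\0\1\r", 4096, 0) = 32
write(1, "key press   23 \n", 16key press   23 
)       = 16
'''

if __name__ == '__main__':
    for ev in decode_trace(SAMPLE_TRACE):
        print('type=%d detail=%d seq=%d state=%#x device=%d -> xinput printed: key %s %d'
              % (ev['type'], ev['detail'], ev['sequence'], ev['state'], ev['deviceid'],
                 ev['printed'], ev['printed_keycode']))
```

To confirm what fd 3 is on a live system rather than assume it, run `strace -y` (it annotates descriptors with their target, a `UNIX:` socket here) or read the link in `/proc/<pid>/fd/3`; the decoder only tells you that the bytes are shaped like X events, which is what the press/release types 79 and 80 and the matching keycodes make plausible.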
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    To answer your question from the now-closed topic, it's just as easy as sniffing. The massive issue here being that any program with X access can interact with terminals open on the system etc.

    Let's say I have Program A and I block its access to open /path/to/file.txt.

    I then open up a terminal.

    Program A can use X to type into that terminal "/path/to/file.txt" and voila.
     
  12. Okay, resurrecting this because I'm interested in the keystroke injection thing. How easy would that be to accomplish? And wouldn't it effectively nullify DAC and MAC restrictions, in the same way as a shatter attack on Windows NT?
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes, it does. Sort of.

    If you're an attacker and the user has a terminal open you can basically do anything that a regular user can do via their shell. Of course, the user would see you typing and all that but that doesn't seem hard to get around.

    And if the user doesn't happen to have a terminal open you can do less - you could type in a URL or whatever but it's really unpredictable, which is why an attack like this is unlikely although obviously very possible.
     
  14. If you knew what you were doing you could probably fuzz some applications, I would think.

    But wow. That's pretty bad. I think I understand now what Rutkowska & company are talking about when they say that no current desktop OS is "reasonably secure."
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    To be honest it's the biggest issue I see with Linux security and pretty much the only one that can't be solved in any simple way (like ~Phrase removed~ ASLR just means you take a few minutes to recompile the kernel with PaX, or set up Apparmor, etc).
     
    Last edited by a moderator: Nov 3, 2012
  16. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
  17. BTW, another thought: could JavaScript executed in a browser be used to capture keystrokes? Or would the JS sandbox in most browsers not permit that?
     
  18. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    Only within the same [browser] process [for a correctly working browser].

    Cheer, Nick
     
  19. That at least is good to know... Thanks.
     
  20. ITSEC ds

    ITSEC ds Registered Member

    Joined:
    Oct 8, 2012
    Posts:
    1
    Location:
    Italy
  21. Exactly like that. And for once, good on Microsoft for actually doing things right out of the box!
     
  22. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Well, almost right. Better than Linux but that part 2 demo shows that a keylogger running with standard rights can still intercept keystrokes from an application (in this case a browser) running with the same standard rights, since the integrity levels are the same. This is probably where the most damage will occur because banking, Paypal and other highly sensitive online-applied credentials can be stolen.

    I think what it really comes down to is don't install keyloggers in the first place. On a side note this is why I'm a fan of outbound application firewall restrictions.
     
  23. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    Linux = locally induced, running the keylogger script locally, so ?
     
  24. So a browser exploit (or IM, or whatever) could install it, just like in Windows. The only reason you haven't seen it happen is the limited user base.
     
  25. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,137
    But isn't the server space that's dominated by Linux more prone to hack attacks? So in a sense, the limited user base theory doesn't really apply.
     