Linux XServer Security

Discussion in 'all things UNIX' started by wearetheborg, Aug 30, 2010.

Thread Status:
Not open for further replies.
  1. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Based on the discussion towards the end of
    https://www.wilderssecurity.com/showthread.php?t=280685

    From http://plash.beasts.org/wiki/X11Security

    What's a realistic defense strategy?

    One thing is to not enter the root password on any desktop application (including xterm).

    Suppose I also want to protect the data in my home directory. If I open xterm in the same X session as, say, Firefox or a compromised PDF, then I am screwed? As the malware can send keystrokes to xterm?

    Can JavaScript anyway screw me? I.e. run downloaded malware files?

    What is the solution? Run multiple x-servers at the same time (can be done)? Use xserver-less consoles (CTRL+ALT+F2)?

    EDIT: See https://www.wilderssecurity.com/showpost.php?p=1740061&postcount=21 for how easy it is for keyloggers to work :(
     
    Last edited: Sep 1, 2010
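The last question in the post above asks whether running a second X server is a workable defense. The script below is an added example of that arrangement; it is not code from this thread or from any poster. It starts the untrusted program inside its own nested Xephyr server with a fresh MIT-MAGIC-COOKIE-1 auth file, so the program's X connection goes to the nested server rather than to the session where you type. It assumes Xephyr and xauth are installed (Debian/Ubuntu packages xserver-xephyr and xauth); the optional RUN_AS variable, the display-socket directory path and the 1024x768 screen size are choices made for this example.

```shell
#!/bin/sh
# xnest-run.sh: run an untrusted X application inside its own nested Xephyr
# server so it shares no X connection with the main session.  Added example
# for this thread, not code from any poster.  Assumes Xephyr and xauth are
# installed.  If RUN_AS names another local account (and sudo allows running
# programs as it), the application is started as that user, which is what
# actually keeps it away from the main display's ~/.Xauthority cookie.
set -eu

X11_SOCKET_DIR=/tmp/.X11-unix   # where X servers create their Unix sockets

# find_free_display DIR: print the lowest N >= 1 for which DIR/XN does not
# exist, i.e. a display number no running X server is using.
find_free_display() {
    dir=$1
    n=1
    while [ -e "$dir/X$n" ]; do
        n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# new_cookie: print 16 random bytes as 32 hex digits, the MIT-MAGIC-COOKIE-1
# format xauth expects (the same thing mcookie(1) would produce).
new_cookie() {
    dd if=/dev/urandom bs=16 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# write_authfile FILE DISPLAYNUM COOKIE: create a mode-600 xauth file that
# authorises only holders of this cookie to connect to the nested display.
write_authfile() {
    file=$1 disp=$2 cookie=$3
    : > "$file"
    chmod 600 "$file"
    xauth -f "$file" add ":$disp" MIT-MAGIC-COOKIE-1 "$cookie"
}

# wait_for_socket DIR DISPLAYNUM: poll up to ~5 s for the server's socket.
wait_for_socket() {
    i=0
    while [ ! -S "$1/X$2" ]; do
        i=$((i + 1))
        [ "$i" -lt 50 ] || { echo "Xephyr :$2 did not come up" >&2; return 1; }
        sleep 0.1
    done
}

# run_nested PROGRAM [ARGS...]: launch Xephyr on a free display with its own
# auth file, run PROGRAM against that display, and tear the server down after.
run_nested() {
    disp=$(find_free_display "$X11_SOCKET_DIR")
    authfile=$(mktemp)
    write_authfile "$authfile" "$disp" "$(new_cookie)"

    # -auth: only clients presenting the cookie may connect
    # -nolisten tcp: Unix socket only, no network listener
    Xephyr ":$disp" -auth "$authfile" -screen 1024x768 -br -nolisten tcp &
    xephyr_pid=$!
    trap 'kill "$xephyr_pid" 2>/dev/null; rm -f "$authfile"' EXIT INT TERM

    wait_for_socket "$X11_SOCKET_DIR" "$disp"

    if [ -n "${RUN_AS:-}" ]; then
        # Hand the cookie to the separate account; it has no cookie for the
        # real display, so the nested server is the only one it can reach.
        sudo chown "$RUN_AS" "$authfile"
        sudo -u "$RUN_AS" -H env DISPLAY=":$disp" XAUTHORITY="$authfile" "$@"
    else
        DISPLAY=":$disp" XAUTHORITY="$authfile" "$@"
    fi
}

if [ "$#" -gt 0 ]; then
    run_nested "$@"      # e.g. ./xnest-run.sh firefox
fi
```

Two caveats follow directly from the thread's own point. First, run without RUN_AS, the program is still your user: it can read ~/.Xauthority and open the real display itself, so the nested server only separates code that does not go looking. Second, inside the nested display the same X design applies, so anything you type into windows there is visible to every client of that nested server; passwords still belong at a text console (CTRL+ALT+F2), which no X server sees.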
  2. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I issued a challenge on the Ubuntu forums for someone to write a userspace keylogger for Linux/Xorg that does not take root access to install itself. A lot of people responded saying how easy it is, yet not one of them provided even a single line of code. I am not saying it cannot be done, but it certainly is not trivial.
     
  3. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    There's your problem right there.
     
  4. katio

    katio Guest

  5. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667

    That is disturbing....

    If I do CTRL+ALT+F2 to get to a console, then the keystrokes cannot be intercepted by the running X-Servers right?
     
  6. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    This discussion is now way out of my realm of Linux knowledge as I am just an average home user, but I have a question.
    Some time ago, under the guidance of Mrk., I did a strace diff to see whether the system calls of the keyboard and the Ubuntu onscreen keyboard differ. They do differ, so I am wondering whether using keyboard and onscreen keyboard (onBoard) alternately when entering passwords would provide an extra 'dollop' of security? Apologies for a novice question. :p
    The thread where I asked about this:- https://www.wilderssecurity.com/showthread.php?t=227666&highlight=strace
     
  7. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    I think now would be a good time to provide a reality check. If your system is clean with no malware active in memory, there's no bogeyman that's going to come out of nowhere and steal all your passwords.
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    I don't see a problem with X server doing what it does. It's supposed to do that.
    Like saying /var/log/messages logs all kinds of things or something. So what?

    Realistic defense strategy against what? Against an OS doing what it is supposed to be doing?

    To answer the question of keylogging: it's 4 minutes of work + root access to hook the right /dev. No magic, just geeky but not so difficult code. Nothing special. Someone installs something as root ... boo. Big deal.

    Mrk
     
  9. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Ugh, I don't want an xwindow which is not in focus to capture keystrokes!!!
     
  10. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667

    Yes, there is on the internet who can visit me on firefox :cautious:
     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    wear, it's really not how you imagine it.
    Mrk
     
  12. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Would you care to elaborate?
     
  13. katio

    katio Guest

    In this thread we are talking about the possibility to log and send keys WITHOUT root access.
    I do have a problem with that if Xserver really breaks all access and privilege separations. I don't know if it does. From the other thread and my links it looks like that's the case which would probably make this xserver design flaw/vulnerability the most promising vector on a hardened system. Still no big deal?

    For example: you have your vulnerable but confined (SELinux, Apparmor, RBAC...) software that processes data that triggers a buffer overflow, the shellcode consists of a simple command that gets sent to all other windows hoping one is a terminal window with root logged in. Do you get root access or not?

    I'm eager to know if this would work (and please don't tell me there is no such Linux malware out there - I don't care, I'm purely interested in the abstract question whether this is insecure by design or not).
     
  14. katio

    katio Guest

    I guess browser/plugin exploits. Pretty common these days (Adobe Flash to name the most notorious).
     
  15. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Correct you are katio ;)

    For those saying there is no such malware currently in existence: Good. But I would like to have a defense strategy in place BEFORE such malware go out in the wild, BEFORE I get hacked.
     
  16. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,518
    Location:
    USA - Back in a real State in time for a real Pres
    :D Well said.
     
  17. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    The first one is for Swedish keyboards, so I don't feel like testing it. The second one is now deleted. And the third link I have seen before. However the author provides no POC, so it's just talk as far as I am concerned.
     
  18. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    And yet the same browser exploit that brought down Mac and Win couldn't bring down Ubuntu in pwn2own.
     
  19. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    TBH, I find you Linux folks to be overly-obsessed with root access. If the claims in the first post are accurate, it sounds like an exploit could do a LOT of damage, with or without root access.

    Personally, at this point, I'd be concerned with preventing the exploit from running at all rather than whether it can get root access or not. Chromium and/or NoScript comes to mind.

    You "don't feel like" testing it?

    No offense, chronomatic, but you seem to be falling into the simple psychological trap of "see no evil, hear no evil". As long as you can find excuses to not acknowledge the existence of an exploit, you hence have nothing to fear from it, regardless of whether it exists or not?
     
    Last edited: Aug 30, 2010
  20. katio

    katio Guest

    I agree. I only used this root exploit theory to show the severity of the issue (to those who still believe it's all about root access). Any open terminal could of course do a lot of damage (delete, upload personal data, steal cookies, encrypt and demand ransom, there are millions of ways to exploit without root).
     
  21. katio

    katio Guest

    Found another one: http://www.stllinux.org/meeting_notes/1997/0619/xkey.html
    This one has a few issues, I had to add
    #include <stdlib.h>
    and it doubles all key presses ("ppaasswwoorrdd"), nothing a bit of bash scripting couldn't fix though.
    I also tested the first "Swedish" POC, runs without issues. Adapting the code for another keymap is a quick fix, the code is self explanatory for everyone who's ever edited config files.

    On Ubuntu you need build-essential and libxt-dev to compile them.

    Both run without root privileges, obviously.

    Next step is to test them with Apparmor and SELinux, any volunteers?

    That's impossible as long as you process "bytes" from untrusted sources. And with bytes I mean everything that consists of zeros and ones, not just JavaScript and Flash; there've been exploits using PNG images for example, or even malformed TCP/IP packets that exploit your network card. You don't have to attack the browser, any application that opens downloaded files is a possible target.
     
    Last edited by a moderator: Aug 31, 2010
  22. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I got it compiled but it cannot find my display. BTW, it was coded in 1997! I'm surprised it runs at all.

    Not compiling here. I have both build-essential and libxt-dev installed.

    I will if I can get either working.

    That's why we have MAC systems like SELinux and AppArmor, etc. They're not perfect, but they can be pretty close.
     
  23. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Worked for me out of the box (note that it has to be compiled as mentioned in the comments)
    Code:
    gcc -o xkey xkey.c -lX11 -lm
    
    It captures (doubles actually) all keystrokes, passwords and all, no matter the window focus :(
    (Thanks Katio, u da man)
    Fortunately, it does not capture keystrokes if I go to the console via CTRL+ALT+F2

    FML:'(
     
  24. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I've got it compiled but it can't find my display. What did you use for your display name?
     
  25. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    nothing....I'm just running it in an xterm window as
    Code:
    ./xkey 
    I think the display option is only important if you've got multiple x-servers running.
     