Friday, October 28, 2011

Crash Course in X Windows Security part 2

Hello guys... yesterday I started this small piece on X Windows security... this is part 2.



5. Snooping techniques - reading keyboard

If you can connect to a display, you can also log and store every
keystroke that passes through the X server. A program circulating the
net, called xkey, does this trick. It is a kind of higher-level version
of the infamous ttysnoop.c. I wrote my own, which could read the
keystrokes of a specific window ID (not just every keystroke, as my
version of xkey).  The window IDs under a specific root window can be
acquired with a call to XQueryTree(), which will return the
XWindowAttributes of every window present. The window manager must be
able to control every window ID and know what keys are pressed down at
what time.  Using the window-manager functions of Xlib, KeyPress events
can be captured, and KeySyms can be turned into characters by
continuous calls to XLookupString().

You can even send KeySyms to a window. An intruder may therefore not
only snoop on your activity, he can also send keyboard events to
processes, as if they were typed on the keyboard.  Reading and writing
keyboard events to an xterm window opens new horizons in remote
process manipulation. Luckily, xterm has good protection techniques
for prohibiting access to the keyboard events.


6. Xterm - Secure keyboard option

A lot of passwords are typed in an xterm window. It is therefore
crucial that the user has full control over which processes can read
and write to an xterm.  The permission for the X server to send events
to an xterm window is set at compile time. The default is false,
meaning that all SendEvent requests from the X server to an xterm
window are discarded. You can override the compile-time setting with a
standard resource definition in the .Xdefaults file:

xterm*allowSendEvents:    True



or by selecting Allow SendEvents on the xterm Main Options
menu (accessed by pressing CTRL and the left mouse button). But this is
_not_ recommended, neither by me nor by the man page. ;) Read access is
a different thing.
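
A defensive check for the setting described above, as an added example that is not part of the original article: this Python function scans X resource text (for instance the contents of .Xdefaults or the output of xrdb -query) for lines that turn allowSendEvents on for xterm. The function name and the sample resource lines are constructed for illustration, and the set of true values assumes the usual Xt boolean spellings.

```python
import re

# Strings the Xt String-to-Boolean converter treats as true (case-insensitive).
TRUTHY = {"true", "yes", "on", "1"}

# Constructed sample resource text; not taken from any real system.
SAMPLE = """\
! personal X resources (constructed sample)
xterm*allowSendEvents: True
XTerm.vt100.allowSendEvents:   on
*allowSendEvents: false
! xterm*allowSendEvents: True
xterm*allowSendEvents    True
emacs*allowSendEvents: true
XTerm*scrollBar: true
"""

def find_allow_send_events(text):
    """Return (line_number, line) for every resource line that enables
    allowSendEvents for xterm, by instance name, class name or wildcard."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("!", "#")):  # comment or cpp directive
            continue
        key, sep, value = line.partition(":")
        if not sep:  # no ':' separator, so this checker skips the line
            continue
        # Split the resource name on its tight (.) and loose (*) bindings.
        parts = [p for p in re.split(r"[.*]", key.strip()) if p]
        if not parts or parts[-1] not in ("allowSendEvents", "AllowSendEvents"):
            continue
        # The spec can reach xterm if it starts with a wildcard binding or
        # names xterm / XTerm (or the '?' wildcard) as its first component.
        applies = key.lstrip().startswith("*") or parts[0] in ("xterm", "XTerm", "?")
        if applies and value.strip().lower() in TRUTHY:
            hits.append((n, line))
    return hits

if __name__ == "__main__":
    for n, line in find_allow_send_events(SAMPLE):
        print(f"line {n}: SendEvent input enabled for xterm: {line}")
```
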

Xterm's mechanism for preventing other X clients from reading the
keyboard while sensitive data (passwords etc.) is being entered is the
XGrabKeyboard() call. Only one process can grab the keyboard at any
one time. To activate the Secure Keyboard option, choose the Main
Options menu in your xterm window (CTRL+Left mouse button) and select
Secure Keyboard.  If the colors of your xterm window invert, the
keyboard is now grabbed, and no other X client can read the KeySyms.

The versions of xterm in X11R5 without patch26 also contain a rather
nasty and very well known security hole that enables any user to
become root through clever use of symbolic links to the password
file. The xterm process needs to be setuid for this hole to be
exploitable.  Refer to the CERT Advisory:
CA-93:17.xterm.logging.vulnerability.

...the concluding part of this article is coming soon....
