This article is by
runeb / cF --- runeb@stud.cs.uit.no --- http://www.cs.uit.no/~runeb
For those who don't know much about the X Window System, a detailed description can be found on Wikipedia.
Contents
1. Motivation / introduction
2. How open X displays are found
3. The local-host problem
4. Snooping techniques - dumping windows
5. Snooping techniques - reading keyboard
6. Xterm - secure keyboard option
7. Trojan X programs [xlock and xdm]
8. X Security tools - xauth MIT-MAGIC-COOKIE
9. Concluding remarks
1. Motivation / introduction
X windows pose a security risk. Through a network, anyone can connect
to an open X display, read the keyboard, dump the screen and windows
and start applications on the unprotected display. Even if this is a
known fact throughout the computer security world, few attempts at
informing the user community of the security risks involved have been
made. This article deals with some of the aspects of X windows
security. It is in no sense a complete guide to the subject, but
rather an introduction to a not-so-well-known field of computer
security. Knowledge of the basics of the X windows system is
necessary; I haven't bothered including an introductory section to
explain the fundamentals. I wrote some code during the research for
this article, but none of it is included herein. If the lingual flow
of English seems mayhap strange and erroneous from byte to byte, this
is due to the fact that I'm Scandinavian. Bear with it. :)
2. How open X displays are found
An open X display is, in formal terms, an X server that has its access
control disabled. Disabling access control is normally done with the
xhost command.
$ xhost +
allows connections from any host. A single host can be allowed to
connect with the command
$ xhost + ZZZ.ZZZ.ZZZ.ZZZ
where ZZZ.ZZZ.ZZZ.ZZZ is the IP address or hostname. Access control can
be enabled by issuing an
$ xhost -
command. In this case no host but the local host can connect to the
display. Period. It is as simple as that: if the display runs in
'xhost -' state, you are safe from programs that scan for and attach to
unprotected X displays. You can check the access control of your
display by simply typing xhost from a shell. Sadly enough, most sites
run their X displays with access control disabled by default. They are
therefore easy prey for the various scanner programs circulating on
the net.
Anyone with a bit of knowledge about Xlib and sockets programming can
write an X scanner in a couple of hours. The task is normally
accomplished by probing the port that is reserved for X windows,
number 6000. If anything is alive at that port, the scanner calls
XOpenDisplay("IP-ADDRESS:0.0"), which returns a pointer to the
display structure if and only if the target display has its access
control disabled. If access control is enabled, XOpenDisplay returns 0
and reports that the display could not be opened, e.g.:
Xlib: connection to "display:0.0" refused by server
Xlib: Client is not authorized to connect to Server
The probing of port 6000 is necessary because of the fact that calling
XOpenDisplay() on a host that runs