By Bri Hatch.
Summary: Abusing X11 for fun and passwords.
Last time we looked at how you can get access to an X11 server, the desktop
software you are using when you're running graphical environments like
Gnome or KDE. When you have access to the X11 server, you can do
some remarkable things.
As an example, I previously showed you how to open an xterm on the users screen to leave
them a message. Rather than use an xterm, it's much easier to use
xmessage[1], which will pop up a window and can even
have programmable buttons.
So, using xmessage as our target program, let's recap. First, log
into the victim's desktop, become root, and set
up your environment to access his X11 server:
home$ ssh victim_desktop
victim$ sudo /bin/ksh
victim\# XAUTHORITY=/home/fernando/.Xauthority
victim\# export XAUTHORITY
victim\# DISPLAY=:0
victim\# export DISPLAY
At this point, you have access to the server and can do anything, for example
running xmessage:
victim\# xmessage "Hey, Fernando, don't forget to walk the dog."
You won't see anything of course - the window went on Fernando's screen.
Ok, so you can plop up some windows, big deal, right? What fun is that? Here are some other fun things you could do:
xsetbg filename- Don't like the desktop background? Change it easily with
xsetbg. Can have a particularly disastrous effect on a machine at work depending on the content you choose. - xlsclients -l
- Provides you a list of all X11 clients that are running on the machine. The output includes the
window id that you'll need for some commands below.
# xlsclients -l Window 0x180000d: Command: /usr/X11R6/bin/kterm Instance/Class: kterm/KTerm Window 0x1200001: Name: MozillaFirefox-bin Command: /usr/lib/mozilla-firebird/MozillaFirefox-bin Instance/Class: MozillaFirefox-bin/MozillaFirefox-bin Window 0x2d0000d: Name: xine Icon Name: kterm Command: /usr/bin/xine Instance/Class: xine/Xine - xwininfo -id windowid
- Display verbose information about existing window, such as the title name, size, location, etc. This gives
you more information for finding the window you're interested in for any of the other commands below that use
windowids.
- xkill -id windowid
- A quick and efficient way to kill X11 windows. Purely a malicious activity.
- xwd
xwdis an X window dumper - it dumps a screen shot of any window you request, or the whole screen. When used interactively, it will let you move the mouse and click on the window in which you're interested. If you want a specific window, you can specify it withxwd -id windowid, or you can choose the root window withxwd -root. To be surreptitious, you probably want to use-silentas well, to keep it from ringing the bell.So, the following would give you a screen shot of the entire desktop, and convert it to a .png file for viewing on your machine:
# xwd -root -silent - | convert - fernando.png- xev -id windowid
- xev can attach to an existing window and show you all X11 events that occur. Great for seeing in which windows the user is active. Since keypresses are events, you can see everything they type, though it's not the cleanest way, we'll see better options later.
- xkey
- This one is not a part of your standard X11 distribution, however you can easily find the source code via google. Xkey will watch for X11 keyboard events and prints the characters to the screen - a great way for sniffing the keyboard for passwords, as seen here:
# xkey s -la cd <<Shift_R>>~ convert /tmp/rack.jpg network-rack.png scp network-rack.png isp.example.net<<Shift_R>>: d<<Shift_R>>@r<<Shift_L>>Pane<<Shift_L>>T ssh isp.example.net d<<Shift_R>>@r<<Shift_L>>Pane<<Shift_L>>T mutt -a network-rack.pngIn the output above, you get to see in gory detail exactly what the user is typing -- not only do you get to see that the password for the account at isp.example.net is
d@rPaneT,[2] but you can see exactly which shift keys (left or right) were used in the attempt.- x2x
- Using
x2x, you can connect your mouse and keyboard to their display. You can use this to either play games by moving their mouse around, or more maliciously you can use this to send input to their windows.[3] For example, usexevto determine they're not doing anything, and then start typing in their shell. Start up anetcatdaemon in listen mode, connect to their machine on that port and have straight shell access to their account. Anything's possible.- x0rfbserver
- Want full blown access to the X11 server? Run an
x0rfbserveron their display and you can connect to it with a vnc client to have complete control of their desktop. Valid for helping folks out remotely, but deadly when done maliciously.
Hopefully this gives you a good idea why it's so very bad to allow access to your X11 server.
Next time I'll address how you can keep your X11 server safe, and how your X11 server may not be safe even if your desktop is completely locked down; even if no one has access -- much less root access -- to it.
NOTES:
[1] I have slapped myself appropriately for having forgotten the proper tool and announcing my ignorance to the world. Thanks to the dozen people who reminded me what I was looking for, you're clearly on the ball more than I.
[2] You need to ignore the <<Shift_>> entries in the output - you can prevent them from being displayed by editing the xkey.c source code
[3] If you aren't in a window, you can move your mouse (on their screen) around until you are --
you can see which window is active by using xdpyinfo | grep focus.
Bri Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs. He looks back on his college days of playing xtank at 3am and wonders "Did anyone steal my passwords when we all ran 'xhost +' " ? Bri can be reached at bri@hackinglinuxexposed.com.
Copyright Bri Hatch, 2004
This is the June 08, 2004 issue of the Linux Security: Tips, Tricks, and Hackery newsletter. If you wish to subscribe, visit http://lists.onsight.com/ or send email to Linux_Security-request@lists.onsight.com.