X-Windows Security 1. Motivation / introduction 2. How open X displays are found 3. The local-host problem 4. Snooping techniques - dumping windows 5. Snooping techniques - reading keyboard 6. Xterm - secure keyboard option 7. Trojan X programs [xlock and xdm] 8. X Security tools - xauth MIT-MAGIC-COOKIE 9. Concluding remarks -------- ----- ------ -------- ----- ------ --------- 1. Motivation / introduction X windows pose a security risk. Through a network, anyone can connect to an open X display, read the keyboard, dump the screen and windows and start applications on the unprotected display. Even 14514h722o if this is a known fact throughout the computer security world, few attempts on informing the user community of the security risks involved have been made. This article deals with some of the aspects of X windows security. It is in no sense a complete guide to the subject, but rather an introduction to a not-so-known field of computer security. Knowledge of the basics of the X windows system is necessary, I haven't bothered including an introductory section to explain the fundamentals. I wrote some code during the research for this article, but none of it is included herein. If the lingual flow of English seem mayhap strange and erroneous from byte to byte, this is due to the fact that I'm Scandinavian. Bare with it. :) 2. How open X displays are found An open X display is in formal terms an X server that has its access control disabled. Disabling access control is normally done with the xhost command. $ xhost + allows connections from any host. A single host can be allowed connection with the command $ xhost + ZZZ.ZZZ.ZZZ.ZZZ where Z is the IP address or host-name. Access control can be enabled by issuing an $ xhost - command. In this case no host but the local-host can connect to the display. Period. It is as simple as that - if the display runs in 'xhost -' state, you are safe from programs that scans and attaches to unprotected X displays. You can check the access control of your display by simply typing xhost from a shell. Sadly enough, most sites run their X displays with access control disabled as default. They are therefore easy prey for the various scanner programs circulating on the net. Anyone with a bit of knowledge about Xlib and sockets programming can write an X scanner in a couple of hours. The task is normally accomplished by probing the port that is reserved for X windows, number 6000. If anything is alive at that port, the scanner calls XOpenDisplay("IP-ADDRESS:0.0") that will return a pointer to the display structure, if and only if the target display has its access control disabled. If access control is enabled, XOpenDisplay returns 0 and reports that the display could not be opened. E.g: Xlib: connection to "display:0.0" refused by server Xlib: Client is not authorized to connect to Server The probing of port 6000 is necessary because of the fact that calling XOpenDisplay() on a host that runs no X server will simply hang the calling process. So much for unix programming conventions. :) I wrote a program called xscan that could scan an entire subnet or scan the entries in /etc/hosts for open X displays. My remark about most sites running X displays with access control disabled, originates from running xscan towards several sites on the internet. 3. The localhost problem Running your display with access control enabled by using 'xhost -' will guard you from XOpenDisplay attempts through port number 6000. But there is one way an eavesdropper can bypass this protection. If he can log into your host, he can connect to the display of the localhost. The trick is fairly simple. By issuing these few lines, dumping the screen of the host 'target' is accomplished: $ rlogin target $ xwd -root -display localhost:0.0 ~/snarfed.xwd $ exit $ xwud -in ~/snarfed.xwd And voila, we have a screendump of the root window of the X server target. Of course, an intruder must have an account on your system and be able to log into the host where the specific X server runs. On sites with a lot of X terminals, this means that no X display is safe from those with access. If you can run a process on a host, you can connect to (any of) its X displays. Every Xlib routine has the Display structure as it's first argument. By successfully opening a display, you can manipulate it with every Xlib call available. For an intruder, the most 'important' ways of manipulating is grabbing windows and keystrokes. 4. Snooping techniques - dumping windows The most natural way of snarfing a window f
|
