By Bri Hatch.
Summary: X11 is the protocol that underlies your graphical desktop environment, and you need to be aware of its security model.
A friend of mine decided to finally get a computer recently. He's one of those people who is very bright, he just didn't have the need for one before. Being a very intelligent and worldly guy, he naturally wanted a Linux box.
After a few months of hardware problems we installed Knoppix to the hard drive. Knoppix is a bootable CD distribution based on Debian and has the best hardware auto configuration out there. Plus, it's based on Debian, a huge plus in my book.
After getting everything set up for him, configuring Mozilla, twiddling his desktop, etc, he took it home. Naturally, being a new user, some mistakes were made, and the technical support desk (read: me) was called in.
So here's the first problem: they turn their computer off at night, making it much harder for me to troubleshoot it at 3am. I wanted a quick way to leave them a note to tell them I'm planning on working on it that evening. Since email was the thing that was broken, I didn't want to send email, and I didn't want to wake up their kid by calling.
Seemed the easiest thing to do would be to just plop a message up on their screen. Here's where we get into the X11 security model. X11 is the engine of whatever graphical user environment you have. For example metacity, kwm, fvwm, IceWM, fluxbox, sawfish, are all window managers that live on top of X11, and help decide what the boarders of windows look like, how they're iconified, and the like. Your applications, like Mozilla, terminals, the Gimp, are all X11 applications - they create windows and get input from user keys and mouse movements by interacting with the underlying X11 library routines.
The X11 server has an amazingly simplistic and abusable security model. In modern installations, there are only two things you need to know to be able to connect to the X11 server:
So remember, the goal is to put something on his screen, even though
I'm sitting across the city connected via SSH. After logging in and
becoming root (I'll need that later), let's set my DISPLAY variable. Using
# DISPLAY=:0 # export DISPLAY
Now I need to get access to his magic cookies. Since I'm root, I can read
all files on the filesystem, so I just need to let the underlying X11 calls
know where "my"
# xauth list xauth: creating new authority file /root/.Xauthority # XAUTHORITY=/home/fernando/.Xauthority # export XAUTHORITY # xauth list dingo/unix:10 MIT-MAGIC-COOKIE-1 566e1128ce92a0126587cf30f4e19815 dingo/unix:0 MIT-MAGIC-COOKIE-1 d506c80eb23511a2c28ce9242810c132 dingo:0 MIT-MAGIC-COOKIE-1 d506c80eb23511a2c28ce9242810c132
I should now have access to his X11 server. Indeed, if I run
Here's my terribly boring shell script.
# cat shownote #!/bin/sh if [ "$#" -gt "2" ] ; then echo "Usage: $0 filename" >&2 exit 1 fi if [ -z "$2" ] ; then nohup xterm -e $0 $1 blah >/dev/null 2>&1 & exit; fi if [ -z "$1" ] ; then echo "Usage: $0 filename" >&2 exit 1 fi cat $1 sleep +1d # shownote /tmp/dont_turn_machine_off.txt &
It takes a filename, and then opens an
The key here is that I should not be allowed to show things on his X11 server -- if I can, I can do other nastier things. Next time, we'll see some of the more interesting things that are possible. If you have favourites in your arsenal, let me know and I'll try to include them!
 To some of us, having a computer is a need, just like breathing. Sometimes breathing is run at a higher nice(1)ness level, for that matter.
 Damned be to Microtel!
 You didn't think I was going to just ramble on the whole time, did you?
Bri Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs. He looks back on his college days of playing xtank at 3am and wonders "Did anyone steal my passwords when we all ran 'xhost +' " ? Bri can be reached at firstname.lastname@example.org.
Copyright Bri Hatch, 2004
This is the May 13, 2004 issue of the Linux Security: Tips, Tricks, and Hackery newsletter. If you wish to subscribe, visit http://lists.onsight.com/ or send email to Linux_Securityemail@example.com.