Hacking Linux Exposed





previous article
next article
The ease of (ab)using X11, Part 2
By Bri Hatch.

Summary: Abusing X11 for fun and passwords.

Last time we looked at how you can get access to an X11 server, the desktop software you are using when you're running graphical environments like Gnome or KDE. When you have access to the X11 server, you can do some remarkable things. As an example, I previously showed you how to open an xterm on the users screen to leave them a message. Rather than use an xterm, it's much easier to use xmessage[1], which will pop up a window and can even have programmable buttons.

So, using xmessage as our target program, let's recap. First, log into the victim's desktop, become root, and set up your environment to access his X11 server:

    home$ ssh victim_desktop
    victim$ sudo /bin/ksh
    victim\# XAUTHORITY=/home/fernando/.Xauthority
    victim\# export XAUTHORITY
    victim\# DISPLAY=:0
    victim\# export DISPLAY

At this point, you have access to the server and can do anything, for example running xmessage:

    victim\# xmessage "Hey, Fernando, don't forget to walk the dog."

You won't see anything of course - the window went on Fernando's screen.

Ok, so you can plop up some windows, big deal, right? What fun is that? Here are some other fun things you could do:

xsetbg filename
Don't like the desktop background? Change it easily with xsetbg. Can have a particularly disastrous effect on a machine at work depending on the content you choose.

xlsclients -l
Provides you a list of all X11 clients that are running on the machine. The output includes the window id that you'll need for some commands below.

    # xlsclients -l
    Window 0x180000d:
      Command:  /usr/X11R6/bin/kterm
      Instance/Class:  kterm/KTerm
    Window 0x1200001:
      Name:  MozillaFirefox-bin
      Command:  /usr/lib/mozilla-firebird/MozillaFirefox-bin
      Instance/Class:  MozillaFirefox-bin/MozillaFirefox-bin
    Window 0x2d0000d:
      Name:  xine
      Icon Name:  kterm
      Command:  /usr/bin/xine
      Instance/Class:  xine/Xine

xwininfo -id windowid
Display verbose information about existing window, such as the title name, size, location, etc. This gives you more information for finding the window you're interested in for any of the other commands below that use windowids.

xkill -id windowid
A quick and efficient way to kill X11 windows. Purely a malicious activity.

xwd is an X window dumper - it dumps a screen shot of any window you request, or the whole screen. When used interactively, it will let you move the mouse and click on the window in which you're interested. If you want a specific window, you can specify it with xwd -id windowid, or you can choose the root window with xwd -root. To be surreptitious, you probably want to use -silent as well, to keep it from ringing the bell.

So, the following would give you a screen shot of the entire desktop, and convert it to a .png file for viewing on your machine:

    # xwd -root -silent - | convert - fernando.png

xev -id windowid
xev can attach to an existing window and show you all X11 events that occur. Great for seeing in which windows the user is active. Since keypresses are events, you can see everything they type, though it's not the cleanest way, we'll see better options later.

This one is not a part of your standard X11 distribution, however you can easily find the source code via google. Xkey will watch for X11 keyboard events and prints the characters to the screen - a great way for sniffing the keyboard for passwords, as seen here:

    # xkey
    s -la
    cd <<Shift_R>>~
    convert /tmp/rack.jpg network-rack.png
    scp network-rack.png isp.example.net<<Shift_R>>:
    ssh isp.example.net
    mutt -a network-rack.png

In the output above, you get to see in gory detail exactly what the user is typing -- not only do you get to see that the password for the account at isp.example.net is d@rPaneT,[2] but you can see exactly which shift keys (left or right) were used in the attempt.

Using x2x, you can connect your mouse and keyboard to their display. You can use this to either play games by moving their mouse around, or more maliciously you can use this to send input to their windows.[3] For example, use xev to determine they're not doing anything, and then start typing in their shell. Start up a netcat daemon in listen mode, connect to their machine on that port and have straight shell access to their account. Anything's possible.

Want full blown access to the X11 server? Run an x0rfbserver on their display and you can connect to it with a vnc client to have complete control of their desktop. Valid for helping folks out remotely, but deadly when done maliciously.

Hopefully this gives you a good idea why it's so very bad to allow access to your X11 server.

Next time I'll address how you can keep your X11 server safe, and how your X11 server may not be safe even if your desktop is completely locked down; even if no one has access -- much less root access -- to it.


[1] I have slapped myself appropriately for having forgotten the proper tool and announcing my ignorance to the world. Thanks to the dozen people who reminded me what I was looking for, you're clearly on the ball more than I.

[2] You need to ignore the <<Shift_>> entries in the output - you can prevent them from being displayed by editing the xkey.c source code

[3] If you aren't in a window, you can move your mouse (on their screen) around until you are -- you can see which window is active by using xdpyinfo | grep focus.

Bri Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs. He looks back on his college days of playing xtank at 3am and wonders "Did anyone steal my passwords when we all ran 'xhost +' " ? Bri can be reached at bri@hackinglinuxexposed.com.

Copyright Bri Hatch, 2004

This is the June 08, 2004 issue of the Linux Security: Tips, Tricks, and Hackery newsletter. If you wish to subscribe, visit http://lists.onsight.com/ or send email to Linux_Security-request@lists.onsight.com.