Re: X-windows security in Gnome
- From: Brian Cameron <Brian Cameron sun com>
- To: Brian Cameron sun com, jwz jwz org
- Cc: otaylor redhat com, gnome-hackers gnome org
- Subject: Re: X-windows security in Gnome
- Date: Fri, 17 May 2002 12:42:47 +0100 (BST)
Jamie:
> > Without this degree of security, a person can step over to your
> > machine sometime you have forgotten to lock it, and start a process
> > that sniffs keyboard entry a la "xspy" and logs your keyboard entry
> > to a file.
>
> If someone can download and run arbitrary programs as me, the battle is
> already lost. They could just as easily muck with my init scripts and
> $PATH to run trojanized versions of, e.g., xscreensaver or su or ssh
> that simply pipe my passwords into /bin/Mail.

Fortunately for the hacker, there is no need for them to get access to
install a trojan xscreensaver, or involve themselves with time-consuming
mucking with your PATH and/or init scripts. By just getting you to run
an xspy program with logging (a 14K binary), they have hacked you. The
xspy program could be easily modified to only log what is typed into
xscreensaver or some other program which takes password entry. This
would keep the logfile small, and make it easier to figure out what
plaintext is your password.

To do this hack, the only permission needed is to be able to set up an
"ls" (or similar) trojan in /tmp. The trojan could perform a real "ls"
operation so you didn't notice that you ran a trojan, delete itself, and
then sit in the background logging your password to /tmp the next time
you run xscreensaver, and exit. Since this trojan isn't very intrusive,
and requires no special permissions, it would be difficult to detect.
After getting your password, they could set up future trojans while
using your userid.

A trojan wouldn't even be necessary. A hacker could embed the hack
into some "cool" program, and then tell others on the network to
try it out, or send it around as an email attachment. You run the
program, then turn on xscreensaver, and your password is conveniently
logged for the hacker. I'm sure there are countless ways to trick
somebody into running a program. Not many people realize that the
password they enter into xscreensaver is easily accessible to *all*
other programs run by the user at the same time. You would need
quite a bit of trust to feel confident that every time you run
xscreensaver that you do not have a program that could be compromised
running at the same time.

I can't think of an easier way to get another user's password or other
sensitive information. You don't need root permission, you just need
to get the user to run a program that is compromised.
Brian
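
A defensive check for the "ls" trojan in /tmp scenario described in the message above, as an added example that is not part of the original e-mail: the function `shadow_risk` (a hypothetical name) lists the PATH entries that are searched before the real command and in which someone else could place a look-alike. It assumes the trojan is reached through a current-directory, relative or world-writable PATH entry, which the message does not spell out.

```shell
#!/bin/sh
# Added example (not from the original message). Names are hypothetical.
#
# shadow_risk CMD PATHSTRING
# Walk PATHSTRING in search order and print every entry, ahead of the first
# non-world-writable directory that holds CMD, where a look-alike CMD could
# be planted: an empty entry (current directory), a relative entry, or a
# world-writable directory such as /tmp.
shadow_risk() {
    _cmd=$1
    _rest="$2:"                 # trailing ':' so the last entry is processed
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}       # next entry
        _rest=${_rest#*:}       # remainder of the search path
        case $_dir in
            '') echo "cwd-entry"; continue ;;       # '' means "current directory"
            /*) ;;                                  # absolute: inspect below
            *)  echo "relative:$_dir"; continue ;;  # depends on where you stand
        esac
        [ -d "$_dir" ] || continue
        # Mode string from ls: character 9 is the "other users may write" bit.
        # -L follows symlinks so the target directory's mode is examined.
        case $(ls -ldL -- "$_dir") in
            ????????w*) echo "world-writable:$_dir"; continue ;;
        esac
        # CMD found in a directory that is not world-writable: entries after
        # this one are never searched for CMD, so stop here.
        if [ -x "$_dir/$_cmd" ]; then
            return 0
        fi
    done
}

# Audit the current shell's search path for the command named in the message.
shadow_risk ls "$PATH"
```

No output means no such entry precedes the real `ls`; the check does not cover group-writable directories or directories owned by another user.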