This is a query based on personal use. A troll in our local network had downloaded Crikey, the key-event simulator. He used it to simulate events on other computers, leading to unwanted things. For example, a person was playing the popular FPS Urban Terror. The attacker used Crikey to change the player's nickname (`/nick trollface`). As best as we understand, the attacker ssh'd into our computers, and then switched X windows somehow, and mimicked our events. I was wondering whether someone knew how he switched X Windows and did this.

2 Answers
This is not supposed to be possible; either you are running a vulnerable version of some software or you have misconfigured something.
Under normal configurations, connecting to an X server requires a sort of password called “X cookie”. The cookie is randomly generated when the X server starts and stored in a file. Normally, only the user who started the X server can read this file, and so other users cannot obtain the cookie. For a detailed explanation of how to access an X display when the location of the cookie isn't immediately apparent, such as when accessing the display of a remote machine over an SSH connection, see Open a window on a remote X display (why "Cannot open display")? See also Is there a way to communicate with someone at their desktop? and Can I launch a graphical program on another user's desktop as root? regarding accessing another user's X display.
Note that Crikey is not at fault here. Crikey is not an attack program in any way. Essentially, Crikey writes to a file, and it's not Crikey's fault if that file does not have sufficiently restrictive permissions.
Possible avenues of attacks include:
- X cookies stored in a file with insufficiently restricted permissions. Check the permissions of `~/.Xauthority` or `$XAUTHORITY`; if this file is readable by anyone but the owner, something is misconfigured.
- X cookies transmitted in clear text over the network. Use SSH.
- X cookies available in clear text because they are stored on an NFS filesystem that anyone with physical access to the network can mount. Don't use NFS (at least not this way) if you don't trust all users with root access to a machine on the network.
- The targeted user ran `xhost +`. Don't do that.

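A check for two of the misconfigurations listed in the answer above (a cookie file readable beyond its owner, and `xhost +`), as an added example that is not part of the original answer. The function names are this example's own, and the strings matched are the status lines the standard `xhost` client prints.

```shell
# Added example: audit an X session for a world-readable cookie file
# and for disabled host access control.

# Return 0 if the cookie file grants nothing to group or other,
# 1 if it does, 2 if the file does not exist.
xauth_file_private() {
    f=$1
    [ -f "$f" ] || return 2
    # In `ls -l` output, characters 5-10 are the group and other bits.
    bits=$(ls -ld -- "$f" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Read `xhost` output on stdin; return 0 if access control is off,
# which is the state `xhost +` leaves behind.
xhost_wide_open() {
    grep -q '^access control disabled'
}

# Run both checks for the current session; return 1 on any finding.
audit_x_display() {
    cookie=${XAUTHORITY:-$HOME/.Xauthority}
    status=0
    rc=0
    xauth_file_private "$cookie" || rc=$?
    case $rc in
        0) echo "OK   $cookie is private to its owner" ;;
        2) echo "NOTE $cookie not found" ;;
        *) echo "FAIL $cookie is accessible to group/other; fix: chmod 600 $cookie"
           status=1 ;;
    esac
    # Only query the server when a display is set and xhost is installed.
    if [ -n "${DISPLAY:-}" ] && command -v xhost >/dev/null 2>&1; then
        if xhost 2>/dev/null | xhost_wide_open; then
            echo "FAIL access control disabled on $DISPLAY; fix: xhost -"
            status=1
        else
            echo "OK   access control enabled on $DISPLAY"
        fi
    fi
    return $status
}
```

Source the file and call `audit_x_display` from inside the X session being checked, since it relies on that session's `DISPLAY` and `XAUTHORITY`.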
Putty x-terminal emulation. Any local machine running an Xterminal server can become a console display for any remote system. Xterminal was the original thin client. Everything runs on the remote box and is a client for display functions that run on your local machine's X server.
Another X server you could use is Xming

`xhost +` ::sigh:: I used to keep `xroach` around just to torment anyone who did that on a machine I supervised. They'd say "My computer has bugs!" and I'd say "That's strange. Did you give anyone else access rights?" as innocently as I could manage. – dmckee --- ex-moderator kitten Dec 08 '11 at 14:35