xwindow keylogger vulnerability

Asked by gpost3

At present, the architecture of XWindow/XServer possesses a software vulnerability that allows a hacker to execute code to trace user keystrokes without the need for root access. Proof of concept:

- Open terminal
- Type 'xinput test 8'
- Press keystrokes in any GUI window and watch the terminal

It is possible to write a C++ binary executable for Linux and simply use the procedure above to capture keystrokes. The key mappings are the same for every QWERTY keyboard. A dynamic cast from (int *) to (char *) can translate the DECIMAL value to its corresponding keystroke in ASCII format.

Solution:
The solution is to write a conditional branch in the XWindow/XServer GUI handler classes/object files to prevent the keyboard interrupt service routine from servicing any application or window other than the focused window. This can be accomplished easily within the current design of XWindow/XServer by using a composite design pattern.

Question information

Language: English
Status: Answered
For: Ubuntu xorg

mycae (mycae) said: #1

This is not a security vulnerability. Imagine if you need to do this, for example, a keyboard overlay utility for screencasting (these exist).

Try running as a *different user* and then doing this experiment (e.g. using gdmflexiserver).

Secret Resistor (secret-resistor) said: #2

There may be legitimate uses for this but I would say that overall it is a security problem for several reasons:

1. A malicious or exploited application running as your normal (but sudo-enabled) user can easily capture your password when you use sudo or when you enter it to unlock the screen. That is IMHO a privilege escalation vulnerability.

2. Similarly, a malicious or exploited application running as your normal user can log banking/credit card information and send it to a malicious party. Some people are trying to say that if such an application gets to execute then all hope is lost, however this does not make sense to me. If you don't save your critical passwords, then such an application cannot obtain them even if it has full access to your files. It can however snoop on the keystrokes.

Note: the problem is not limited to XInput but is rather a problem with XWindows, where if an application is allowed to use the X session it has full control over that session.

Here are some useful links:
Brief discussion of the problem: http://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html
Script that uses the xinput tool to create an actual key logger: http://sh.kirsle.net/keylog2
Code that uses XQueryKeymap to log keystrokes of other applications: http://pastebin.com/sk7FZ6AP
Code that uses XNextEvent to do the same: http://dornea.nu/projects/ixkeylog
Some discussion on the ubuntu forums about this: http://ubuntuforums.org/showthread.php?t=1769484

D (tenswiths) said: #3

Shouldn't this be lodged as a bug, not a question?

Mark (markthecodehamster) said: #4

Well guys, I have submitted this as a bug:
https://bugs.launchpad.net/suse/+source/xorg/+bug/800172
and added some more information. Please keep an eye on its development.
Cheers, Mark
