nurettin 5 days ago

I don't dispute your anecdote but I think the point was: x11 has been around for decades, and these things just don't happen. And the reason is that there are much simpler and more effective ways to pwn a box than trying to screenshot an x session or trying to hook for key presses. So the vulnerability surface just isn't large enough.

Suzuran 4 days ago | parent | next [-]

That's not how this works. If you cannot prove conclusively that something is not the case ever, then you must accept that somewhere in the infinity of possibility it is.

kragen 5 days ago | parent | prev [-]

I have definitely seen "these things" happen.

nurettin 5 days ago | parent | next [-]

What did you see specifically? And on what OS?

41throw-it 4 days ago | parent | next [-]

Hi -- throwaway

I have seen this happen as well. A memory corruption vulnerability in popular software allows unprivileged shellcode to reach out and drop a rootkit, which loads a RAT as a kernel module. The attacker has control. Several big problems.

Cobalt Strike beacons blocked. Instead, pierce NAT with STUN to an attacker proxy. Use socket-activated VNC/RDP/X.

Why not just steal the sessions and local data? Remote services log access (IP, time, location), which is easily correlated, and forensics would lead back. Local data is encrypted at rest; hands on keyboard are needed anyway since recon is incomplete. Are they planning to scan memory for SSH key unlocks or intercept the ssh -sk key? This is big, noisy and takes developer time. If you log in to an email account this leaves forensics and is a CFAA violation while risking FAANG security. The attacker needs to shoulder surf.

Most hacks install crypto mining or steal a password. Maybe it is ransom. How do you get the 2FA code if you want access to sensitive information? How do you steal hardware keys? You can back door the browser (MitB), but it gets updated away and you lose access. Back door anything and you lose access or get discovered.

This is not an advanced attack, but it is a targeted attack. People are saying the X server never gets hacked, but computers get hacked. With X11 the chain is Exploit -> Game over. With Wayland you need to go farther.

anthk 4 days ago | parent | prev | next [-]

All of NIXen.

~/.profile

~/.env

~/.xprofile

Exploiting TMPDIR, /tmp race conditions, ~/.mailcap and mutt (I used that to get access to 'premium' binaries under restricted accounts).

If you have Emacs you can do tons of stuff from a single account.

And so on.

nurettin 4 days ago | parent [-]

Not sure what mutt has to do with X. Maybe you replied to the wrong thread.

41throw-it 4 days ago | parent [-]

~/.xprofile

I agree a little with what you say, but if you can write .xprofile you can, with no work, escalate from the X socket.

kragen 5 days ago | parent | prev [-]

Can't give details.

LtWorf 5 days ago | parent | prev [-]

Source?

kragen 5 days ago | parent [-]

No, I've seen them. Myself. I didn't get this from a source.

LtWorf 4 days ago | parent [-]

So you didn't report the bugs?

kragen 2 days ago | parent [-]

No bugs were involved, just X11 functioning as designed.

LtWorf 2 days ago | parent [-]

So you just don't like X11. Ok. But what was your point then, other than sharing your personal feelings?

kragen a day ago | parent [-]

It sounds like you're out of your depth in this conversation, Lieutenant. I have ambivalent feelings about X11, but they aren't relevant to the topic at hand.

0xbadcafebee said, "Why do people keep persisting this myth? X11 has authentication. ... What's insane about all these discussions is that NOBODY IS HACKING X SERVERS. There's a thousand other kinds of software on Linux that there is real malware for. But nobody is trying to hijack your X11 session. This imagined threat is a red herring ..." and then nurettin followed up by saying, "x11 has been around for decades, and these things just don't happen. And the reason is that there are much simpler and more effective ways to pwn a box than trying to screenshot an x session or trying to hook for key presses."

But in fact I have seen people gaining elevated privileges by "hijacking" X servers when the authentication was configured to be lax, and I've sometimes configured my own authentication to be lax (because configuring it properly was a hassle), so I know it's not an "imagined threat" from "NOBODY" or a "myth" or things that "just don't happen" because "nobody is trying" them.

But it's not a "bug" either. It's a design tradeoff. X just wasn't designed to provide a security boundary between applications, to encrypt its network traffic, or by default to use any authentication at all other than host-based authentication. Even MIT-MAGIC-COOKIE-1 auth was an add-on, and it is sent in the clear, permitting replay attacks. These are defensible tradeoffs, and ssh -X and the current xauth defaults improve the situation significantly, but Wayland's design provides a lot more isolation between applications by default, which is probably a more defensible tradeoff.
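The two concrete conditions the thread keeps returning to are lax X authentication (xhost access control switched off, as kragen describes) and a user-writable startup file such as ~/.xprofile (41throw-it's point). The POSIX sh script below is an added example and is not code from any commenter; it audits a session for exactly those conditions. Each check takes its input as an argument so it can be exercised offline against constructed values; the optional live run at the bottom assumes xhost(1) and GNU stat(1) (`stat -c '%a'`) are available and skips quietly otherwise. The xhost status strings matched are the ones the real xhost prints on its first line.

```shell
#!/bin/sh
# Added example, not from the thread: a small audit for the lax X11 settings
# the comments above describe (xhost access control switched off, and a
# writable ~/.xprofile or ~/.Xauthority). Every check takes its input as an
# argument so it can be exercised offline; the live run at the bottom is
# optional and only uses xhost(1) and GNU stat(1) when they exist.

# True (exit 0) when an xhost(1) status line reports access control disabled,
# i.e. any client that can reach the display socket may connect.
xhost_is_lax() {
    case "$1" in
        "access control disabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# True when a single octal permission digit includes the write bit (2).
digit_has_write() {
    case "$1" in
        2|3|6|7) return 0 ;;
        *) return 1 ;;
    esac
}

# True when an octal mode string (e.g. 644, 0664, 100600) grants write
# permission to group or other. Only the last three digits matter here.
mode_is_lax() {
    m="$1"
    while [ "${#m}" -gt 3 ]; do m="${m#?}"; done   # drop type/setuid prefix
    g="${m%?}"; g="${g#?}"                         # middle digit: group
    o="${m#??}"                                    # last digit: other
    if digit_has_write "$g" || digit_has_write "$o"; then
        return 0
    fi
    return 1
}

# Combine the three inputs, report each finding on stderr, and print the
# number of findings on stdout.
#   $1: first line of `xhost` output
#   $2: octal mode of ~/.xprofile
#   $3: octal mode of ~/.Xauthority
audit_session() {
    n=0
    if xhost_is_lax "$1"; then
        echo "finding: xhost access control is disabled" >&2
        n=$((n + 1))
    fi
    if mode_is_lax "$2"; then
        echo "finding: ~/.xprofile is writable by group or other" >&2
        n=$((n + 1))
    fi
    if mode_is_lax "$3"; then
        echo "finding: ~/.Xauthority is writable by group or other" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Live run against the current session; skipped quietly if xhost is absent,
# and a missing file is treated as mode 000 (no finding). Uses GNU stat.
live_audit() {
    command -v xhost >/dev/null 2>&1 || return 0
    line=$(xhost 2>/dev/null | head -n 1)
    xp=$(stat -c '%a' "$HOME/.xprofile" 2>/dev/null || echo 000)
    xa=$(stat -c '%a' "$HOME/.Xauthority" 2>/dev/null || echo 000)
    findings=$(audit_session "$line" "$xp" "$xa")
    echo "findings: $findings"
}

live_audit
```

The point of splitting the checks from the live run is that `audit_session` can be fed the constructed values a reviewer cares about ("access control disabled ..." plus a mode of 664) and the expected count verified without an X server present; on a real desktop the same function runs against the current display and home directory.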