Xinput

[DoUPod]

Hi,

I read that Xinput (part of X graphic server) could be used as a keylogger on a Ubuntu system.
In fact, a regular user can launch xinput and monitor every text entered (just like a keylogger) and especially text entered as root (root password for example).

I didn't find any information about this threat on the forum or in the documentation.

Is it a real threat ? Is there any way to prevent it (for example, we can desinstall xinput but is this packet necessary...) ?

Thanks

Source : http://theinvisiblethings.blogspot.c...isolation.html

[Dangertux]

Hi,

I read that Xinput (part of X graphic server) could be used as a keylogger on a Ubuntu system.
In fact, a regular user can launch xinput and monitor every text entered (just like a keylogger) and especially text entered as root (root password for example).

I didn't find any information about this threat on the forum or in the documentation.

Is it a real threat ? Is there any way to prevent it (for example, we can desinstall xinput but is this packet necessary...) ?

Thanks

Source : http://theinvisiblethings.blogspot.c...isolation.html

This is not a vulnerability it's a feature. The author of that article demonstrated it to demonstrate that Xserver does not adequately separate system resources (like input devices) between GUI based applications. It's important to note that it must be run in the same Xserver instance. This obviously is a particular concern due to the nature of sudo. Yes this happens, yes it works. No there really isn't anything you can do about it unless you want to switch to something like Qubes, which is also hers and this is a plug for that.

Hope this helps.

[DoUPod]

Yes it helps. But, there's absolutely nothing we can do to prevent it ?

For example,
- Is it possible to uninstall xinput packet or is it necessary to keep this packet ?
- What are the exact possibilities of attack through xinput ? Can any program use this command to monitor everything I write ?

Thanks

[Dangertux]

Yes it helps. But, there's absolutely nothing we can do to prevent it ?

For example,
- Is it possible to uninstall xinput packet or is it necessary to keep this packet ?
- What are the exact possibilities of attack through xinput ? Can any program use this command to monitor everything I write ?

Thanks

Removing XInput will likely break your entire installation, since it's used my almost everything to configure and read input from devices.

Obviously anyone with physical access or remote access to an X session could keylog, and or inject input to Xserver. This could be used to escalate permissions via keylogging, compromise of additional applications or injection of arbitrary code into memory for potential execution.

The point she was making in her article was that XServer was designed in a more trusting ecosystem, and that XServer demonstrates a poor security posture. You could consider using something like Xephyr which does a slightly better job at GUI application seperation via nested X Sessions, or like I said something like QubesOS if this is a concerning threat to you.

As I said earlier , the way it's designed currently anything running in the current XSession can read/write to XInput and thus any other application running in that XSession.

Hope this helps.

[DoUPod]

Ok. I understand better how xinput works.

So, every application I run in a graphic mode with XServer can log my keyboard.

But, I must install such applications...

So in fact, the major problem is to trust author of applications I installed (and not to install strange apps I don't know) ? For some evil people, there's no possibility of using this "threat" without installing an application ?

Thanks

[Dangertux]

Well not exactly. For instance if your browser were compromised and it yielded the attacker an interactive shell they could use Xinput to keylog you. Hope this clarifies.

[DoUPod]

Thank you for all the informations.

[pling]

This is not a vulnerability it's a feature.

This reply is so stunningly uninteligent and evasive it has provoked to raise a dead thread from the ground: many, many things are vulnerabilities and features! Being one does not preclude the other.

The author of that article demonstrated it to demonstrate that Xserver does not adequately separate system resources (like input devices) between GUI based applications. It's important to note that it must be run in the same Xserver instance. This obviously is a particular concern due to the nature of sudo. Yes this happens, yes it works.

So any app running under X can steal your sudo password - but this isn't a vulnerability.... Because it is a feature, so that's alright.

No there really isn't anything you can do about it unless you want to switch to something like Qubes, which is also hers and this is a plug for that.

Hope this helps.

Nice hint of an ad hom attack there. Anyway... But, yes, there is something you can do to make yourself effectively immune from such attacks: do all your admin and anything involving paypal etc, even indirectly (eg using the email acc your paypal account is linked too) from account that you only a very minimal and trusted set of X apps from. Or even do such things only from a X-less boot. Yes, this is hassle and not worth it for most people - but it is possible, and probably what should be done for servers.

[Hungry Man]

Dangertux is back? >_> edit: awwwww old posts.

And yes, because X has processes register hotkeys they can register any key and sniff or input them to any other key.

Wayland, for example, does not do this. New hotkeys require administrative rights and are registered through the OS.

I don't think Xinput is required, it's purely used to show how it works. With or without Xinput you can register the hotkeys.

As Dangertux said there is unfortunately very very little that can be done about this.

This reply is so stunningly uninteligent and evasive it has provoked to raise a dead thread from the ground: many, many things are vulnerabilities and features! Being one does not preclude the other.

I think vulnerability implies an unintended weakness whereas both a vulnerability and a feature can be exploited. Regardless, it's semantics. His point is that it's an intended behavior.

So any app running under X can steal your sudo password - but this isn't a vulnerability.... Because it is a feature, so that's alright.

I don't think he said it's alright.

Nice hint of an ad hom attack there. Anyway... But, yes, there is something you can do to make yourself effectively immune from such attacks: do all your admin and anything involving paypal etc, even indirectly (eg using the email acc your paypal account is linked too) from account that you only a very minimal and trusted set of X apps from. Or even do such things only from a X-less boot. Yes, this is hassle and not worth it for most people - but it is possible, and probably what should be done for servers.

That's not Ad Hominem. Also, just so you don't expect a response back, Dangertux doesn't post here any more.

Unfortunately, as you said, you'd have to boot into an X-less Ubuntu to be protected.

I think that that's assuming you've been compromised, which is why focusing on prevention is so important.

[BlinkinCat]

Dangertux is back?

Is he? I haven't seen him lately -