Page 1 of 3 123 LastLast
Results 1 to 10 of 24

Thread: Xinput

  1. #1
    Join Date
    Jul 2009
    Beans
    9

    Xinput

    Hi,

    I read that Xinput (part of X graphic server) could be used as a keylogger on a Ubuntu system.
    In fact, a regular user can launch xinput and monitor every text entered (just like a keylogger) and especially text entered as root (root password for example).

    I didn't find any information about this threat on the forum or in the documentation.

    Is it a real threat ? Is there any way to prevent it (for example, we can desinstall xinput but is this packet necessary...) ?

    Thanks

    Source : http://theinvisiblethings.blogspot.c...isolation.html

  2. #2
    Dangertux is offline Chocolate Ubuntu Mocha Blend
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,771
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Xinput

    Quote Originally Posted by DoUPod View Post
    Hi,

    I read that Xinput (part of X graphic server) could be used as a keylogger on a Ubuntu system.
    In fact, a regular user can launch xinput and monitor every text entered (just like a keylogger) and especially text entered as root (root password for example).

    I didn't find any information about this threat on the forum or in the documentation.

    Is it a real threat ? Is there any way to prevent it (for example, we can desinstall xinput but is this packet necessary...) ?

    Thanks

    Source : http://theinvisiblethings.blogspot.c...isolation.html
    This is not a vulnerability it's a feature. The author of that article demonstrated it to demonstrate that Xserver does not adequately separate system resources (like input devices) between GUI based applications. It's important to note that it must be run in the same Xserver instance. This obviously is a particular concern due to the nature of sudo. Yes this happens, yes it works. No there really isn't anything you can do about it unless you want to switch to something like Qubes, which is also hers and this is a plug for that.

    Hope this helps.

  3. #3
    Join Date
    Jul 2009
    Beans
    9

    Re: Xinput

    Yes it helps. But, there's absolutely nothing we can do to prevent it ?

    For example,
    - Is it possible to uninstall xinput packet or is it necessary to keep this packet ?
    - What are the exact possibilities of attack through xinput ? Can any program use this command to monitor everything I write ?

    Thanks

  4. #4
    Dangertux is offline Chocolate Ubuntu Mocha Blend
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,771
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Xinput

    Quote Originally Posted by DoUPod View Post
    Yes it helps. But, there's absolutely nothing we can do to prevent it ?

    For example,
    - Is it possible to uninstall xinput packet or is it necessary to keep this packet ?
    - What are the exact possibilities of attack through xinput ? Can any program use this command to monitor everything I write ?

    Thanks
    Removing XInput will likely break your entire installation, since it's used my almost everything to configure and read input from devices.

    Obviously anyone with physical access or remote access to an X session could keylog, and or inject input to Xserver. This could be used to escalate permissions via keylogging, compromise of additional applications or injection of arbitrary code into memory for potential execution.

    The point she was making in her article was that XServer was designed in a more trusting ecosystem, and that XServer demonstrates a poor security posture. You could consider using something like Xephyr which does a slightly better job at GUI application seperation via nested X Sessions, or like I said something like QubesOS if this is a concerning threat to you.

    As I said earlier , the way it's designed currently anything running in the current XSession can read/write to XInput and thus any other application running in that XSession.

    Hope this helps.

  5. #5
    Join Date
    Jul 2009
    Beans
    9

    Re: Xinput

    Ok. I understand better how xinput works.

    So, every application I run in a graphic mode with XServer can log my keyboard.

    But, I must install such applications...

    So in fact, the major problem is to trust author of applications I installed (and not to install strange apps I don't know) ? For some evil people, there's no possibility of using this "threat" without installing an application ?

    Thanks

  6. #6
    Dangertux is offline Chocolate Ubuntu Mocha Blend
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,771
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Xinput

    Well not exactly. For instance if your browser were compromised and it yielded the attacker an interactive shell they could use Xinput to keylog you. Hope this clarifies.

  7. #7
    Join Date
    Jul 2009
    Beans
    9

    Re: Xinput

    Thank you for all the informations.

  8. #8
    Join Date
    May 2009
    Beans
    17

    Re: Xinput

    Quote Originally Posted by Dangertux View Post
    This is not a vulnerability it's a feature.
    This reply is so stunningly uninteligent and evasive it has provoked to raise a dead thread from the ground: many, many things are vulnerabilities and features! Being one does not preclude the other.
    The author of that article demonstrated it to demonstrate that Xserver does not adequately separate system resources (like input devices) between GUI based applications. It's important to note that it must be run in the same Xserver instance. This obviously is a particular concern due to the nature of sudo. Yes this happens, yes it works.
    So any app running under X can steal your sudo password - but this isn't a vulnerability.... Because it is a feature, so that's alright.
    No there really isn't anything you can do about it unless you want to switch to something like Qubes, which is also hers and this is a plug for that.

    Hope this helps.
    Nice hint of an ad hom attack there. Anyway... But, yes, there is something you can do to make yourself effectively immune from such attacks: do all your admin and anything involving paypal etc, even indirectly (eg using the email acc your paypal account is linked too) from account that you only a very minimal and trusted set of X apps from. Or even do such things only from a X-less boot. Yes, this is hassle and not worth it for most people - but it is possible, and probably what should be done for servers.

  9. #9
    Join Date
    Mar 2011
    Beans
    668

    Re: Xinput

    Dangertux is back? >_> edit: awwwww old posts.

    And yes, because X has processes register hotkeys they can register any key and sniff or input them to any other key.

    Wayland, for example, does not do this. New hotkeys require administrative rights and are registered through the OS.

    I don't think Xinput is required, it's purely used to show how it works. With or without Xinput you can register the hotkeys.

    As Dangertux said there is unfortunately very very little that can be done about this.

    This reply is so stunningly uninteligent and evasive it has provoked to raise a dead thread from the ground: many, many things are vulnerabilities and features! Being one does not preclude the other.
    I think vulnerability implies an unintended weakness whereas both a vulnerability and a feature can be exploited. Regardless, it's semantics. His point is that it's an intended behavior.

    So any app running under X can steal your sudo password - but this isn't a vulnerability.... Because it is a feature, so that's alright.
    I don't think he said it's alright.

    Nice hint of an ad hom attack there. Anyway... But, yes, there is something you can do to make yourself effectively immune from such attacks: do all your admin and anything involving paypal etc, even indirectly (eg using the email acc your paypal account is linked too) from account that you only a very minimal and trusted set of X apps from. Or even do such things only from a X-less boot. Yes, this is hassle and not worth it for most people - but it is possible, and probably what should be done for servers.
    That's not Ad Hominem. Also, just so you don't expect a response back, Dangertux doesn't post here any more.

    Unfortunately, as you said, you'd have to boot into an X-less Ubuntu to be protected.

    I think that that's assuming you've been compromised, which is why focusing on prevention is so important.
    Last edited by Hungry Man; September 21st, 2012 at 07:47 PM.

  10. #10
    BlinkinCat is offline Iced Blended Vanilla Crème Ubuntu
    Join Date
    Aug 2011
    Beans
    Hidden!

    Re: Xinput

    Quote Originally Posted by Hungry Man View Post
    Dangertux is back?
    Is he? I haven't seen him lately -

Page 1 of 3 123 LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •