Application keylogger vulnerability in Xserver

Bug #800172 reported by Mark
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
X.Org X server | Invalid | High | |
wayland | New | Undecided | Unassigned |
xorg (Suse) | New | Undecided | Unassigned |
xserver-xorg-input-evdev (Ubuntu) | Invalid | Undecided | Unassigned |

Bug Description

It is easily possible for any running program in your X session to sneak your passwords (even root, sudo etc.) or to obtain critical credentials from the browser (e.g. e-banking).

This bug is based on:
Blog post with explanation:
http://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html

Ubuntu answers:
https://answers.launchpad.net/ubuntu/+source/xorg/+question/159596

The bug has already been reported to X developers:
https://bugs.freedesktop.org/show_bug.cgi?id=38517
(with steps to reproduce)

The bug has been known for some time already, but nothing has been happening! With this, the Linux desktop is no more secure than any Windows system.

Please have a look at the resources and try it yourselves.

Cheers, mark

At present, the architecture of XWindow/XServer possesses a software vulnerability that allows a hacker to execute code to trace user keystrokes without the need for root access. Proof of concept:

- Open terminal
- Type 'xinput test 8'
- Press keystrokes in any GUI window and watch the terminal

It is possible to write a C++ binary executable for Linux and simply use the procedure above to capture keystrokes. The key mappings are the same for every QWERTY keyboard. A dynamic cast from (int *) to (char *) can translate DECIMAL to its corresponding keystroke in ASCII format.

Solution:
The solution is to write a conditional branch in the XWindow/XServer GUI handler classes/object files to prevent the keyboard interrupt service routine from servicing any application or window other than the focused window. This can be accomplished easily within the current design of XWindow/XServer by using a composite design pattern.
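
For defenders, the `xinput test 8` proof of concept in the description above can be watched for in process-execution telemetry. The following is an added example, not part of the original report or of X.Org code: it parses auditd EXECVE records (the sample lines are constructed) and flags `xinput` runs in an event-streaming mode. The function names are hypothetical, and it assumes execve auditing is enabled on the host.

```python
import os
import re

# Constructed auditd EXECVE records for illustration (not from the bug report).
SAMPLE_AUDIT_LOG = '''\
type=EXECVE msg=audit(1303900000.101:310): argc=3 a0="xinput" a1="test" a2="8"
type=EXECVE msg=audit(1303900004.220:311): argc=2 a0="xinput" a1="list"
type=EXECVE msg=audit(1303900009.514:312): argc=3 a0="/usr/bin/xinput" a1="test-xi2" a2="--root"
type=EXECVE msg=audit(1303900012.007:313): argc=3 a0="grep" a1=78696E7075742074657374 a2="notes.txt"
type=SYSCALL msg=audit(1303900012.007:313): arch=c000003e syscall=59 success=yes
'''

EVENT_ID = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')
ARG = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
# xinput modes that stream device events to the calling process.
STREAMING_MODES = {"test", "--test", "test-xi2", "--test-xi2"}


def parse_execve(line):
    """Return (audit_serial, argv) for an EXECVE record, else None."""
    m = EVENT_ID.search(line)
    if not line.startswith("type=EXECVE") or m is None:
        return None
    args = {}
    for a in ARG.finditer(line):
        idx = int(a.group(1))
        if a.group(2) is not None:      # normal quoted argument
            args[idx] = a.group(2)
            continue
        try:  # auditd hex-encodes arguments with spaces or control bytes
            args[idx] = bytes.fromhex(a.group(3)).decode("utf-8", "replace")
        except ValueError:
            args[idx] = a.group(3)
    return int(m.group(1)), [args[i] for i in sorted(args)]


def find_xinput_capture(log_text):
    """Return [(audit_serial, argv)] for xinput runs that stream input events."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_execve(line)
        if parsed is None:
            continue
        serial, argv = parsed
        if (len(argv) >= 2 and os.path.basename(argv[0]) == "xinput"
                and argv[1] in STREAMING_MODES):
            hits.append((serial, argv))
    return hits
```

This matches on the parsed argument vector rather than on substrings, so the `grep` record that merely mentions the command is not flagged. It covers only the `xinput` tool, not other X clients that read input events themselves.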

Changed in xorg-server:
importance: Unknown → High
status: Unknown → Confirmed
Changed in xorg (Ubuntu):
status: New → Confirmed
Changed in xorg (Ubuntu):
status: Confirmed → New
security vulnerability: no → yes
Changed in xorg-server:
status: Confirmed → Invalid
bugbot (bugbot)
affects: xorg (Ubuntu) → xserver-xorg-input-evdev (Ubuntu)
Timo Aaltonen (tjaalton) wrote :

Closing as per the upstream bug report.

Changed in xserver-xorg-input-evdev (Ubuntu):
status: New → Invalid
Sergiu (sergiuoprea-deactivatedaccount) wrote :

Closing this is wrong. Upstream is responsible for making Xorg work, not for delivering a reasonably secure desktop experience; that is the job of the distribution maintainers. Upstream is just saying to use SELinux; that is not the best way to do this. Keylogging is trivial under the current setup; Windows / OSX do not suffer from this. Under Xorg it is possible to write a one-line command line that captures input and posts it to a web server.
