X Server Security Disaster: "It's Worse Than It Looks"

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

• #11
Originally posted by Luke:
    How many of these can be used for an over-the-network attack...
If you start X with -nolisten tcp, as virtually all distros have done by default for years now, then pretty much all security holes in X in the past few years have been limited to people who can already access your machine - either physically or remote login via ssh. Many allow such users to raise their privileges, which is a problem in business, government, or school settings, but not so much on your personal/home machine where you can just use su or sudo to do that already.
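As an added example that is not part of the thread, a defender's check for the condition #11 describes: a POSIX shell function that flags X display ports (TCP 6000-6063) in `ss -ltn` output, exercised on constructed samples, plus a live check of the running socket table. The iproute2 `ss` command and its column layout are assumed.

```shell
#!/bin/sh
# Added example (not from the thread). With "-nolisten tcp" the X server accepts
# only local connections over its Unix socket; a TCP listener on 6000-6063
# (display :0 to :63) means the server is reachable from the network.

# Reads "ss -ltn"-style lines (header already stripped) on stdin, prints every
# X display port found, and returns 0 if any was found, 1 otherwise.
x_tcp_listeners() {
  awk '
    # Column 4 is Local Address:Port; take the part after the last colon so
    # that IPv6 forms such as [::]:6000 are handled too.
    { n = split($4, a, ":"); port = a[n] + 0
      if (port >= 6000 && port <= 6063) {
        found = 1
        print "display :" (port - 6000) " listening on " $4
      } }
    END { exit found ? 0 : 1 }'
}

# Constructed sample: X on display :0 bound to all interfaces, plus sshd.
SAMPLE_LISTENING='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6000 0.0.0.0:*
LISTEN 0 128 [::]:6000 [::]:*'

# Constructed sample: the state -nolisten tcp should leave you in.
SAMPLE_CLEAN='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*'

# Live check against the real socket table (iproute2 "ss" assumed present).
check_live() {
  command -v ss >/dev/null 2>&1 || { echo "ss not found" >&2; return 2; }
  if ss -ltn | tail -n +2 | x_tcp_listeners; then
    echo "X is reachable over TCP; start it with -nolisten tcp" >&2
    return 1
  fi
  echo "no X TCP listener found"
}
```

Run `check_live` on a workstation to confirm the distro default is actually in effect; the sample variables only exist so the parser can be tried without a live X server.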


• #12
Originally posted by alanc:
    pretty much all security holes in X in the past few years have been limited to people who can already access your machine
I should have said "or software they run" - since no one can fully audit all of the source code for every binary they run, there are risks of software trying to sneak one past you, but that's true whether you run X or anything else. (And as a number of the other 30C3 talks emphasized, there's far more software running than you realize, such as the CPUs in your flash memory cards or hard disk, or pretty much every piece of silicon in the system. Having source to the software running in the OS at the top of the stack is just the tip of the iceberg.)


• #13
Originally posted by kurkosdr:
    At least the monstrosity known as X.org is finally going away. X.org sucked from day #1, but it was the first and only available free display server, so it became "standard".
Gosh. You've forgotten, or don't know about, the XFree86 system. Compared to that, X.org was a breath of fresh air, a welcome step to a proper and convenient graphics subsystem.

Even then, XFree86 was not the first available free display server. That would be X386. As for the only display server, besides the ones already mentioned, there was a brief fork of XFree86 called Xouvert.

For all its inefficiency with modern-day graphics systems, X.org does a damn fine job. It's hardly a "monstrosity". From day one, it's been a wonderful addition to the free software library. So will Wayland be, when it's ready.


• #14
Originally posted by ua=42:
    Just watched the video. Headline should have said "Several 0 day Qt exploits that Qt devs won't fix and don't care if they are made public".
That's old news, at least by a year. Though if they *still* keep it up...


• #15
Originally posted by Luke:
    How many of these can be used for an over-the-network attack, assuming that an ssl server is not being run with X11 forwarding and no remote desktop viewing tool is in operation? There is a huge difference between someone who has already booted your computer being able to get root (physical access=root for high security work!) and someone able to root your box over the network and past a router.
I would be interested to know - not about these never-used network facilities - but:

- If you look at your favourite porn movie from your "trusted" source
- are there byte sequences that can escape the video stream
- an escaped code could then escalate privileges on your system
- and install the trojan horse

Would that be the usable "use case" of an "unsecure" xorg server?


• #16
A video escape sequence has many more targets than X

Originally posted by ulenrich:
    I would be interested to know - not about these never-used network facilities - but:

    - If you look at your favourite porn movie from your "trusted" source
    - are there byte sequences that can escape the video stream
    - an escaped code could then escalate privileges on your system
    - and install the trojan horse

    Would that be the usable "use case" of an "unsecure" xorg server?
It could be, assuming the attack was on X and not something easier for a video file to interact with. The video driver underneath X would be a bigger issue here than X itself, and won't go away except by chance/refactoring from a switch to Wayland or Mir.

Looking at the other end of the chain would not need an xserver vulnerability to do this, a hole in closed-source Flash would be quite enough, and would be given to the NSA before it was fixed. Flash and Java are also the two biggest targets for Windows exploits! If this is an issue, avoid flash, use HTML5 instead of flash and do not install Java. Also a browser vulnerability found by the attacker first would be usable, as would a hole in the codec used by the video for playback. A good reason to use Gstreamer and not Cisco's binary for H264, and not to use closed browsers like Opera. In short, Wayland won't fix this, as there are at least three other places an attack could be mounted.

In short, the chain of vulnerabilities for a video escape sequence attack works like this: Network card, Flash (if used), browser, Xorg, video driver, kernel system calls. A chain is only as strong as its weakest link. If you run Flash and Java over Chromium on Wayland, you have only slightly reduced your attack cross-section.

Now let's get real-world: A criminal attack on random targets using a video escape sequence will probably be aimed at a Flash hole, or at a cross-platform browser vulnerability. Otherwise it will target a Windows system vulnerability. I recall somewhere that one version of Windows Media Center was vulnerable to exactly this sort of attack, forget which media format was the vector. No matter what the exploit, the payload code will probably run on the Windows kernel, as this will get 20 to 100 times as many victims for less work than a Linux attack. Even the FBI's workaround attack on a single .onion Tor service used a cross-platform vulnerability to install a Windows payload. Most attacks on Linux are aimed at Linux servers and especially Linux servers running websites, so this situation is in fact another of a long line of reasons why a remotely administered server should never have X installed.

OK, now let's talk NSA, wanting to get control of your particular encrypted laptop. If you don't have a static IP address and never activated Windows, just FINDING the machine to attack it becomes the first problem. OK, your favorite bar has a Cisco router that talks to the NSA, let's assume they tie your MAC address to a post they don't like with Cisco's help. Now they have to intercept the video stream and replace it with a stream of their own. If they don't want to get caught, they have to predict what you want to watch and prepare their file in advance, then pay off the host site to host the uploaded file and not a derived flash file. Were they a criminal inside a porn site, they would only have to add a honeypot video and attack whoever watched it from a compatible system, a much easier job.

The NSA does use porn and dating site activity to blackmail Islamic fundamentalists (terrorist OR otherwise), but that only requires monitoring the accounts themselves and not any attack on computers at all. Instead the attack both exploits and is directed against hypocrisy by the intended targets and does not work when hypocrisy is not present. I suspect most people who host porn and dating sites are as happy to help the NSA call out religious hypocrites on their sites as Larry Flynt was to lampoon Christian fundamentalists in the pages of Hustler.

One more point: there are more web-based attacks coming from adservers than from porn sites according to some security researchers. At least Phoronix would be a royal headache to attack users from, as the low Windows use rate and high hacker quotient would make for difficult targets, small capture cross-section, and high probability of getting caught. If I were a scumbag using poisoned Flash ads to bot computers, I would take precautions not to have my "ads" run on any Linux or hacker sites!


• #17
@Luke
Many thanks for this informative post!
I personally don't feel to be a target, but I am interested in these issues in principle. I have some kind of paranoid fear - German angst - that all our freedom might soon vanish:

Originally posted by Luke:
    The NSA does use porn and dating site activity to blackmail Islamic fundamentalists (terrorist OR otherwise), but that only requires monitoring the accounts themselves and not any attack on computers at all. Instead the attack both exploits and is directed against hypocrisy by the intended targets and does not work when hypocrisy is not present. I suspect most people who host porn and dating sites are as happy to help the NSA call out religious hypocrites
I am not a hypocrite, but I almost theoretically think every one of us has their weak points in life. If someone knows everything about you and also everything about a potential audience you would like to target, for example:
- if you search for a job
You would not like your potential employer to know that your doctor proposed a cardiac pacemaker for you
- if you attempt a career in a political party
You had some anarchistic ideas in mind when you were young
... endless possibilities to blackmail!!!

Thus, given total NSA awareness, I would think that all of the German parliament and government is compromised. Some 40 years ago we had our most beloved government figure (W. Brandt) resign, because the Russians might know he dated some young women ...


• #18
The XServer.

I went through the hour long video, yeah I don't actually understand a lot of code, but yes some of the static checks he pointed out were definitely required. In short it was quite a good learning session on X.


• #19
Good point: Who is next for NSA dating site snitch extortion

Originally posted by ulenrich:
    @Luke
    Many thanks for this informative post!
    I personally don't feel to be a target, but I am interested in these issues in principle. I have some kind of paranoid fear - German angst - that all our freedom might soon vanish:

    I am not a hypocrite, but I almost theoretically think every one of us has their weak points in life. If someone knows everything about you and also everything about a potential audience you would like to target, for example:
    - if you search for a job
    You would not like your potential employer to know that your doctor proposed a cardiac pacemaker for you
    - if you attempt a career in a political party
    You had some anarchistic ideas in mind when you were young
    ... endless possibilities to blackmail!!!

    Thus, given total NSA awareness, I would think that all of the German parliament and government is compromised. Some 40 years ago we had our most beloved government figure (W. Brandt) resign, because the Russians might know he dated some young women ...
Those are good points. Not only the NSA, but those who WORK at the NSA have shown they can't be trusted. Anyone could be next and the thin end of the wedge must not be welcomed.


• #20
Originally posted by Luke:
    Those are good points. Not only the NSA, but those who WORK at the NSA have shown they can't be trusted. Anyone could be next and the thin end of the wedge must not be welcomed.
Don't forget the millions of people who think types like the NSA and GCHQ are doing good works! Ye olde 'if ya'v nothin' to hide, ya'v nothin t' fear!' argument being their mantra.
Hi