X Server Security Disaster: "It's Worse Than It Looks"
Originally posted by alanc:
pretty much all security holes in X in the past few years have been limited to people who can already access your machine
Originally posted by kurkosdr:
At least the monstrosity known as X.org is finally going away. X.org sucked from day #1, but it was the first and only available free display server, so it became "standard".
Even then, XFree86 was not the first available free display server. That would be X386. As for the only display server, besides the ones already mentioned, there was a brief fork of XFree86 called Xouvert.
For all its inefficiency with modern day graphics systems, X.org does a damn fine job. It's hardly a "monstrosity". From day one, it's been a wonderful addition to the free software library. So will Wayland be, when it's ready.
Originally posted by Luke:
How many of these can be used for an over-the-network attack, assuming that an ssl server is not being run with X11 forwarding and no remote desktop viewing tool is in operation? There is a huge difference between someone who has already booted your computer being able to get root (physical access = root for high security work!) and someone able to root your box over the network and past a router.
- If you look at your favourite porn movie from your "trusted" source
- are there byte sequences that can escape the video stream
- an escaped code could then escalate privileges on your system
- and install the trojan horse
Would that be the usable "use case" of an "unsecure" xorg server?
A video escape sequence has many more targets than X
Originally posted by ulenrich:
I would be interested to know - not about this never-used network facility - but:
- If you look at your favourite porn movie from your "trusted" source
- are there byte sequences that can escape the video stream
- an escaped code could then escalate privileges on your system
- and install the trojan horse
Would that be the usable "use case" of an "unsecure" xorg server?
Looking at the other end of the chain, you would not need an X server vulnerability to do this; a hole in closed-source Flash would be quite enough, and it would be given to the NSA before it was fixed. Flash and Java are also the two biggest targets for Windows exploits! If this is an issue, avoid Flash, use HTML5 instead of Flash and do not install Java. Also a browser vulnerability found by the attacker first would be usable, as would a hole in the codec used by the video for playback. A good reason to use GStreamer and not Cisco's binary for H264, and not to use closed browsers like Opera. In short, Wayland won't fix this, as there are at least three other places an attack could be mounted.
In short, the chain of vulnerabilities for a video escape sequence attack works like this: Network card, Flash (if used), browser, Xorg, video driver, kernel system calls. A chain is only as strong as its weakest link. If you run Flash and Java over Chromium on Wayland, you have only slightly reduced your attack cross-section.
Now let's get real-world: A criminal attack on random targets using a video escape sequence will probably be aimed at a Flash hole, or at a cross-platform browser vulnerability. Otherwise it will target a Windows system vulnerability. I recall somewhere that one version of Windows Media Center was vulnerable to exactly this sort of attack; I forget which media format was the vector. No matter what the exploit, the payload code will probably run on the Windows kernel, as this will get 20 to 100 times as many victims for less work than a Linux attack. Even the FBI's workaround attack on a single .onion Tor service used a cross-platform vulnerability to install a Windows payload. Most attacks on Linux are aimed at Linux servers and especially Linux servers running websites, so this situation is in fact another of a long line of reasons why a remotely administered server should never have X installed.
OK, now let's talk NSA, wanting to get control of your particular encrypted laptop. If you don't have a static IP address and never activated Windows, just FINDING the machine to attack it becomes the first problem. OK, your favorite bar has a Cisco router that talks to the NSA; let's assume they tie your MAC address to a post they don't like with Cisco's help. Now they have to intercept the video stream and replace it with a stream of their own. If they don't want to get caught, they have to predict what you want to watch and prepare their file in advance, then pay off the host site to host the uploaded file and not a derived Flash file. Were they a criminal inside a porn site, they would only have to add a honeypot video and attack whoever watched it from a compatible system, a much easier job.
The NSA does use porn and dating site activity to blackmail Islamic fundamentalists (terrorist OR otherwise), but that only requires monitoring the accounts themselves and not any attack on computers at all. Instead the attack both exploits and is directed against hypocrisy by the intended targets and does not work when hypocrisy is not present. I suspect most people who host porn and dating sites are as happy to help the NSA call out religious hypocrites on their sites as Larry Flynt was to lampoon Christian fundamentalists in the pages of Hustler.
One more point: there are more web-based attacks coming from adservers than from porn sites according to some security researchers. At least Phoronix would be a royal headache to attack users from, as the low Windows use rate and high hacker quotient would make for difficult targets, small capture cross-section, and high probability of getting caught. If I were a scumbag using poisoned Flash ads to bot computers, I would take precautions not to have my "ads" run on any Linux or hacker sites!
@Luke
Many thanks for this informative post!
I personally don't feel I am a target, but I am interested in these issues in principle. I have some kind of paranoid fear - German angst - that all our freedom might soon vanish:
Originally posted by Luke:
The NSA does use porn and dating site activity to blackmail Islamic fundamentalists (terrorist OR otherwise), but that only requires monitoring the accounts themselves and not any attack on computers at all. Instead the attack both exploits and is directed against hypocrisy by the intended targets and does not work when hypocrisy is not present. I suspect most people who host porn and dating sites are as happy to help the NSA call out religious hypocrites
- if you search for a job
You would not like your potential employer to know that your doctor gave you a cardiac pacemaker
- if you attempt a career in a political party
You had some anarchistic ideas in mind when you were young
... endless possibilities for blackmail!
Thus I would think, with total NSA awareness, that all of the German parliament and government is compromised. Some 40 years ago we had our most beloved government figure (W. Brandt) resign, because the Russians might have known he dated some young women ...
Good point: Who is next for NSA dating site snitch extortion
Originally posted by ulenrich:
@Luke
Many thanks for this informative post!
I personally don't feel I am a target, but I am interested in these issues in principle. I have some kind of paranoid fear - German angst - that all our freedom might soon vanish:
I am not a hypocrite, but I think, almost theoretically, that every one of us has their weak points in life. If someone knows everything about you and also everything about a potential audience you would like to target, for example:
- if you search for a job
You would not like your potential employer to know that your doctor gave you a cardiac pacemaker
- if you attempt a career in a political party
You had some anarchistic ideas in mind when you were young
... endless possibilities for blackmail!
Thus I would think, with total NSA awareness, that all of the German parliament and government is compromised. Some 40 years ago we had our most beloved government figure (W. Brandt) resign, because the Russians might have known he dated some young women ...
Originally posted by Luke:
Those are good points. Not only the NSA, but those who WORK at the NSA have shown they can't be trusted. Anyone could be next and the thin end of the wedge must not be welcomed
Hi