ubuntu-x-swat team mailing list archive
Message #132803
[Bug 800172] [NEW] Application keylogger vulnerability in Xserver
Public bug reported:
It is easily possible for any running program in your X session to sneak
your passwords (even root, sudo, etc.) or to obtain critical credentials
from the browser (e.g. e-banking).
This bug is based on:
Blog post with explanation:
http://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html
Ubuntu answers:
https://answers.launchpad.net/ubuntu/+source/xorg/+question/159596
The bug has already been reported to X developers:
https://bugs.freedesktop.org/show_bug.cgi?id=38517
(with steps to reproduce)
The bug has been known for some time already, but nothing has been
happening! With this, Linux desktop is no more secure than any Windows
system.
Please have a look at the resources and try it yourselves.
Cheers, mark
At present, the architecture of XWindow/XServer possesses a software
vulnerability that allows a hacker to execute code to trace user
keystrokes without the need for root access. Proof of concept:
- Open a terminal
- Type 'xinput test 8'
- Press keystrokes in any GUI window and watch the terminal
It is possible to write a C++ binary executable for Linux and simply use
the procedure above to capture keystrokes. The key mappings are the same for
every QWERTY keyboard. A dynamic cast from (int *) to (char *) can
translate DECIMAL to its corresponding keystroke in ASCII format.
Solution:
The solution is to write a conditional branch in the XWindow/XServer GUI handler classes/object files to prevent the keyboard interrupt service routine from servicing any application or window other than the focused window. This can be accomplished easily within the current design of XWindow/XServer by using a composite design pattern.
** Affects: xorg (Ubuntu)
Importance: Undecided
Status: New
** Affects: xorg (Suse)
Importance: Undecided
Status: New
** Also affects: xorg (Suse)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu-X,
which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/800172
Follow ups
- [Bug 800172] Re: Application keylogger vulnerability in Xserver (From: Sergiu, 2011-07-11)
- [Bug 800172] Re: Application keylogger vulnerability in Xserver (From: Timo Aaltonen, 2011-06-28)
- [Bug 800172] Re: Application keylogger vulnerability in Xserver (From: bugbot, 2011-06-23)
- [Bug 800172] Re: Application keylogger vulnerability in Xserver (From: Bug Watch Updater, 2011-06-22)
- [Bug 800172] Re: Application keylogger vulnerability in Xserver (From: Brendan Donegan, 2011-06-21)
- [Bug 800172] Re: Application keylogger vulnerability in Xserver (From: Brendan Donegan, 2011-06-21)
- [Bug 800172] Re: Application keylogger vulnerability in Xserver (From: Brendan Donegan, 2011-06-21)
- [Bug 800172] Re: Application keylogger vulnerability in Xserver (From: Bug Watch Updater, 2011-06-21)
- [Bug 800172] Re: Application keylogger vulnerability in Xserver (From: Mark, 2011-06-21)
- [Bug 800172] Re: Application keylogger vulnerability in Xserver (From: Mark, 2011-06-21)
- [Bug 800172] [NEW] Application keylogger vulnerability in Xserver (From: Mark, 2011-06-21)