
X Window Vulnerabilities making a strong comeback.


by Brian - 04/27/00

With the proliferation of NT workstations comes the need for third party products that provide a means for UNIX Sys Admins to administer their systems remotely. PC Xware and Exceed are two such products. Through the use of Xwindow technology, they connect an NT Xclient to exported UNIX Xwindow resources. Of course, this can be a valuable asset to the Sys Admin's tool kit. However, it can also introduce security weaknesses into the system and network. If you are using one of these products (not limited to the ones I have tested), I highly recommend you follow the information provided below to test your vulnerability exposure. If you believe you are vulnerable, or are uncertain, contact your vendor for patch and security assistance. The latest version of Exceed is securable, and I did not get a chance to test the latest version of PC Xware.

Through some brief testing, I have discovered that both of these products install, by default, with their Xwindows exported to the world (the equivalent of 'xhost +' in the UNIX X world). Hackers familiar with exploiting exported X resources are drooling over the thought of this growing technology. Exploiting exported Xwindows is one of my favorite hacks. Over time (unless you found a menu driven xterm), you are guaranteed to get access to the UNIX system being administered, and most likely, it will be admin level access.

Is my system vulnerable?

1. From an Xwindow, on the system in question, enter the command 'xhost'. If you get a response similar to the following, your system is vulnerable.

"access control disabled, clients can connect from any host"

2. From another Xwindow system (I like SUN openwindows) enter the appropriate flavor of X command to list a remote system's windows. If you get anything other than "Xconnection refused by server", you are vulnerable.

3. Another option is to use the 'xkeys' hack utility to test for exposure. If it aborts you are safe, but if you get keystrokes you are vulnerable.

The Hack.

1. First you have to find a system exporting its Xwindows. How? Solaris Xwindows comes with a helpful utility named 'xlswins' (X list Windows). This utility, through an Xsession, will attempt to connect to a remote system and list any exported Xwindow resources. If you don't get something like this, move on.

0x29  ()
  0x1400007  ()
  0x140000c  ()
    0x140000f  ()
  0x1400010  ()
  0x180002d  ()
  0x180002e  ()
  0x180002f  ()
  0x1800030  ()
  0x1c00007  ()
  0x2400007  ()
  0x240000e  ()
  0x1800037  ()
  0x1800031  ()
    0x1800032  ()
    0x1800033  ()
    0x1800034  ()
    0x1800035  ()
    0x1800036  ()
    0x240000f  (cmdtool (CONSOLE) - /sbin/sh)
      0x2400012  ()
      0x2400013  ()
        0x2400015  ()
        0x240001b  ()
  0x2800007  ()
  0x280000e  ()
  0x180003f  ()
  0x1800039  ()
    0x180003a  ()
    0x180003b  ()
    0x180003c  ()
    0x180003d  ()
    0x180003e  ()
    0x280000f  (cmdtool - /sbin/sh)
      0x2800012  ()
      0x2800013  ()
        0x2800015  ()
        0x280001b  ()

If it doesn't work you just get an error message and can move on to the next attempt. This utility is easily embedded into a script and can search the specified range while you are off pursuing more relaxing activities. I recommend that you either randomize your target IPs, or put a sleep time in the script to keep your efforts below auditing and intrusion detection system thresholds.

2. Next, get yourself a copy of 'xkeys'. This is a keystroke monitoring utility. That's right! Keystroke monitoring. Every key they press is captured and passed to the system running xkeys. All the way down to whether they use the right or left shift key to get that special character in their password. So, the next time they telnet, ftp, rlogin, etc. from their exported Xwindow, and are prompted for their password, that is not echoed to their display, it is captured by xkeys and displayed (or redirected to a file) to your system. You now have a valid system name or IP, userid, and password for later use.

3. What if the system exporting the windows is only a menu driven xterm, and is not used for command line administration purposes? Use the 'Xwatchwin' utility to capture copies of the exported windows to see what the user is viewing. One problem with this is that you will only see what is viewable on the display of the target system. However, if they are viewing mail, purchasing info, inventory status, or patient information at a bed side xterm (this last one upset a few doctors), you can see it all.

4. Another hack that I do not have personal experience with (yet) is the 'X Magic Cookie' vulnerability. With this hack, you can supposedly execute commands on the target system, at the current user's permissions. Since I have not been successful at reproducing the exploit, I will not pass along info on my failures and confuse readers. Besides, I have not made a valid effort in exploring this exploit because xkeys is way too easy and successful. If anyone has more info on this hack, feel free to enlighten me on the details.

The Fix.

1. From an Xsession in UNIX, enter the 'xhost -' command to enable access control. Then export the display to specific systems individually (or through a script) with the following command: 'xhost + IP'. I prefer to use an IP or locally resolved system name as opposed to a name that is resolved through DNS.
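The following script is an added example and is not part of the original article or of any vendor's product. It automates the xhost check from step 1 of "Is my system vulnerable?" and the 'xhost -' / 'xhost + IP' sequence from step 1 of "The Fix": xhost_status() classifies the output of 'xhost', and restrict_display() emits the commands that enable access control and admit only an allowlist of hosts. The SAMPLE_* strings are constructed to match the messages the article quotes; on a live system, feed in the real output of 'xhost 2>&1'.

```shell
#!/bin/sh
# Added example (not from the original article): defender-side helpers for
# the xhost check and the xhost fix described in the text.

# Constructed samples of what `xhost` prints for an open and a restricted
# display; replace with "$(xhost 2>&1)" on a real system.
SAMPLE_OPEN="access control disabled, clients can connect from any host"
SAMPLE_CLOSED="access control enabled, only authorized clients can connect
INET:192.0.2.10"

# xhost_status <xhost-output>: prints OPEN when any host may connect (the
# 'xhost +' state the article warns about), RESTRICTED when access control
# is on, and UNKNOWN for anything else (e.g. "unable to open display").
xhost_status() {
    case "$1" in
        *"access control disabled"*) echo OPEN ;;
        *"access control enabled"*)  echo RESTRICTED ;;
        *)                           echo UNKNOWN ;;
    esac
}

# restrict_display <allowlist>: given hosts one per line (blank lines and
# '#' comments are ignored), print the commands that turn access control on
# and then admit only those hosts. Review the output, then pipe it into sh.
# Per the article, prefer IPs or locally resolved names to DNS names.
restrict_display() {
    echo "xhost -"
    printf '%s\n' "$1" | while IFS= read -r host; do
        case "$host" in ''|'#'*) continue ;; esac
        echo "xhost +$host"
    done
}

# Stand-alone demonstration against the constructed samples.
echo "sample open display:   $(xhost_status "$SAMPLE_OPEN")"
echo "sample closed display: $(xhost_status "$SAMPLE_CLOSED")"
restrict_display "192.0.2.10
# second admin workstation (constructed address)
192.0.2.11"
```

To apply the fix on a real display, run 'restrict_display "$(cat allowed_hosts.txt)" | sh' from within the Xsession that owns the display.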

2. From Exceed V6.x run the Xconfig utility and enable access control and enter IP addresses in the ACL text file.

3. I could not find a fix for the version of PC Xware I was testing. I found it on systems my team was reviewing and did not have the time to get into the details of the product. All I know is that there is a later version; the site is going to ask the vendor about its exported Xwindow status and get back to me.

4. If people outside of your organization do not need access to your X windows, use your network perimeter router/firewall to block external access to ports 6000-6010 (I have only witnessed X connections in the 6000-6020 range, but another source said to block through 6010). You should also research implementing Access Control Lists on all network devices inside of your network perimeter. This will add another layer of defense should an attacker get into one of your network segments.

Disclaimer:

I do not work for any of the companies listed above and do not personally endorse any of the products. If you work for one of the companies and my info is outdated, please send corrections so we can update the article. If you have an X product you would like tested, feel free to contact the DUCK (Russ) and he will pass the info to me.