Rich Freeman on 5 Sep 2012 05:39:32 -0700



Re: [PLUG] BackDoor.Wirenet.1


On Wed, Sep 5, 2012 at 7:35 AM, K.S. Bhaskar <bhaskar@bhaskars.com> wrote:
> I was wondering if it was for real or something made up.  It gave very
> little detail, and what detail there was didn't seem entirely plausible
> (especially because Linux passwords and passwords stored by browsers are two
> very different things).  Hypothesizing for a minute that it was for real,
> the only plausible way I can think of to exploit a browser vulnerability to
> insert a key-logger is to somehow put in a custom keymap.

Keep in mind that any X11 client can capture all keyboard input from
the server, except from applications running in a rarely-used mode
that completely grabs the keyboard focus.  Terminal implementations
used to have a secure mode option in their menus to turn this on
temporarily for those who are security-conscious.  However, modern
apps don't bother nearly as much since it is rare to have untrusted
X11 clients connected to your server.  ssh's X11 forwarding has a
secure mode which filters out this sort of thing, though it is broken
on a number of recent modern implementations (including Gentoo).

Applications like pinentry (usually used by gpg agents and such) do
use secure mode, which is why their dialogs behave funny.  They also
tend to lock their memory and employ other tactics to safeguard their
input.

None of this can be used to exploit anything happening on a different
VT, including other X11 servers running on the same machine (unless
the browser can connect to them - having the cookie/etc).  Things like
display managers don't share their cookies with anybody, so they tend
to be pretty secure (in fact, they're the process that creates the
cookie in the first place and everybody else gets it from them).

I do not know if this piece of malware actually eavesdrops on X11 or
not, and I don't know how well that would work on OSX either (I'm not
sure if OSX runs a server, or if regular OSX applications even use it
or are vulnerable).

Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
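The "having the cookie" point in Rich's message above, made concrete as an added example (this code is not from the PLUG thread or from any X project). It parses a constructed .Xauthority file in the layout libXau writes (big-endian 16-bit lengths: family, address, display number, auth name, auth data), looks up the cookie the way an X client does, and builds the X11 ClientSetup request that carries it; it also decodes the Failed/Success status byte of the server's reply. The hostname "example", the two 16-byte cookies and the Failed reply are all constructed sample data; nothing here opens a socket, so it runs offline.

```python
"""Added example: what an X client needs before it can snoop a display.

A client can only talk to an X server whose MIT-MAGIC-COOKIE-1 it holds.
The cookie normally lives in ~/.Xauthority (what `xauth list` shows).
Layout per entry, all lengths big-endian uint16 (libXau's Xauth struct):
    family | len,address | len,number | len,name | len,data
The connection handshake below follows the X11 protocol "Connection
Setup" section.  All sample data in this file is constructed.
"""
import struct

FAMILY_INTERNET = 0
FAMILY_LOCAL = 256     # entries keyed by hostname, used for the unix socket
FAMILY_WILD = 65535    # matches any host


def build_xauthority(entries):
    """Serialize (family, address, number, name, data) tuples like xauth does."""
    out = b""
    for family, address, number, name, data in entries:
        out += struct.pack(">H", family)
        for field in (address, number, name, data):
            out += struct.pack(">H", len(field)) + field
    return out


def parse_xauthority(blob):
    """Parse raw .Xauthority bytes into (family, address, number, name, data)."""
    entries, pos = [], 0
    while pos < len(blob):
        (family,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        fields = []
        for _ in range(4):
            (length,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            fields.append(blob[pos:pos + length])
            pos += length
        entries.append((family, *fields))
    return entries


def find_cookie(entries, display_number, hostname):
    """Return (auth_name, auth_data) for :<display_number> on hostname, or None.

    Mirrors the client-side lookup: a FamilyLocal entry must carry our
    hostname, FamilyWild matches any host, and an empty display number
    in the file means "any display".
    """
    wanted = str(display_number).encode()
    for family, address, number, name, data in entries:
        if family not in (FAMILY_LOCAL, FAMILY_WILD):
            continue
        if family == FAMILY_LOCAL and address != hostname:
            continue
        if number not in (b"", wanted):
            continue
        return name, data
    return None


def _pad4(b):
    return b + b"\0" * (-len(b) % 4)


def build_setup_request(auth_name=b"", auth_data=b""):
    """ClientSetup: byte order 'l', protocol 11.0, then name/data padded to 4."""
    header = struct.pack("<BxHHHHxx", ord("l"), 11, 0, len(auth_name), len(auth_data))
    return header + _pad4(auth_name) + _pad4(auth_data)


def parse_setup_reply(reply):
    """Decode the server's first 8 bytes: 0 Failed (reason follows), 1 Success."""
    status, reason_len, major, minor, _extra = struct.unpack_from("<BBHHH", reply, 0)
    if status == 0:
        return "Failed", reply[8:8 + reason_len].decode()
    if status == 1:
        return "Success", f"X{major}.{minor}"
    return "Authenticate", ""


# Constructed sample: a display manager's cookie for :0 and a user's own
# server on :1, both keyed by the (hypothetical) hostname "example".
HOST = b"example"
DM_COOKIE = bytes(range(16))
USER_COOKIE = bytes(range(16, 32))
SAMPLE_XAUTHORITY = build_xauthority([
    (FAMILY_LOCAL, HOST, b"0", b"MIT-MAGIC-COOKIE-1", DM_COOKIE),
    (FAMILY_LOCAL, HOST, b"1", b"MIT-MAGIC-COOKIE-1", USER_COOKIE),
])
# Constructed reply of the kind a server sends when no valid cookie arrives.
SAMPLE_FAILED_REPLY = struct.pack("<BBHHH", 0, 21, 11, 0, 6) + _pad4(b"No protocol specified")

if __name__ == "__main__":
    entries = parse_xauthority(SAMPLE_XAUTHORITY)
    for disp in (0, 1, 2):
        auth = find_cookie(entries, disp, HOST)
        req = build_setup_request(*auth) if auth else build_setup_request()
        print(f":{disp} cookie={'yes' if auth else 'no'} setup_request={len(req)} bytes")
    print(parse_setup_reply(SAMPLE_FAILED_REPLY))
```

Display :2 has no entry in the sample file, so the request for it goes out with an empty auth name and data and the server answers Failed; that is exactly the situation of a browser trying to reach a display manager's or another user's X server without its cookie. On a real box, `xauth list` shows the same entries this parser extracts, which makes it a quick check of which displays a process running as you could actually attach to.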