Rich Freeman on 5 Sep 2012 05:39:32 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] BackDoor.Wirenet.1

On Wed, Sep 5, 2012 at 7:35 AM, K.S. Bhaskar <> wrote:
> I was wondering if it was for real or something made up.  It gave very
> little detail, and what detail there was didn't seem entirely plausible
> (especially because Linux passwords and passwords stored by browsers are two
> very different things).  Hypothesizing for a minute that it was for real,
> the only plausible way I can think of to exploit a browser vulnerability to
> insert a key-logger is to somehow put in a custom keymap.

Keep in mind that any X11 client can capture all keyboard input from
the server, except from applications running in a rarely-used mode
that completely grabs the keyboard focus.  Terminal implementations
used to have a secure mode option in their menus to turn this on
temporarily for those who are security-conscious.  However, modern
apps don't bother nearly as much since it is rare to have untrusted
X11 clients connected to your server.  ssh's X11 forwarding has a
secure mode which filters out this sort of thing, though it is broken
on a number of recent modern implementations (including Gentoo).

Applications like pinentry (usually used by gpg agents and such) do
use secure mode, which is why their dialogs behave funny.  They also
tend to lock their memory and employ other tactics to safeguard their

None of this can be used to exploit anything happening on a different
VT, including other X11 servers running on the same machine (unless
the browser can connect to them - having the cookie/etc).  Things like
display managers don't share their cookies with anybody, so they tend
to be pretty secure (in fact, they're the process that create the
cookie in the first place and everybody else gets it from them).

I do not know if this piece of malware actually evesdrops on X11 or
not, and I don't know how well that would work on OSX either (I'm not
sure if OSX runs a server, or if regular OSX applications even use it
or are vulnerable).

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --