Learn about X security
On a machine with improperly configured X software, malicious remote users can do anything they like to the display. This includes taking a snapshot of the screen or grabbing all keystrokes on the keyboard.
Nature of the problem
X, when run with access permissions disabled (e.g., in “xhost +” mode), will provide access to X event queues to anyone who requests it. Since X events cover essentially any user interaction (keystrokes, window resizing and (re)drawing, mouse movements, etc.), it is trivial to take screen snapshots, move or resize windows, or grab keystrokes. We have positive evidence from other universities that keystrokes are being captured.
eXceed and X-Win32’s default permissions are wide open, and others are fairly easy to configure that way. Since Windows is rather different from UNIX with respect to X, it is likely that many users don’t realize the danger an open X server poses.
Securing your machine
We recommend using PuTTY with X11 Forwarding enabled to connect to the remote system, then starting X-Win32 in a local-only mode (only accepting X connections from the localhost).
Some hints on how to find open X servers in your address space:
nmap -sS -p6000 -oG output X.X.X.X/YY
The Nessus plugin that can scan for this vulnerability is 10407 (X.nasl).
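To turn the grepable file written by the nmap command above into a follow-up list, the script below (an added example, not part of the original advisory) prints each host whose X11 TCP port was reported open, together with the display number. It goes slightly beyond the single port scanned above by accepting 6000-6063 (display :N listens on TCP 6000+N); the function names and the sample lines are constructed for illustration. An open port only shows the X server is reachable over TCP, so each listed machine still needs its access control settings checked.

```shell
#!/bin/sh
# Added example: list hosts with an open X11 TCP port from nmap -oG output.

# open_x_hosts FILE -> one "ip :display" line per open X11 port (6000-6063)
open_x_hosts() {
    awk '
    /^Host: / && /Ports: / {
        ip = $2
        # Keep only the Ports field; drop any tab-separated fields after it.
        ports = $0
        sub(/.*Ports: /, "", ports)
        sub(/\t.*/, "", ports)
        n = split(ports, entry, ", ")
        for (i = 1; i <= n; i++) {
            # Entry layout: port/state/protocol/owner/service/rpc/version/
            split(entry[i], f, "/")
            if (f[2] == "open" && f[3] == "tcp" && f[1] >= 6000 && f[1] <= 6063)
                printf "%s :%d\n", ip, f[1] - 6000
        }
    }' "$1"
}

# Constructed sample in nmap grepable format (RFC 5737 documentation addresses).
write_sample() {
    printf 'Host: 192.0.2.10 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.10 ()\tPorts: 6000/open/tcp//X11///\n'
    printf 'Host: 192.0.2.11 (lab-pc.example)\tPorts: 6000/closed/tcp//X11///\n'
    printf 'Host: 192.0.2.12 ()\tPorts: 6000/filtered/tcp//X11///, 6001/open/tcp//X11:1///\n'
}

# Use the file given as the first argument, or fall back to the sample.
sample=$(mktemp)
write_sample > "$sample"
open_x_hosts "${1:-$sample}"
rm -f "$sample"
```

Run it with the name passed to -oG (here, "output") as the first argument.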