Learn about X security

xhost +

On a machine with improperly configured X software, malicious remote users can do anything they like to the display. This includes taking a snapshot of the screen or grabbing all keystrokes on the keyboard.

Nature of the problem

Background: United States Computer Emergency Readiness Team: Vulnerability Note VU#704969

X, when run with access control disabled (e.g., in “xhost +” mode), gives access to its X event queues to anyone who requests it. Because X events include keystrokes, window resizing and (re)drawing, and mouse movements (essentially any user interaction), it is trivial to take screen snapshots, move or resize windows, or grab keystrokes. We have positive evidence from other universities that keystrokes are being captured.

Exceed and X-Win32’s default permissions are wide open, and other X servers are fairly easy to configure that way. Since Windows is rather different from UNIX with respect to X, it is likely that many users don’t realize the danger an open X server poses.

Securing your machine

We recommend using PuTTY with X11 Forwarding enabled to connect to the remote system, then starting X-Win32 in a local-only mode (only accepting X connections from the localhost).

More information

Purdue’s page on tunneling X over SSH

UIC’s pages on tunneling X over SSH with Exceed:
SSH Exceed
Exceed

Some hints on how to find open X servers in your address space:

 nmap -sS -p6000 -oG output X.X.X.X/YY 

The Nessus plugin that can scan for this vulnerability is 10407 (X.nasl)
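To turn the grepable file written by the nmap command above into a follow-up list, the added example below (not part of the original page) parses -oG output and reports hosts whose X11 TCP port is open. The sample scan output, host names and addresses are constructed, and mapping port 6000+n to display :n goes slightly beyond the page's single-port scan.

```python
import re

# Constructed sample of nmap grepable (-oG) output. Addresses come from the
# documentation range 192.0.2.0/24 and do not describe real hosts.
SAMPLE_OG = """\
# Nmap scan initiated as: nmap -sS -p6000 -oG output 192.0.2.0/24
Host: 192.0.2.10 (lab-pc1.example.edu)\tStatus: Up
Host: 192.0.2.10 (lab-pc1.example.edu)\tPorts: 6000/open/tcp//X11///
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 6000/closed/tcp//X11///
Host: 192.0.2.12 (lab-pc3.example.edu)\tStatus: Up
Host: 192.0.2.12 (lab-pc3.example.edu)\tPorts: 6000/filtered/tcp//X11///
Host: 192.0.2.13 ()\tStatus: Up
Host: 192.0.2.13 ()\tPorts: 6000/open/tcp//X11///
# Nmap done
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
X11_BASE_PORT = 6000   # TCP port of display :0; display :n listens on 6000+n
MAX_DISPLAY = 63       # assumption: treat 6000-6063 as the X11 range


def open_x_servers(grepable_text):
    """Return (ip, hostname or None, display) for each open X11 TCP port."""
    findings = []
    for line in grepable_text.splitlines():
        match = HOST_RE.match(line)
        if not match or "Ports:" not in line:
            continue  # comment lines and "Status:" lines carry no port data
        ip, name = match.groups()
        # The Ports field ends at the next tab-separated field, if any.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(fields) < 3 or not fields[0].isdigit():
                continue
            port, state, proto = int(fields[0]), fields[1], fields[2]
            display = port - X11_BASE_PORT
            if state == "open" and proto == "tcp" and 0 <= display <= MAX_DISPLAY:
                findings.append((ip, name or None, f":{display}"))
    return findings


if __name__ == "__main__":
    for ip, name, display in open_x_servers(SAMPLE_OG):
        print(f"{ip}\t{name or '-'}\tX display {display} reachable over TCP")
```

An open port only shows that the X server accepts TCP connections; whether access control is actually disabled still has to be confirmed on the machine itself or with a scanner check such as the Nessus plugin named above.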

Helpful links