T 5.162 Redirecting X-Window sessions

By separating the X-server from the X-client in the X-Window system, these components can be operated on different IT systems. This way, applications and graphical user interfaces can be executed and displayed on different IT systems. Here, the terminal servers on which the applications are executed are connected by means of a data link to the X-terminal, which connects the input and output devices. The screen content is generated in the terminal server, but the output is redirected to the X-terminal.

Normally, not only the inputs and outputs of an individual instance of an application or user interface, but those of several instances may be redirected from the terminal server to the X-terminal. For example, the user may simultaneously open several different graphical user interfaces on one terminal server and switch between them.

However, it is not only possible to redirect different instances on a terminal server to one X-terminal; a single instance on the terminal server can also be redirected to different X-terminals. If an attacker manages to have the screen output redirected not only to the X-terminal of the user, but also to his/her own terminal, he/she may intercept and read the input and output of the user.

Additionally, the attacker can redirect the graphical user interface or the applications of a terminal server under his/her control to the X-terminal of the user. If the attacker manages to falsify the work environment and the user is not aware of this falsification, the user may provide the attacker with sensitive information. An example of this is the input of a password that is not displayed on the screen, but that can be read by the attacker nevertheless.

Combinations of the attacks mentioned above are also possible.

Example:

"xnest" is part of many systems on which X-Window is installed. This application makes it possible to start one or several additional sessions during a terminal session and to display them in any size on the screen. It can be used for testing new configurations or for remote maintenance.

An attacker now manages to start this software on the client of the user, e.g. because the user did not log out when leaving the workplace or due to a weakness in the implementation of the X-server service. Within xnest, started with full screen resolution, the attacker starts the usual login dialogue of the terminal, but redirects its output to a second computer using the network, which is how the attacker gains possession of the authentication information of the user.
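
The following check is an added example and not part of the original catalogue text. It flags the two conditions from the scenario above on a user's client: a nested X server process, and a client whose display points at a host outside an allow-list. The record format (pid|command line|DISPLAY value) and all sample values are constructed assumptions.

```python
import re

# Constructed sample records, one per process: "pid|command line|DISPLAY value".
# On a real client they would be collected from the process table.
SAMPLE = """\
1201|/usr/bin/Xorg :0 -nolisten tcp|
1350|xterm|:0
2417|Xnest :1 -geometry 1920x1080|:0
2430|xdm-greeter|:1
2502|xclock|203.0.113.7:0
2610|xterm -display ws42.example.org:0.0|:0
"""

# Host parts of a display name that refer to the local machine.
LOCAL_HOSTS = frozenset({"", "unix", "localhost", "127.0.0.1"})
# X display name: [host]:display[.screen]
DISPLAY_RE = re.compile(r"^(?P<host>[^:]*):\d+(?:\.\d+)?$")


def display_host(value):
    """Return the host part of a display name, or None if it is not one."""
    m = DISPLAY_RE.match(value)
    return m.group("host") if m else None


def effective_display(cmdline, env_display):
    """A -display argument overrides the DISPLAY environment variable."""
    args = cmdline.split()
    for i, arg in enumerate(args[:-1]):
        if arg == "-display":
            return args[i + 1]
    return env_display


def audit(records, allowed_hosts=LOCAL_HOSTS):
    """Return (pid, finding) tuples for nested X servers and remote displays."""
    findings = []
    for line in records.strip().splitlines():
        pid, cmdline, env_display = line.split("|")
        program = cmdline.split()[0].rsplit("/", 1)[-1]
        if program.lower() == "xnest":
            findings.append((int(pid), "nested-x-server"))
        host = display_host(effective_display(cmdline, env_display))
        if host is not None and host not in allowed_hosts:
            findings.append((int(pid), "remote-display:" + host))
    return findings


if __name__ == "__main__":
    for pid, finding in audit(SAMPLE):
        print(pid, finding)
```

In a terminal-server environment, the legitimate terminal servers and X-terminals belong in allowed_hosts so that only unexpected redirections are reported.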