Blogs

The Linux Security Circus: On GUI isolation

The Linux Security Circus: On GUI isolation
There certainly is one thing that most Linux users
don't realize about their Linux systems... this is the
lack of GUI-level isolation, and how it essentially
nullifies all the desktop security. I wrote about it a
few times, I spoke about it a few times, yet I still
come across people who don't realize it all the time.
So, let me stress this one more time: if you have two
GUI applications, e.g. an OpenOffice Word Processor,
and a stupid Tetris game, both of which granted
access to your screen (your X server), then there is
no isolation between those two apps. Even if they run
as different user accounts! Even if they are somehow
sandboxed by SELinux or whatever! None, zero, null,
nil!
The X server architecture, designed long time ago by
some happy hippies who just thought all the people
apps are good and non-malicious, simply allows any
GUI application to control any other one. No bugs, no
exploits, no tricks, are required. This is all by design.
One application can sniff or inject keystrokes to
another one, can take snapshots of the screen
occupied by windows belonging to another one, etc.
If you don't believe me, I suggest you do a simple
experiment. Open a terminal window, as normal
user, and run xinput list, which is a standard
diagnostic program for Xorg (on Fedora you will likely
need to install it first: yum install xorg-x11-apps):
$ xinput list
It will show you all the pointer and keyboard devices
that your Xorg knows about. Note the ID of the device
listed as “AT keyboard” and then run (as normal
user!):
$ xinput test id
It should now start displaying the scancodes for all
the keys you press on the keyboard. If it doesn't, it
means you used a wrong device ID.
Now, for the best, start another terminal window,
and switch to root (e.g. using su, or sudo). Notice
how the xinput running as user is able to sniff all
your keystrokes, including root password (for su),
and then all the keystrokes you enter in your root
session. Start some GUI app as root, or as different
user, again notice how your xinput can sniff all the
keystrokes you enter to this other app!
Yes, I can understand what is happening in your
mind and heart right now... Don't worry, others have
also passed through it. Feel free to hate me, throw
out insults at me, etc. I don't mind, really (I just won't
moderate them). When you calm down, continue
reading.
In Qubes the above problem doesn't exist, because
each domain (each AppVM) has it own local, isolated,
dummy X server. The main X server, that runs in
Dom0 and that handles the real display is never
exposed to any of the AppVMs directly (AppVMs
cannot connect to it via the X protocol). For details
see this technical overview.
You can repeat the same experiment in Qubes. You
just need to use the ID of the “qubesdev” device, as
shown by xinput list (should be 7). Run the xinput in
one of your domains, e.g. in the “red” one. Because
we actually use the same device for both mouse and
keystrokes, you should now see both the key
scancodes, as well as all the mouse events. Notice
how your xinput is able to sniff all the events that are
destined for other apps belonging to the same
domain where you run xinput, and how it is unable to
sniff anything targeted to other domains, or Dom0.
BTW, Windows is the only one mainstream OS I'm
aware of, that actually attempts to implement some
form of GUI-level isolation, starting from Windows
Vista. See e.g. this ancient article I wrote in the days
when I used Vista at my primary laptop. Of course,
it's still easy to bypass this isolation, because of the
huge interface that is exposed to each GUI client (that
also includes GPU API). Nevertheless, they at least
attempt to prevent this at the architecture level.

Real thoughts on Defcon 23

Hey, I hope everybody enjoys the intentionally ridiculous Amp Blasts post that I made about Defcon 23. The big theme I generally have for these posts is that they are based on elements of truth but made to be ridiculous to the point where it comes off as funny. With that in mind I figured that I should share my genuine thoughts about my experience with Defcon 23 as it was an important event for me for reasons different than most people.

Originally, I wasn't planning on going to Defcon due to the fact that I figured I had no legitimate incentive to go back due to how the event has inherently changed over the years. What changed though was that I gave my Elena (my girlfriend during Defcon, now my fiance) the choice on if she wanted to go to Vegas or not and that if we did it would be more of a general vacation which Defcon would just be one aspect of. I honestly didn't expect her to say yes to this so the end result was that I ended up back at Defcon. Overall, the sad reality though is that while I did enjoy that trip to Vegas as it afforded the opportunity for myself and Elena to take a much needed vacation, the reality is that for myself (along with Blake and other SX associates who attended the event) it was probably the least enjoyable Defcon overall.

Now, I'm going to state upfront one important reality about why this may be the case. When SX and many of its associates started to attend this event, we all did it during the Alexis Park era which was much more intimate. Thus I feel one thing that can be pointed out is that part of what happened may be the fact that there may be an element of nostalgia for some of us now for that era. However, this doesn't encompass the reasons that were stated though for feeling this way.

Amp Blasts: Defcon 23

Disclaimer: The following is intended to be an intentionally ridiculous post parodying internet rage. I hope everybody is able to enjoy this. Also, an actual post on my Defcon 23 experience will be posted shortly after this goes up as beyond this post I wanted to share my genuine thoughts on the event. I apologize for not writing this sooner as well.

I remember in 2000, Badger, Blake, and myself all walked into Defcon for the first time representing SX. It was a hell of an experience and gave us an opportunity to meet like-minded people which is something that due to the locations that the three of us came from, was extremely rare. In my case, I inadvertently became a part of the crew after making some flashwork and starting to write some tutorials so it was an inadvertent fluke which I am more than willing to admit to. Over the years me and Blake continued to attend Defcon, albeit infrequently and after Defcon 23, we both agreed that it fucking sucked.

Let's face it, we both already know that by becoming a bigger event and revamping to be more generally accessible we would face an element of idiocracy. However, it went far beyond what we saw from Defcon 21 and 22 by leaps and bounds. Splitting up the convention between two hotels and having people travel between them amongst non-con attendees was one of the worst decisions that was made by far. What was the thing that was beyond ridiculous though was that they have already confirmed that the same thing will be going on for Defcon 24 despite saying that they would have a better gameplan. I'm waiving a giant brown bullshit flag on this and I am not the only one.

About w0rm

So me. I am a high school student that loves to program and make things. My love for programming was started by my dad, who himself is an insane programmer, and a really smart guy. My first programming experience was back in 2007(I was 8 ), when my dad installed Flash MX on my computer. He installed flash on my computer just because he had another copy, and he thought that it would be fun thing for me to do. The first program I ever made(with my dad), was not your hello world program, but a program that did this:

In pseudocode:

int dog_number = 1;

while(dog < 10){
print("Dog" + dog_number + "chased the cat");
dog_number += 1;
}

At the time I thought it was such a dumb program. I was little, and I wanted to program games, not little programs that did apparently nothing. I wanted to do visual things, but my dad made me learn core actionscript. That did teach me an important lesson when I started to program games, as I knew the language in it's entirety when I moved on to making games. What he taught me was to learn the language, not just know enough to get by.

The first flash game that I made was dumb. It wasn't even a game. And I thought it was so cool. I made a little flash magic 8 ball. My first thing I did all by my self.

The next thing I got into was HTML, CSS, and JavaScript. After learning a lot, I tried to make a little webpage maker, that was in the browser. Long story short, I didn't think it through at all, but it did work. The web pages just looked really bad. My dad saw I was trying to make interactive web pages, so he installed WAMP server on my computer, so I could mess around with server side stuff. This was like when I was 10. PHP was really hard for me; so was SQL, and my next project that I worked on for a while was trying to make a simple forum from scratch. What it ended up being was a simple anonymous text bulletin board(I was to dumb to figure out how to make it so you could have users).

5.10.0

Thanks for all the hard work and effort being put in to this for feeble folks like me. We would not survive without peeps like the testers and everyone involved! Thank you, thank you, and thank you a thousand times. I know it is time consuming, so I want you all to know how much we appreciate it. Thanks.

Verzon.net Exploit PoC

Introduction
This is a Proof of Concept article describing a BlackBox pentest on a low-level target giving way to a High-level vulnerability in a big name company.

During Pre-engagement the target was identified only by BSSID and ESSID (great..one of those tests). The reinterpreted mission Scope: "Reconnect target 'without' brute-force or noisy network activity." The verbatim Scope: "Discover any possibilities of attacking victim or victims account status without using aggressive attack methods."

For this mission 'Wifi Hacking', 'Common Sense', & 'Possible Social Engineering' are at the disposal of the attacker.

You can read my notes at the end of this article

[disclaimer statement]

For obvious reasons detailed steps are omitted for sake of brevity and the safety of other innocent targets which are not aware of attacker activities. Please note: I am trained and authorized to perform these objectives disclosed in this article. I assume no responsibility for others attempting to reproduce the actions discussed in this article. If you are aware of the missing information, please be ethical in your actions.

As always, the information I provide in articles is purely for Educational purposes ONLY!

[/disclaimer statement]

Mission 1: Identify the Target

Identifying the target proved to be an easy task since the target is identified by BSSID and ESSID only. Naturally, a scan within range of the Pre-engagement site topped the list of 'to-dos'. To begin this objective Airmon-ng, Airodump-ng and Aircrack-ng are the tools of choice.

(Note: If you are unaware of the steps required to perform this attack, consult google. Describing the syntax and options used in a Wifi attack are beyond the scope of this article. This is not a tutorial)

//Airmon-ng succeeded in starting interface
//Airodump-g succeeded in displaying APs

Helping neophytes how to hack.

For the information of everybody I'm just a neophyte and I want to ask everybody to help me not just me but all neophytes how to hack. I know its craziest thing u heard helping someone who u do not know. but I just want to clarify that its not just all about helping but also sharing your knowledge to those who need the same kind knowledge u have.
I'll go directly to the point. I want to learn the basics of hacking and so on..I know you will say that "What if u better watch those video about hacking in Youtube or read it or search it on web." I'll answer to your question or suggestion that it better to teach somebody directly its faster and reliable to learn from someone's experience. thanks for reading this and please help us who need your help.

Kali Linux Commands Cheat Sheet BY-Hemant Vidholiya

Kali Linux commands cheat sheet. All basic commands from A to Z in Kali Linux has been listed below.
A

apropos : Search Help manual pages (man -k)
apt-get : Search for and install software packages (Debian/Ubuntu)
aptitude : Search for and install software packages (Debian/Ubuntu)
aspell : Spell Checker
awk : Find and Replace text, database sort/validate/index
B

basename : Strip directory and suffix from filenames
bash : GNU Bourne-Again SHell
bc : Arbitrary precision calculator language
bg : Send to background
break : Exit from a loop
builtin : Run a shell builtin
bzip2 : Compress or decompress named file(s)
C

cal : Display a calendar
case : Conditionally perform a command
cat : Concatenate and print (display) the content of files
cd : Change Directory
cfdisk : Partition table manipulator for Linux
chgrp : Change group ownership
chmod : Change access permissions
chown : Change file owner and group
chroot : Run a command with a different root directory
chkconfig : System services (runlevel)
cksum : Print CRC checksum and byte counts
clear : Clear terminal screen
cmp : Compare two files
comm : Compare two sorted files line by line
command : Run a command – ignoring shell functions •
continue : Resume the next iteration of a loop •
cp : Copy one or more files to another location
cron : Daemon to execute scheduled commands
crontab : Schedule a command to run at a later time
csplit : Split a file into context-determined pieces
cut : Divide a file into several parts
D

date : Display or change the date & time
dc : Desk Calculator
dd : Convert and copy a file, write disk headers, boot records
ddrescue : Data recovery tool
declare : Declare variables and give them attributes •
df : Display free disk space
diff : Display the differences between two files
diff3 : Show differences among three files
dig : DNS lookup
dir : Briefly list directory contents
dircolors : Colour setup for `ls’
dirname : Convert a full pathname to just a path
dirs : Display list of remembered directories
dmesg : Print kernel & driver messages
du : Estimate file space usage
E

echo : Display message on screen •
egrep : Search file(s) for lines that match an extended expression
eject : Eject removable media
enable : Enable and disable builtin shell commands •
env : Environment variables
ethtool : Ethernet card settings
eval : Evaluate several commands/arguments
exec : Execute a command
exit : Exit the shell
expect : Automate arbitrary applications accessed over a terminal
expand : Convert tabs to spaces
export : Set an environment variable
expr : Evaluate expressions
F

false : Do nothing, unsuccessfully
fdformat : Low-level format a floppy disk
fdisk : Partition table manipulator for Linux
fg : Send job to foreground
fgrep : Search file(s) for lines that match a fixed string
file : Determine file type
find : Search for files that meet a desired criteria
fmt : Reformat paragraph text
fold : Wrap text to fit a specified width.
for : Expand words, and execute commands
format : Format disks or tapes
free : Display memory usage
fsck : File system consistency check and repair
ftp : File Transfer Protocol
function : Define Function Macros
fuser : Identify/kill the process that is accessing a file
G

gawk : Find and Replace text within file(s)
getopts : Parse positional parameters
grep : Search file(s) for lines that match a given pattern
groupadd : Add a user security group
groupdel : Delete a group
groupmod : Modify a group
groups : Print group names a user is in
gzip : Compress or decompress named file(s)
H

hash : Remember the full pathname of a name argument
head : Output the first part of file(s)
help : Display help for a built-in command
history : Command History
hostname : Print or set system name
I

iconv : Convert the character set of a file
id : Print user and group id’s
if : Conditionally perform a command
ifconfig : Configure a network interface
ifdown : Stop a network interface
ifup : Start a network interface up
import : Capture an X server screen and save the image to file
install : Copy files and set attributes
J

jobs : List active jobs
join : Join lines on a common field
K

kill : Stop a process from running
killall : Kill processes by name
L

less : Display output one screen at a time
let : Perform arithmetic on shell variables
ln : Create a symbolic link to a file
local : Create variables
locate : Find files
logname : Print current login name
logout : Exit a login shell
look : Display lines beginning with a given string
lpc : Line printer control program
lpr : Off line print
lprint : Print a file
lprintd : Abort a print job
lprintq : List the print queue
lprm : Remove jobs from the print queue
ls : List information about file(s)
lsof : List open files
M

make : Recompile a group of programs
man : Help manual
mkdir : Create new folder(s)
mkfifo : Make FIFOs (named pipes)
mkisofs : Create an hybrid ISO9660/JOLIET/HFS filesystem
mknod : Make block or character special files
more : Display output one screen at a time
mount : Mount a file system
mtools : Manipulate MS-DOS files
mtr : Network diagnostics (traceroute/ping)
mv : Move or rename files or directories
mmv : Mass Move and rename (files)
N

netstat : Networking information
nice Set : the priority of a command or job
nl Number : lines and write files
nohup : Run a command immune to hangups
notify-send : Send desktop notifications
nslookup : Query Internet name servers interactively
O

open : Open a file in its default application
op : Operator access
P

passwd : Modify a user password
paste : Merge lines of files
pathchk : Check file name portability
ping : Test a network connection
pkill : Stop processes from running
popd : Restore the previous value of the current directory
pr : Prepare files for printing
printcap : Printer capability database
printenv : Print environment variables
printf : Format and print data •
ps : Process status
pushd : Save and then change the current directory
pwd : Print Working Directory
Q

quota : Display disk usage and limits
quotacheck : Scan a file system for disk usage
quotactl : Set disk quotas
R

ram : ram disk device
rcp : Copy files between two machines
read : Read a line from standard input
readarray : Read from stdin into an array variable
readonly : Mark variables/functions as readonly
reboot : Reboot the system
rename : Rename files
renice : Alter priority of running processes
remsync : Synchronize remote files via email
return : Exit a shell function
rev : Reverse lines of a file
rm : Remove files
rmdir : Remove folder(s)
rsync : Remote file copy (Synchronize file trees)
S

screen : Multiplex terminal, run remote shells via ssh
scp : Secure copy (remote file copy)
sdiff : Merge two files interactively
sed : Stream Editor
select : Accept keyboard input
seq : Print numeric sequences
set: Manipulate shell variables and functions
sftp : Secure File Transfer Program
shift : Shift positional parameters
shopt : Shell Options
shutdown : Shutdown or restart linux
sleep : Delay for a specified time
slocate : Find files
sort : Sort text files
source : Run commands from a file `.’
split : Split a file into fixed-size pieces
ssh : Secure Shell client (remote login program)
strace : Trace system calls and signals
su : Substitute user identity
sudo : Execute a command as another user
sum : Print a checksum for a file
suspend : Suspend execution of this shell
symlink : Make a new name for a file
sync : Synchronize data on disk with memory
T

tail : Output the last part of file
tar : Tape ARchiver
tee : Redirect output to multiple files
test : Evaluate a conditional expression
time : Measure Program running time
times : User and system times
touch : Change file timestamps
top : List processes running on the system
traceroute : Trace Route to Host
trap : Run a command when a signal is set(bourne)
tr : Translate, squeeze, and/or delete characters
true : Do nothing, successfully
tsort : Topological sort
tty : Print filename of terminal on stdin
type : Describe a command
U

ulimit : Limit user resources
umask : Users file creation mask
umount : Unmount a device
unalias : Remove an alias
uname : Print system information
unexpand : Convert spaces to tabs
uniq : Uniquify files
units : Convert units from one scale to another
unset : Remove variable or function names
unshar : Unpack shell archive scripts
until : Execute commands (until error)
uptime : Show uptime
useradd : Create new user account
userdel : Delete a user account
usermod : Modify user account
users : List users currently logged in
uuencode : Encode a binary file
uudecode : Decode a file created by uuencode
V

v : Verbosely list directory contents (`ls -l -b’)
vdir : Verbosely list directory contents (`ls -l -b’)
vi : Text Editor
vmstat : Report virtual memory statistics
W

wait : Wait for a process to complete
watch : Execute/display a program periodically
wc : Print byte, word, and line counts
whereis : Search the user’s $path, man pages and source files for a program
which : Search the user’s $path for a program file
while : Execute commands
who : Print all usernames currently logged in
whoami : Print the current user id and name (`id -un’)
wget : Retrieve web pages or files via HTTP, HTTPS or FTP
write : Send a message to another user
x

xargs : Execute utility, passing constructed argument list(s)
xdg-open : Open a file or URL in the user’s preferred application.

Content updates

Since I've been unavailable due to being at Defcon, I figure I would give a quick update on what is coming down the pipeline. First off, I will be continuing to revise the HDB as necessary. In addition to this, I also will have to get back to work on some other projects for the group (OFACE being one of them) and some more behind the scenes work. The big thing is that I typically do an annual recap about Defcon. This year though.... I've decided to handle it differently as it will be a "blasts" post along with an afterword containing some real thoughts and concerns!

adherence

to err is human, to forgive is divine Wink

Syndicate content