lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <87psv784sw.fsf@deneb.enyo.de>
Date: Tue, 31 May 2005 23:27:11 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: security-announce@...ts.enyo.de, bugtraq@...urityfocus.com,
	full-disclosure@...ts.grok.org.uk
Subject: Reminder: XGrabKeyboard is not a security
	interface


Some application authors assume that the XGrabKeyboard function can be
used to obtain exclusive access to the keyboard, to prevent other X11
clients on the same display from eavesdropping key presses (such as
passwords).  It's been known for some time that this is not the case
(for example, Casper H.S. Dik mentioned this in a November 1994
posting, <3afddh$1hq@...l.fwi.uva.nl>): clients can poll the keyboard
using XQueryKeymap.  A tool called "xspy" demonstrates this.

Recent versions of the xterm manpage contain a carefully worded
warning at the end of the paragraph quoted below:

| The xterm menu (see MENUS above) contains a Secure Keyboard entry
| which, when enabled, attempts to ensure that all keyboard input is
| directed only to xterm (using the GrabKeyboard protocol request).
| When an application prompts you for a password (or other sensitive
| data), you can enable Secure Keyboard using the menu, type in the
| data, and then disable Secure Keyboard using the menu again.  This
| ensures that you know which window is accepting your keystrokes.  It
| cannot ensure that there are no processes which have access to your
| X display that might be observing the keystrokes as well.

But there are other applications (quintuple-agent, to name just one)
whose documentation or source code indicates that the authors think
that XGrabKeyboard prevents keyboard sniffing from other X clients.
It doesn't, and end user documentation should not suggest that it is
safe to run trusted and untrusted clients on the same X11 display.

The X Security Extension prevents the use of XQueryKeymap by
non-trusted clients.  However, little beyond that is known about its
effectiveness.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ