- Newsgroups: alt.security,alt.sources.patches,alt.sources
- From: nyh@leibniz.WPI.EDU (Nevo Y Hed)
- Subject: Xterm security patch ...
- Message-ID: <1992May7.070930.5399@wpi.WPI.EDU>
- Organization: Worcester Polytechnic Institute
- Date: Thu, 7 May 1992 07:09:30 GMT
-
-
-
- [ I have posted this article about a week ago. Due to problems with the
- local news server it was detained so long that I believe it was purged
- before its delivery. If I am wrong and this is a repost - please excuse
- me.]
-
-
- Many of us know that X11 and security don't go together very
- well. However, with a standard MIT X11 distribution or with the DEC X
- stuff, it is very easy for one to write a spying program (which I did)
- that can read every keypress someone else makes. Later, I was told
- that similar code appeared at one point on some hack newsgroup and a
- friend also wrote a similar program and plans to post it a week or so
- after I post this.
-
-
- Now down to business; The sensitive information one could get
- with such a spying program would be passwords. So xterm and dxterm
- have a menu option to protect the keyboard (using XGrabKeyboard(),
- only one application can use XGrabKeyboard at the same time).
- However, it is a real pain to activate this feature, and most people
- don't even know it's a problem. That's why I came up with this
- patch to xterm (it only modifies the Xterm sources slightly).
-
-
- When the string "Password:" arrives at the screen (currently
- ignoring case) the (already existing) xterm's secure keyboard feature
- is enabled until the next linefeed.
-
- This feature can be disabled via menu and/or X resources as
- well as the password prompt, see manpage.
-
- This technique will work for most applications that require a
- password. Of course it isn't foolproof, and some versions of ftp will
- prompt for a password with a non-standard string, which bypasses this
- check. There is a possible workaround for this though, and you can
- check the manpage in the archive.
-
-
- Anyway, this has been running on our CS lab machines for a
- while with no complaints. The main benefit is that sxterm raises user
- awareness.
-
-
- You can ftp the archive, sxterm.tar.Z [all sources for the
- patched xterm] via anon-ftp on homeboy.wpi.edu /pub/sxterm.tar.Z and
- possibly from some other wpi machines such as [coyote|fledgling|
- hilbert|newton].wpi.edu at /contrib/sxterm.tar.Z.
-
-
-
- Only minor changes were made to the original Xterm source, so
- I would recommend that you replace the original with this "fixed"
- version. Be sure to read README.PATCH and the manpage under "PATCH
- NOTES".
-
-
- Feel free to post the diffs (I sorta lost my origs) and feel
- free to modify the method in which the password prompt is detected -
- but be aware that you cannot detect the echo disabling of the
- application running in xterm. The current method may seem
- inefficient, but no apparent slowdown can be detected by the user.
-
-
-
- P.S. In case you don't think this is a problem, one of our sysadmins had
- his password grabbed on the first try with absolutely no traces nor
- indication that it had happened. This is a real problem.
-
-
- P.S. #2 if you have your home-brew X login screen make sure you
- XGrabServer()...
- --
- +-----------------+
- | Nevo Y Hed |
- | Internet: |
- | nyh@wpi.wpi.edu |
- | |
- |++1 (508)754-2491|
- +-----------------+
-
-
-
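The prompt detection the post describes (case-insensitive "Password:" in the output stream, protection held until the next linefeed), sketched as an added example that is not part of the original post and not sxterm's code. The names `prompt_watch` and `watch_feed` are hypothetical, the sample output is constructed, and a flag stands in for the actual keyboard grab.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; the prompt is compared case-insensitively. */
static const char PROMPT[] = "password:";

struct prompt_watch {
    size_t matched;  /* leading chars of PROMPT matched so far */
    int secure;      /* 1 while the keyboard grab should be held */
    int grabs;       /* how many times secure mode was entered */
};

/* Feed one chunk of output on its way to the screen; the match state
 * survives across calls, so a prompt split over two reads is still seen.
 * Returns the secure state after the chunk. */
int watch_feed(struct prompt_watch *w, const char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        int c = tolower((unsigned char)buf[i]);
        if (w->secure) {
            if (c == '\n') {        /* linefeed ends the protected span */
                w->secure = 0;      /* a real xterm would release the grab here */
                w->matched = 0;
            }
            continue;
        }
        /* 'p' occurs only at index 0 of PROMPT, so on a mismatch the only
         * possible restart is a fresh match beginning at this character. */
        if (c == PROMPT[w->matched])
            w->matched++;
        else
            w->matched = (c == PROMPT[0]) ? 1 : 0;
        if (w->matched == sizeof PROMPT - 1) {
            w->secure = 1;          /* a real xterm would call XGrabKeyboard() here */
            w->grabs++;
            w->matched = 0;
        }
    }
    return w->secure;
}

int main(void)
{
    /* Constructed sample output, split mid-prompt on purpose. */
    const char *chunks[] = { "login: user\r\nPass", "WORD: ", "\r\n", "Enter secret: " };
    struct prompt_watch w = { 0, 0, 0 };
    for (size_t i = 0; i < sizeof chunks / sizeof chunks[0]; i++)
        printf("chunk %zu -> secure=%d\n", i, watch_feed(&w, chunks[i], strlen(chunks[i])));
}
```

The last constructed chunk is a non-standard prompt and leaves the flag clear, which is the gap the post mentions for some versions of ftp.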