This Teddy Bear Steals Your Ubuntu Secrets

Ubuntu just came out with the new long-term support version of their desktop Linux operating system. It’s got a few newish features, including incorporating the “snap” package management format. One of the claims about “snaps” is that they’re more secure — being installed read-only and essentially self-contained makes them harder to hack across applications. In principle.

[mjg59] took issue with their claims of increased cross-application security. And rather than just moan, he patched together an exploit that’s disguised as a lovable teddy bear. The central flaw is something like twenty years old now; X11 has no sense of permissions and any X11 application can listen in on the keyboard and mouse at any time, regardless of which application the user thinks they’re providing input to. This makes writing keylogging and command-insertion trojans effortless, which is just what [mjg59] did. You can download a harmless version of the demo at [mjg59]’s GitHub.

This flaw in X11 is well-known. In some sense, there’s nothing new here. It’s only in light of Ubuntu’s claim of cross-application security that it’s interesting to bring this up again.

[Image: xeyes]

And the teddy bear in question? Xteddy dates back to when it was cool to display a static image in a window on a workstation computer. It’s like a warmer, cuddlier version of Xeyes. Except it just sits there. Or, in [mjg59]’s version, it records your keystrokes and uploads your passwords to shady underground characters or TLAs.

We discussed Snappy Core for IoT devices previously, and we think it’s a step in the right direction towards building a system where all the moving parts are only loosely connected to each other, which makes upgrading part of your system possible without upgrading (or downgrading) the whole thing. It probably does enhance security when coupled with a newer display manager like Mir or Wayland. But as [mjg59] pointed out, “snaps” alone don’t patch up X11’s security holes.

20 thoughts on “This Teddy Bear Steals Your Ubuntu Secrets”

  1. “X11 has no sense of permissions” This is completely false.

    X11 is not fundamentally insecure. In fact, X11 had the security infrastructure to shield clients from each other for a long time. It is just not used and also has been neglected because most distros set everything up as wide open. The fault is not with X11; the fault is with Ubuntu, CentOS, RedHat, etc… as the distros are not using the built-in security that can and will keep bad applications from snooping in on each other. And honestly it’s not a “giant security hole” as you have to run the application, and if you are downloading random things and running them without making sure they are trusted, you have far more problems in your system than X11.

    Lastly different processes of the same user are not shielded against each other on Linux anyway, so I can easily snoop all that stuff directly without X11 running. But then the same can be done under any OS if the evil code is running as the user, it can watch the user.

    With respect to clients and or processes of the same user, X is fundamentally much more secure than Unix has ever been.
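The “built in security” the comment above refers to is the X SECURITY extension: a client that authenticates with an untrusted cookie is denied access to windows, input and extensions (XRecord, XTEST) belonging to trusted clients, which is exactly what a snooping client like xevilteddy relies on. OpenSSH uses the same mechanism for plain `ssh -X` (as opposed to `-Y`). The wrapper below is an added example, not code from the article or from [mjg59]’s demo; it assumes an Xorg server with the SECURITY extension enabled (the default build) and the `xauth` tool on PATH, and the `session_kind`, `make_untrusted_xauth` and `run_untrusted` names are this example’s own.

```shell
#!/bin/sh
# Added example (not from the article or xevilteddy): launch an X11 client as an
# "untrusted" client via the X SECURITY extension so the server refuses it access
# to other clients' windows and input events.
# Assumes: Xorg with the SECURITY extension enabled, and xauth installed.
set -eu

# Classify the desktop session from its environment.
# Args: XDG_SESSION_TYPE WAYLAND_DISPLAY DISPLAY  ->  prints wayland | x11 | none
# WAYLAND_DISPLAY is checked before DISPLAY because XWayland sets DISPLAY too.
session_kind() {
    case "${1:-}" in
        wayland) echo wayland ;;
        x11)     echo x11 ;;
        *)
            if [ -n "${2:-}" ]; then
                echo wayland
            elif [ -n "${3:-}" ]; then
                echo x11
            else
                echo none
            fi ;;
    esac
}

# Write an untrusted cookie for $DISPLAY into the given file (mode 0600).
# "timeout 0" keeps the cookie valid for the life of the server instead of
# xauth's default, which expires it 60 s after the last untrusted client exits.
make_untrusted_xauth() {
    file="$1"
    umask 077
    : > "$file"
    xauth -f "$file" generate "$DISPLAY" . untrusted timeout 0
    echo "$file"
}

# Run a program that can only see the untrusted cookie; it cannot read the
# trusted cookie in the user's normal XAUTHORITY file.
run_untrusted() {
    cookie=$(mktemp -t untrusted-xauth.XXXXXX)
    make_untrusted_xauth "$cookie" >/dev/null
    status=0
    XAUTHORITY="$cookie" "$@" || status=$?
    rm -f "$cookie"
    return "$status"
}

# Entry point when invoked as a script: ./untrusted-x.sh <program> [args...]
if [ "$#" -gt 0 ]; then
    kind=$(session_kind "${XDG_SESSION_TYPE:-}" "${WAYLAND_DISPLAY:-}" "${DISPLAY:-}")
    if [ "$kind" != x11 ]; then
        echo "session is '$kind', not X11; untrusted cookies only apply to Xorg" >&2
        exit 1
    fi
    run_untrusted "$@"
fi
```

Usage: `./untrusted-x.sh xteddy` starts the client with only the untrusted cookie. The caveat is the one the comment thread circles around: an untrusted client also loses global hotkeys, clipboard exchange with trusted windows and GUI-scripting extensions, and some toolkits misbehave under these restrictions, which is a large part of why distributions ship the server wide open and why compositors such as Wayland moved the isolation into the protocol instead.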

    1. “and if you are downloading random things and running them without making sure they are trusted, you have far more problems in your system than X11.”

      What else can you do if the software you want isn’t in the central repository, and you’re an ordinary user without any understanding over source code?

      You want to be able to download software, but you haven’t actually got the competence to tell whether it’s safe, and the distro lords can’t keep supplying you with everything you could possibly want – not even close.

      1. Yup, totally agree. I’ve been on the net since the bulletin board days in the early 90s. Never bought a virus checker, only have what the OS offers. I have never had a virus. This is because I never go around downloading random apps. Trusted sources only for me. Seen far too many PCs’ OS installs broken by virus checkers, never seen one broken by a virus.

          1. You can scan for viruses without installing an anti-virus suite.

            He’s right. Most AV software is crap, and even the best don’t actually do shit. Most of the time all it manages to do is slow a computer down to a crawl and cause weird glitches/crashes with the OS by trying to be too clever, and sometimes breaks it entirely. Norton/McAfee especially is about as bad as the malware itself in messing up your stuff, and it even spreads like malware because it’s sideloaded with many many popular apps.

            It only really works against the traditional bonzi-buddy stuff where you have to download some .exe and run it – the other exploits come through your web browser or some other software that the AV doesn’t even check because it’s already running as a trusted service. Stuff like Flash exploits.

            So the moral of the story is that you’re crippling your computer running AV software that doesn’t protect you from viruses/malware, while the only real solution is just common sense: don’t download untrusted software and don’t visit dubious websites with flash etc. running by default.

          1. I’ve had one virus, which I both knew was probably a bad file but trusted virus scanners. I’d gotten a copy of a 5 or 8 year old computer game, and needed a keygen or file crack. For whatever reason, the file that came along with a text list of keys, well, I ran it. Noticed that most of my favorite websites popped open some pop-ups, none of the addresses in links showed up right. Checked my proxy settings, and they were all kinds of wrong. Reset them, rebooted, and they were back to wrong again. Used some short Google searching to narrow down the virus, found the registry keys and files it used, and nuked it.

            Then reformatted just to be certain. Was the last game I pirated; not because of the virus, just got bored of it.

            So other than one file where I trusted the local running AV to protect me, I’ve not been hit either. uMatrix configured to whitelist sites like HaD and others, while blocking Flash and tracking cookies, or just NoScript-like stuff blocking Flash and JS. It’s not hard to avoid the drive-by virus vectors.

          2. That’s not necessarily the case. If you use an uncommon platform, say OpenBSD or WebOS, then you’re in too small a pool to be interesting for the virus writers. It also helps not opening every silly e-mail you get with an attachment. It helps more if you use an e-mail reader which doesn’t execute code just because the attachment is executable (and not marked in a user-visible way as such). It also helps avoiding stupid software like Acrobat Reader which implements a JavaScript engine (what could possibly go wrong?) or Flash, etc. Have I ever been hacked? Can’t say for sure, but that would be by a clever hacker, not an off-the-shelf virus, and I doubt those have interest in me.

        1. The only virus I’ve ever had on a personal computer found its way in via an infected (commercially made/sold) game CD. The computer pressing copies of the CD had gotten infected, so every disk made after that was infected.

  2. I’m not sure I understand the point he is trying to make; they’re not saying “snaps fixes this X11 problem”, they’re just saying it’s more secure, albeit vaguely. He just pointed out a problem that was around before snaps, and tries to make a big deal that snaps didn’t fix the problem? Why target Ubuntu and snaps when the same can be said of tons of other distros? Seems like he had a personal vendetta to me.

    1. Re: Personal vendetta — I think that’s absolutely true. There are a number of people who grumble, repeatedly, loudly against the openness vs security tradeoffs made by X11 (@Timothy Gray: as it is configured in most major distros).

      Canonical/Ubuntu _did_ claim that their snaps isolate one application from another. And while that’s true in that they’re not sharing linked libraries, the point of this app is that isn’t enough.

    2. There has been a vocal group of security researchers that have been complaining that without full application sandboxing, Linux is horribly insecure. So Canonical (Ubuntu) and Red Hat are championing different approaches to smartphone-style app distribution/management.

      [mjg] has been involved in vetting the security model of xdg-apps, which is the Gnome/Red Hat/freedesktop.org solution. xevilteddy is a proof of concept to make the case that xdg-apps is better.

      Now, this ties back into the broader debate that the Linux community is going through about who defines the core that all Linux distributions must follow. There are three major camps: Canonical (Ubuntu) sets the policy, Red Hat sets the policy, and business as usual (distros do their own thing).

      The end result of Canonical or Red Hat prevailing is that all other distros become just branding on top of their core OS.

      This is why Canonical and Red Hat have been having public fights to replace parts of the classical Linux stack. Upstart and systemd for sysvinit. (Red Hat won.) Mir and Wayland for X11. (Red Hat is probably going to win again.) Snaps and xdg-apps for traditional package management. (Hopefully neither, but likely Red Hat.)

  3. Snap packages seem like a good idea. Naturally new innovations need time to bear all of their fruits. I’m happy to see Ubuntu innovating and trying to provide its users with something new. There’s also Arch and the AUR as well as the openSuse build system; they all try to fix problems/flaws with traditional package management systems.

    I personally prefer to use Debian on the Desktop and server. I use Debian stable almost exclusively while flirting with Debian Testing from time to time and using Win10 occasionally for gaming.

  4. Ugh.

    So.. once I am protected from programs that I chose to download and run, you know.. once my computer is a proper nanny, what am I going to lose? Aren’t there times when I will want one running application to monitor the keyboard and/or mouse while another one is active?

    How about setting hot keys?
    If one program cannot monitor the keyboard/mouse while another is active can it at least send keyboard/mouse events to the active program? Or is the goal to make scripting of gui applications impossible?

    Not really related to the keyboard/mouse stuff but in the brave new sandboxed world can I even take a screen capture? I might be a moron that downloaded something stupid and it might send screen captures of my banking screen to Nigeria or something!

    I’m really sick of security gurus telling us all that they know what is best for us without any consideration of what we might actually want our computers to do.
