backdooring x11 with class
play

Backdooring X11 with class Matias Katz @matiaskatz - PowerPoint PPT Presentation

Jan 12, 2023 •334 likes •742 views

Backdooring X11 with class Matias Katz @matiaskatz matias@matiaskatz.com Andsec Security Conference End of November 2015 Buenos Aires, Argentina www.andsec.org An idea back in 1995... Locking a computer using hardware An idea back in

  1. Backdooring X11 with class Matias Katz @matiaskatz matias@matiaskatz.com

  2. Andsec Security Conference End of November 2015 Buenos Aires, Argentina www.andsec.org

  3. An idea back in 1995... Locking a computer using hardware

  4. An idea back in 1995... 2 steps: 1) Find a way to read a device 2) Find a way to lock a computer

  5. An idea back in 1995... Step 1 Filesystem? NO UUID? YES

  6. Reading the device 2 steps: 1) “/dev/disk/by-id/” enrollment 2) Check if present each 0.1s

  7. Locking the computer Step 2 DBUS

  8. Locking the computer DBUS: - IPC software - Apps communication - SW and HW interruptions

  9. Locking the computer DBUS: - Runs with privileges - Speaks directly to the kernel - Available in most X Display Managers

  10. Demo “locker.py”

  11. What else to do - Sound alarm - Email certain data - Power off - Delete private keys - Encrypt certain files - Shred entire disk

  12. And then I thought... Can I unlock a computer using the same method?

  13. Generating a Backdoor

  14. Unlocking a computer 2 steps: 1) Find a way to unlock a computer 2) Trigger the unlock

  15. A good backdoor 2 main features: 1) Leave small traces 2) Have a stealth trigger

  16. Unlocking a computer Unlocking computer leaving small traces: Binaries? NO Rootkits? NO OS features? YES

  17. Unlocking a computer Unlocking computer leaving small traces: DBUS :)

  18. Unlocking a computer Stealth trigger to unlock: - Not checked by AVs - Execution without suspicion - Available in all computers

  19. Unlocking a computer Stealth trigger to unlock: Keystrokes? NO Open port? NO Hardware? YES

  20. Hardware change Stealth hardware trigger: - Respond while locked - OS must not interfere - Cannot be disruptive

  21. Hardware change Network Connection? NO Screen brightness? NO Power input? NO

  22. So?

  23. Audio Jack :)

  24. Playing with audio jack - Mechanic detection - Notifies the OS - Who checks that?

  25. Playing with audio jack 2 steps: 1) Read “/proc/asound/card0/codec#0” 2) Check for changes

  26. Playing with audio jack Demo “jack.py” (Warning: Playing with the audio jack could damage it)

  27. Playing with audio jack Small problem: What if the victim wants to use the headphones?

  28. Playing with audio jack Simple solution: Create a pattern

  29. Playing with audio jack 2 steps: 1) Set checks each 1s, like “01110” 2) Replicate that with the headphones

  30. Unlocking the computer Demo “back2.2.py”

  31. The aftertaste How to mitigate it? - Remove Dbus (nope) - Disable screen lock (ugly but ok) - Switch to a minimal XDM (ok)

  32. The aftertaste Do you have to run it beforehand? YES (that's why it's called a “backdoor” :D)

  33. The aftertaste Can it be persistent? YES (rc.local)

  34. The aftertaste How big is it? 20 lines (dirty) 1 line (nice)

  35. The aftertaste What's so good about it? - NO Opcodes - Undetectable

  36. The aftertaste >>> import dbus >>> >>> import dbus Traceback (most recent call last): File "<stdin>", line 1, in <module> ImportError: No module named dbus >>>

  37. The aftertaste Can you do it to 'root' ? YES (but...)

  38. The aftertaste Can you do it on Windows ? YES - WinDBus - COM / RPC / DDE

  39. The aftertaste Can you Shellshock it ? HELL YEAH (however..) (Thanks Chino for the idea and Nutrix for the help implementing)

  40. Backdooring X11 with class Matias Katz @matiaskatz matias@matiaskatz.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Backdooring your server through its BMC : the HPE iLO4 case Fabien Prigaud, Alexandre Gazet

Backdooring your server through its BMC : the HPE iLO4 case Fabien Prigaud, Alexandre Gazet

Backdooring your server through its BMC : the HPE iLO4 case Fabien Prigaud, Alexandre Gazet &amp; Jofgrey Czarny Rennes, June 13-15 , 2018 Outline Introduction Previous works Firmware security A fjrmware backdoor Conclusion 1 HP

658 views • 43 slides
Hardware Backdooring is practical Jonathan Brossard (Toucan System) Florentin Demetrescu

Hardware Backdooring is practical Jonathan Brossard (Toucan System) Florentin Demetrescu

Hardware Backdooring is practical Jonathan Brossard (Toucan System) Florentin Demetrescu (Cassidian) DISCLAIMER We are not terrorists . We won't release our PoC backdoor. The x86 architecture is plagued by legacy. Governments know.

525 views • 37 slides
The Hidden Nemesis: Backdooring Embedded Controllers Ralf-Philipp Weinmann University of

The Hidden Nemesis: Backdooring Embedded Controllers Ralf-Philipp Weinmann University of

The Hidden Nemesis: Backdooring Embedded Controllers Ralf-Philipp Weinmann University of Luxembourg ralf-philipp.weinmann@uni.lu Targets. Targets. You can be one, too. Assume I briefly have physical access your laptop. #FAIL for you, I

327 views • 30 slides
Electing Your Membership Class Class TG, Class TH, or Class DC As a school employee who

Electing Your Membership Class Class TG, Class TH, or Class DC As a school employee who

Electing Your Membership Class Class TG, Class TH, or Class DC As a school employee who first became an active member of PSERS on or after July 1, 2019, you are automatically enrolled as a Class TG member. Class TG is a hybrid of both

538 views • 17 slides
First-Class Values A value is first-class if it satisfies all of these properties: First-Class

First-Class Values A value is first-class if it satisfies all of these properties: First-Class

First-Class Values A value is first-class if it satisfies all of these properties: First-Class Functions in Racket It can be named by a variable It can be passed as an argument to a function; It can be returned as the result of a

341 views • 3 slides
TwissOptics Class Joschua Dilly TwissOptics Class 2 The TwissOptics Class Resonance Driving

TwissOptics Class Joschua Dilly TwissOptics Class 2 The TwissOptics Class Resonance Driving

TwissOptics Class Joschua Dilly TwissOptics Class 2 The TwissOptics Class Resonance Driving Terms Linear Dispersion Coupling Chromatic Beating Conclusion To do TwissOptics Class 3 The TwissOptics Class TwissOptics Class 4 New class

450 views • 24 slides
Inheritance II Is-a versus has-a When an object of class A has a n object of class B, use

Inheritance II Is-a versus has-a When an object of class A has a n object of class B, use

Inheritance II Is-a versus has-a When an object of class A has a n object of class B, use object composition . Class A will have a field (variable) of class B in its implementation. When class A is a specific kind of another class B,

700 views • 12 slides
Class Specifications } A class diagram only gives a sketch of that class } More detail is

Class Specifications } A class diagram only gives a sketch of that class } More detail is

Class Specifications } A class diagram only gives a sketch of that class } More detail is given by the full specification of a class } Every useful Java class should have such a specification } When you write code, its up to you to create

64 views • 4 slides
CS 137: File Systems Class Overview 1 / 16 Class Overview Todays Topics Purpose of class

CS 137: File Systems Class Overview 1 / 16 Class Overview Todays Topics Purpose of class

CS 137: File Systems Class Overview 1 / 16 Class Overview Todays Topics Purpose of class How class will be run Project Sources of filesystem papers Early reading Introduction to disk technology 2 / 16 Class Overview

344 views • 17 slides
CS 137: File Systems Class Overview 1 / 14 Class Overview Todays Topics Purpose of class

CS 137: File Systems Class Overview 1 / 14 Class Overview Todays Topics Purpose of class

CS 137: File Systems Class Overview 1 / 14 Class Overview Todays Topics Purpose of class How class will be run Project Sources of filesystem papers Early reading Introduction to disk technology 2 / 14 Class Overview

436 views • 15 slides
CS 135: File Systems Class Overview 1 / 11 Class Overview Todays Topics Purpose of class

CS 135: File Systems Class Overview 1 / 11 Class Overview Todays Topics Purpose of class

CS 135: File Systems Class Overview 1 / 11 Class Overview Todays Topics Purpose of class How class will be run Project Sources of filesystem papers Early reading Introduction to disk technology 2 / 11 Class Overview

515 views • 12 slides
Previous*Courses Digital*Logic*Design Boolean*Algebra

Previous*Courses Digital*Logic*Design Boolean*Algebra

Preliminary*Information Instructor*Introduction Class*Policies Disabilities/Religious*Holidays Cheating/Copying Class*Web*Site Class*Notes Class*Schedule Laboratories

795 views • 18 slides
The header file is a class declaration class Dice What the class looks like, but now how it

The header file is a class declaration class Dice What the class looks like, but now how it

Classes: From Use to Implementation Anatomy of the Dice class The class Dice, need #include &quot; dice.h &quot; Weve used several classes, a class is a collection of objects sharing similar characteristics Objects: six-sided dice,

299 views • 8 slides
Classroom Assessment Scoring System (CLASS) 104 B New Report Format Interpreting your CLASS

Classroom Assessment Scoring System (CLASS) 104 B New Report Format Interpreting your CLASS

Classroom Assessment Scoring System (CLASS) 104 B New Report Format Interpreting your CLASS report CLASS Webinar Series -Scope &amp; Sequence Title Description Why the DECE uses the CLASS tool What the CLASS tool measures CLASS 101

447 views • 41 slides
Chapter 10 Object-Oriented Thinking 1 Class Abstraction and Encapsulation Class abstraction is

Chapter 10 Object-Oriented Thinking 1 Class Abstraction and Encapsulation Class abstraction is

Chapter 10 Object-Oriented Thinking 1 Class Abstraction and Encapsulation Class abstraction is the separation of class implementation details from the use of the class. The class creator provides a description of the class to let users know

420 views • 24 slides
Inner Class Inner Classes A &quot;regular&quot; inner class is declared inside the curly

Inner Class Inner Classes A &quot;regular&quot; inner class is declared inside the curly

Inner Class Inner Classes A &quot;regular&quot; inner class is declared inside the curly braces of another class, but outside any method or other code block. An inner class is a full-fledged member of the enclosing (outer) class, so it can

381 views • 6 slides
Welcome The webinar will begin shortly Welcome! Remigijus Lapinskas President, World

Welcome The webinar will begin shortly Welcome! Remigijus Lapinskas President, World

Welcome The webinar will begin shortly Welcome! Remigijus Lapinskas President, World Bioenergy Association Moderator Africa-EU Renewable Energy Cooperation Programme (RECP) A European Platform for Private Sector Investments in Africas

1.18k views • 89 slides
The Unix Spirit set Free: Plan 9 from Bell Labs Uriel uriel@cat-v.org The most common question

The Unix Spirit set Free: Plan 9 from Bell Labs Uriel uriel@cat-v.org The most common question

The Unix Spirit set Free: Plan 9 from Bell Labs Uriel uriel@cat-v.org The most common question about Plan 9 Is Plan 9 Free Software/Open Source? Yes! Latest Plan 9 license is considered Free Software by RMS and the FSF. Considered Open

910 views • 33 slides
CSN08101 Digital Forensics Lecture 6: Acquisition Lecture 6: Acquisition Module Leader: Dr

CSN08101 Digital Forensics Lecture 6: Acquisition Lecture 6: Acquisition Module Leader: Dr

CSN08101 Digital Forensics Lecture 6: Acquisition Lecture 6: Acquisition Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Objectives Storage Formats Acquisition Architecture Acquisition Methods Tools Data

693 views • 36 slides
X N x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique

X N x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique

X N x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique Sebastian Krahmer krahmer@suse.de September 28, 2005 - Abstract The x86-64 CPU platform (i.e. AMD64 or Hammer) introduces new features to protect against

627 views • 20 slides
Exceptional Customer Experience Yes! It Can Happen in HR! Lei Lonni Giroux Acting Director,

Exceptional Customer Experience Yes! It Can Happen in HR! Lei Lonni Giroux Acting Director,

Exceptional Customer Experience Yes! It Can Happen in HR! Lei Lonni Giroux Acting Director, Talent Acquisition Group Office of Human Capital Centers for Medicare &amp; Medicaid Services 2 Hows the Aftertaste?... You have to pay the

665 views • 15 slides
Recommendations, Activities, and Behavior Feb 9, 2018 Julian McAuley Where are recommender

Recommendations, Activities, and Behavior Feb 9, 2018 Julian McAuley Where are recommender

Structured Output Models of Recommendations, Activities, and Behavior Feb 9, 2018 Julian McAuley Where are recommender systems used? What do recommender systems do? (preference modeling) $ (pricing) (retrieval) What could recommender

463 views • 45 slides
Misuse of statistics in cigarette advertisement From Data to Insight Dr. etinkaya-Rundel July

Misuse of statistics in cigarette advertisement From Data to Insight Dr. etinkaya-Rundel July

Misuse of statistics in cigarette advertisement From Data to Insight Dr. etinkaya-Rundel July 12, 2016 Recap Brandt: there is no single gold standard of disease causality. What is the reason behind this claim? Clinical

298 views • 29 slides
Delirium A. Acute onset and fluctuating course B. Inattention C. Disorganized thinking

Delirium A. Acute onset and fluctuating course B. Inattention C. Disorganized thinking

10/20/17 Disclosure Palliative Care Pearls for the Hospitalist I published a book: Steven Pantilat, MD Life After the Diagnosis: Expert Advice Kates-Burnard and Hellman Distinguished on Living Well with Serious Illness for Professor in

597 views • 7 slides

More recommend