Full Report
In this blog post we are going to describe some tools we created to find and exploit unauthenticated X Windows sessions. We recently presented these at BSides Cape Town.

What is X11?

X, also known as the X Window System, is currently in its 11th version, hence the name X11. X is a basic windowing system which provides a framework for drawing and moving windows on a display device, as well as interaction with a mouse and keyboard. X uses a client-server model, with the server being the computer running in front of a human user and the X client applications running anywhere on the network. This contradicts the normal view of a client-server model, where the server is running at a remote location and the client is running in front of the user. In short, X plays a central role in displaying graphical windows on a user's terminal. The major use of X is for administering remote machines graphically (similar to a remote desktop session); however, X only displays one window at a time, an example being an xterm (terminal) window.
Analysis Summary
# Tool/Technique: XRDP (and associated X11 exploitation tools)
## Overview
XRDP, in this context, is a Python-based tool developed to streamline the exploitation of unauthenticated X Windows System (X11) sessions. It wraps several individual X11 utilities (`xwininfo`, `xwd`, `xdotool`, and potentially `xwatchwin`) to automate the process of gaining remote visibility and control (command execution) over a compromised graphical session running on an X server host.
## Technical Details
- Type: Tool
- Platform: Linux/Unix-like systems running the X Window System (X11). Relies on standard X utilities being available.
- Capabilities: Enumeration of X windows, screen capture/dumping, simulation of keyboard/mouse input, transparent overlay creation for interactive control.
- First Seen: December 2016 (Date of article/presentation).
## MITRE ATT&CK Mapping
The primary focus of this technique is gaining initial access or executing commands via a commonly misconfigured service.
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application
  - *Mapping Rationale: Exploiting a service (X11 forwarding) configured insecurely on an internet-accessible host.*
- **TA0007 - Discovery**
  - T1082 - System Information Discovery
  - *Mapping Rationale: Using utilities like `xwininfo` to gather details about the active desktop environment.*
- **TA0005 - Defense Evasion** (if associated tools like `xwatchwin` help maintain persistent visibility without triggering immediate alarms)
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
  - *Mapping Rationale: Using `xdotool` to simulate input ultimately leads to interactive command execution.*
## Functionality
### Core Capabilities
- **Vulnerability Identification:** Leveraging scanners (like custom Nmap scripts) to check for open X11 ports (ports 6000+) that allow unauthenticated connections (`xhost +` configuration).
- **Display Enumeration:** Uses `xwininfo` to query the display and identify the root window ID.
- **Screen Viewing:** Utilizes components (like modified `xwatchwin`) to provide an updating view (screenshot) of the remote X display.
- **Input Simulation:** Employs `xdotool` to programmatically simulate keyboard and mouse activity for remote control.
### Advanced Features
- **Session Reversal:** The distinct capability of controlling the 'server' machine's graphical output (the administrative host) rather than having the client machine display its output remotely.
- **Interactive Overlay:** Uses pyGTK to create a transparent overlay that allows the attacker’s input to correctly interact with the remote desktop displayed on their local machine.
- **Screensaver Management:** An 'unsafe' flag in the associated Nmap script can temporarily disable the target's screensaver during reconnaissance to ensure a clear view for screenshotting.
## Indicators of Compromise
Since the tools described are custom exploitation frameworks built around common system utilities, there are no specified malware artifacts. IOCs focus on the configuration leading to exploitation and network activity.
- File Hashes: N/A (Relies on existing binaries: `xwininfo`, `xwd`, `xdotool`, `lightdm`, Python/pyGTK components).
- File Names: `xrdp` (The name of the wrapper package/toolset), Nmap script outputs.
- Registry Keys: Not directly applicable (Focus is on Linux/Unix X setup).
- Network Indicators: Connection attempts/traffic directed towards the standard **X11 ports (TCP 6000 - 6063)**, especially on hosts whose firewalls leave those ports reachable.
- Behavioral Indicators: Execution sequences involving running `xhost +`, starting X servers with `xserver-allow-tcp=true`, or intensive querying of X display ports followed by graphical interaction attempts.
## Associated Threat Actors
The tools were created and presented by SensePost researchers (Darryn Cull). The article does not attribute usage by known major threat actor groups, suggesting this represents novel red team or penetration testing TTPs leveraging insecure default configurations.
## Detection Methods
Detection focuses on the insecure service configuration and the resulting unauthorized network traffic pattern.
- Signature-based detection: Signatures for specific network traffic patterns indicative of X11 session probing or connection establishment using non-standard application-layer protocols (if XRDP wrapper protocol signature is captured).
- Behavioral detection: Monitoring for system state changes that indicate vulnerability establishment (e.g., modification of `/etc/lightdm/lightdm.conf` to set `xserver-allow-tcp=true`, followed by execution of `xhost +`). Detect unusual network traffic on ports 6000+.
- YARA rules: Not specified in the provided text, but could target custom scripts found in the repository.
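The two behavioral indicators above (`xserver-allow-tcp=true` in `lightdm.conf` and `xhost +` being run) can be audited mechanically. The script below is an added example, not code from the article or the XRDP toolset; the `lightdm.conf` sample and the audit-style log lines are constructed here, and the log format is a hypothetical one chosen for illustration.

```python
import configparser
import re

# Constructed sample of /etc/lightdm/lightdm.conf carrying the insecure setting
SAMPLE_LIGHTDM_CONF = """\
[Seat:*]
autologin-user=admin
xserver-allow-tcp=true
"""

# Constructed audit-style process log lines; the format is hypothetical
SAMPLE_LOG_LINES = [
    "2016-12-01T10:00:01 host1 audit: uid=1000 exe=/usr/bin/xhost args='xhost +'",
    "2016-12-01T10:00:05 host1 audit: uid=1000 exe=/usr/bin/xhost args='xhost +192.0.2.10'",
    "2016-12-01T10:01:00 host1 audit: uid=1000 exe=/usr/bin/xhost args='xhost -'",
    "2016-12-01T10:02:00 host1 audit: uid=1000 exe=/usr/bin/xterm args='xterm'",
]

def lightdm_allows_tcp(conf_text):
    """True if any [Seat...] section sets xserver-allow-tcp=true (X listens on TCP 6000+)."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return any(
        cp.getboolean(sec, "xserver-allow-tcp", fallback=False)
        for sec in cp.sections() if sec.lower().startswith("seat")
    )

# Matches "xhost +", "xhost +host" and "xhost -" invocations in the log format above
XHOST_RE = re.compile(r"args='xhost\s+([+-])(\S*)'")

def xhost_acl_events(lines):
    """Return (line_no, action, host) per xhost ACL change; host '' means every host."""
    events = []
    for n, line in enumerate(lines, 1):
        m = XHOST_RE.search(line)
        if m:
            events.append((n, "open" if m.group(1) == "+" else "close", m.group(2)))
    return events

def audit(conf_text, lines):
    """Combine both checks into (severity, message) findings in log order."""
    findings = []
    if lightdm_allows_tcp(conf_text):
        findings.append(("high", "lightdm: xserver-allow-tcp=true exposes X on TCP 6000+"))
    open_to_all = False  # tracks whether a bare 'xhost +' was never reverted
    for n, action, host in xhost_acl_events(lines):
        if action == "open" and host == "":
            open_to_all = True
            findings.append(("high", f"line {n}: 'xhost +' disables access control for all hosts"))
        elif action == "open":
            findings.append(("medium", f"line {n}: xhost grants access to {host}"))
        elif action == "close" and host == "":
            open_to_all = False
            findings.append(("info", f"line {n}: 'xhost -' re-enables access control"))
    if open_to_all:
        findings.append(("high", "access control was left disabled at end of log"))
    return findings
```

Running `audit(SAMPLE_LIGHTDM_CONF, SAMPLE_LOG_LINES)` on the constructed input yields one finding for the TCP listener and three for the `xhost` changes; the trailing "left disabled" finding only appears when a bare `xhost +` is never followed by `xhost -`.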
## Mitigation Strategies
Mitigation focuses on correctly configuring and securing the X11 service instead of relying on weak authentication.
- Prevention measures: Ensure X server access control is *always* enabled (e.g., using MIT magic cookie authentication or user-based auth instead of relying solely on IP ACLs).
- Hardening recommendations: Do not allow connections from unknown or untrusted hosts. Disable TCP by default unless strictly necessary, and if enabled, ensure strong authentication mechanisms are enforced. Check firewall rules to restrict X11 port access to authorized internal networks only. Disable unnecessary remote desktop or graphical administration services.
## Related Tools/Techniques
- **Manual X11 Exploitation Tools:** `xwininfo`, `xwd`, `xdotool`, `xwatchwin`.
- **Discovery Tools:** Nmap (used with custom scripts to check ports and vulnerability status), Masscan (used for large-scale port scanning).
- **Related Vulnerable Services:** VNC, RDP (other graphical remote access protocols that can be exploited if poorly configured).