backdooring x11 with class
play

Backdooring X11 with class Matias Katz @matiaskatz - PowerPoint PPT Presentation

Jan 12, 2023 •334 likes •742 views

Backdooring X11 with class Matias Katz @matiaskatz matias@matiaskatz.com Andsec Security Conference End of November 2015 Buenos Aires, Argentina www.andsec.org An idea back in 1995... Locking a computer using hardware An idea back in

  1. Backdooring X11 with class Matias Katz @matiaskatz matias@matiaskatz.com

  2. Andsec Security Conference End of November 2015 Buenos Aires, Argentina www.andsec.org

  3. An idea back in 1995... Locking a computer using hardware

  4. An idea back in 1995... 2 steps: 1) Find a way to read a device 2) Find a way to lock a computer

  5. An idea back in 1995... Step 1 Filesystem? NO UUID? YES

  6. Reading the device 2 steps: 1) “/dev/disk/by-id/” enrollment 2) Check if present each 0.1s

  7. Locking the computer Step 2 DBUS

  8. Locking the computer DBUS: - IPC software - Apps communication - SW and HW interruptions

  9. Locking the computer DBUS: - Runs with privileges - Speaks directly to the kernel - Available in most X Display Managers

  10. Demo “locker.py”

  11. What else to do - Sound alarm - Email certain data - Power off - Delete private keys - Encrypt certain files - Shred entire disk

  12. And then I thought... Can I unlock a computer using the same method?

  13. Generating a Backdoor

  14. Unlocking a computer 2 steps: 1) Find a way to unlock a computer 2) Trigger the unlock

  15. A good backdoor 2 main features: 1) Leave small traces 2) Have a stealth trigger

  16. Unlocking a computer Unlocking computer leaving small traces: Binaries? NO Rootkits? NO OS features? YES

  17. Unlocking a computer Unlocking computer leaving small traces: DBUS :)

  18. Unlocking a computer Stealth trigger to unlock: - Not checked by AVs - Execution without suspicion - Available in all computers

  19. Unlocking a computer Stealth trigger to unlock: Keystrokes? NO Open port? NO Hardware? YES

  20. Hardware change Stealth hardware trigger: - Respond while locked - OS must not interfere - Cannot be disruptive

  21. Hardware change Network Connection? NO Screen brightness? NO Power input? NO

  22. So?

  23. Audio Jack :)

  24. Playing with audio jack - Mechanic detection - Notifies the OS - Who checks that?

  25. Playing with audio jack 2 steps: 1) Read “/proc/asound/card0/codec#0” 2) Check for changes

  26. Playing with audio jack Demo “jack.py” (Warning: Playing with the audio jack could damage it)

  27. Playing with audio jack Small problem: What if the victim wants to use the headphones?

  28. Playing with audio jack Simple solution: Create a pattern

  29. Playing with audio jack 2 steps: 1) Set checks each 1s, like “01110” 2) Replicate that with the headphones

  30. Unlocking the computer Demo “back2.2.py”

  31. The aftertaste How to mitigate it? - Remove Dbus (nope) - Disable screen lock (ugly but ok) - Switch to a minimal XDM (ok)

  32. The aftertaste Do you have to run it beforehand? YES (that's why it's called a “backdoor” :D)

  33. The aftertaste Can it be persistent? YES (rc.local)

  34. The aftertaste How big is it? 20 lines (dirty) 1 line (nice)

  35. The aftertaste What's so good about it? - NO Opcodes - Undetectable

  36. The aftertaste >>> import dbus >>> >>> import dbus Traceback (most recent call last): File "<stdin>", line 1, in <module> ImportError: No module named dbus >>>

  37. The aftertaste Can you do it to 'root' ? YES (but...)

  38. The aftertaste Can you do it on Windows ? YES - WinDBus - COM / RPC / DDE

  39. The aftertaste Can you Shellshock it ? HELL YEAH (however..) (Thanks Chino for the idea and Nutrix for the help implementing)

  40. Backdooring X11 with class Matias Katz @matiaskatz matias@matiaskatz.com

Recommend

Backdooring your server through its BMC : the HPE iLO4 case Fabien Prigaud, Alexandre Gazet

Backdooring your server through its BMC : the HPE iLO4 case Fabien Prigaud, Alexandre Gazet

Backdooring your server through its BMC : the HPE iLO4 case Fabien Prigaud, Alexandre Gazet &amp; Jofgrey Czarny Rennes, June 13-15 , 2018 Outline Introduction Previous works Firmware security A fjrmware backdoor Conclusion 1 HP

658 views • 43 slides
Hardware Backdooring is practical Jonathan Brossard (Toucan System) Florentin Demetrescu

Hardware Backdooring is practical Jonathan Brossard (Toucan System) Florentin Demetrescu

Hardware Backdooring is practical Jonathan Brossard (Toucan System) Florentin Demetrescu (Cassidian) DISCLAIMER We are not terrorists . We won't release our PoC backdoor. The x86 architecture is plagued by legacy. Governments know.

525 views • 37 slides
The Hidden Nemesis: Backdooring Embedded Controllers Ralf-Philipp Weinmann University of

The Hidden Nemesis: Backdooring Embedded Controllers Ralf-Philipp Weinmann University of

The Hidden Nemesis: Backdooring Embedded Controllers Ralf-Philipp Weinmann University of Luxembourg ralf-philipp.weinmann@uni.lu Targets. Targets. You can be one, too. Assume I briefly have physical access your laptop. #FAIL for you, I

327 views • 30 slides
Electing Your Membership Class Class TG, Class TH, or Class DC As a school employee who

Electing Your Membership Class Class TG, Class TH, or Class DC As a school employee who

Electing Your Membership Class Class TG, Class TH, or Class DC As a school employee who first became an active member of PSERS on or after July 1, 2019, you are automatically enrolled as a Class TG member. Class TG is a hybrid of both

538 views • 17 slides
First-Class Values A value is first-class if it satisfies all of these properties: First-Class

First-Class Values A value is first-class if it satisfies all of these properties: First-Class

First-Class Values A value is first-class if it satisfies all of these properties: First-Class Functions in Racket It can be named by a variable It can be passed as an argument to a function; It can be returned as the result of a

341 views • 3 slides
TwissOptics Class Joschua Dilly TwissOptics Class 2 The TwissOptics Class Resonance Driving

TwissOptics Class Joschua Dilly TwissOptics Class 2 The TwissOptics Class Resonance Driving

TwissOptics Class Joschua Dilly TwissOptics Class 2 The TwissOptics Class Resonance Driving Terms Linear Dispersion Coupling Chromatic Beating Conclusion To do TwissOptics Class 3 The TwissOptics Class TwissOptics Class 4 New class

450 views • 24 slides
Inheritance II Is-a versus has-a When an object of class A has a n object of class B, use

Inheritance II Is-a versus has-a When an object of class A has a n object of class B, use

Inheritance II Is-a versus has-a When an object of class A has a n object of class B, use object composition . Class A will have a field (variable) of class B in its implementation. When class A is a specific kind of another class B,

700 views • 12 slides
Class Specifications } A class diagram only gives a sketch of that class } More detail is

Class Specifications } A class diagram only gives a sketch of that class } More detail is

Class Specifications } A class diagram only gives a sketch of that class } More detail is given by the full specification of a class } Every useful Java class should have such a specification } When you write code, its up to you to create

64 views • 4 slides
CS 137: File Systems Class Overview 1 / 16 Class Overview Todays Topics Purpose of class

CS 137: File Systems Class Overview 1 / 16 Class Overview Todays Topics Purpose of class

CS 137: File Systems Class Overview 1 / 16 Class Overview Todays Topics Purpose of class How class will be run Project Sources of filesystem papers Early reading Introduction to disk technology 2 / 16 Class Overview

344 views • 17 slides
CS 137: File Systems Class Overview 1 / 14 Class Overview Todays Topics Purpose of class

CS 137: File Systems Class Overview 1 / 14 Class Overview Todays Topics Purpose of class

CS 137: File Systems Class Overview 1 / 14 Class Overview Todays Topics Purpose of class How class will be run Project Sources of filesystem papers Early reading Introduction to disk technology 2 / 14 Class Overview

436 views • 15 slides
CS 135: File Systems Class Overview 1 / 11 Class Overview Todays Topics Purpose of class

CS 135: File Systems Class Overview 1 / 11 Class Overview Todays Topics Purpose of class

CS 135: File Systems Class Overview 1 / 11 Class Overview Todays Topics Purpose of class How class will be run Project Sources of filesystem papers Early reading Introduction to disk technology 2 / 11 Class Overview

515 views • 12 slides
Previous*Courses Digital*Logic*Design Boolean*Algebra

Previous*Courses Digital*Logic*Design Boolean*Algebra

Preliminary*Information Instructor*Introduction Class*Policies Disabilities/Religious*Holidays Cheating/Copying Class*Web*Site Class*Notes Class*Schedule Laboratories

795 views • 18 slides
The header file is a class declaration class Dice What the class looks like, but now how it

The header file is a class declaration class Dice What the class looks like, but now how it

Classes: From Use to Implementation Anatomy of the Dice class The class Dice, need #include &quot; dice.h &quot; Weve used several classes, a class is a collection of objects sharing similar characteristics Objects: six-sided dice,

299 views • 8 slides
Classroom Assessment Scoring System (CLASS) 104 B New Report Format Interpreting your CLASS

Classroom Assessment Scoring System (CLASS) 104 B New Report Format Interpreting your CLASS

Classroom Assessment Scoring System (CLASS) 104 B New Report Format Interpreting your CLASS report CLASS Webinar Series -Scope &amp; Sequence Title Description Why the DECE uses the CLASS tool What the CLASS tool measures CLASS 101

447 views • 41 slides
Chapter 10 Object-Oriented Thinking 1 Class Abstraction and Encapsulation Class abstraction is

Chapter 10 Object-Oriented Thinking 1 Class Abstraction and Encapsulation Class abstraction is

Chapter 10 Object-Oriented Thinking 1 Class Abstraction and Encapsulation Class abstraction is the separation of class implementation details from the use of the class. The class creator provides a description of the class to let users know

420 views • 24 slides
Inner Class Inner Classes A &quot;regular&quot; inner class is declared inside the curly

Inner Class Inner Classes A &quot;regular&quot; inner class is declared inside the curly

Inner Class Inner Classes A &quot;regular&quot; inner class is declared inside the curly braces of another class, but outside any method or other code block. An inner class is a full-fledged member of the enclosing (outer) class, so it can

381 views • 6 slides
Curriculum on The Cadet Corps Uniform Class A Uniform Class A Uniform Agenda C1. Class A

Curriculum on The Cadet Corps Uniform Class A Uniform Class A Uniform Agenda C1. Class A

Curriculum on The Cadet Corps Uniform Class A Uniform Class A Uniform Agenda C1. Class A Uniform CLASS A UNIFORM C1. Wear the Class A Uniform to standard. Class A Uniform Known as Black Service Uniform or Class A Worn mainly

502 views • 14 slides
Logos Class Letters to the Corinthians online class for Oct 11, 2020 Logos Class. Mod 1 Room

Logos Class Letters to the Corinthians online class for Oct 11, 2020 Logos Class. Mod 1 Room

Logos Class Letters to the Corinthians online class for Oct 11, 2020 Logos Class. Mod 1 Room 1 10/10/20 1 Agenda for todays class Open chat room from 8:50am to 9:05am 9:05-9:15 Prayer time and updates Welcome our guests today

710 views • 19 slides
UML Class Diagrams Steven Zeil February 25, 2013 UML Class Diagrams Outline Class

UML Class Diagrams Steven Zeil February 25, 2013 UML Class Diagrams Outline Class

UML Class Diagrams UML Class Diagrams Steven Zeil February 25, 2013 UML Class Diagrams Outline Class Diagrams 1 A Class, in Isolation 2 Attributes Operations Generalization Relationships 3 Associations 4 Naming Your

948 views • 68 slides
DINNER Class of '61 Class of '61 Welcome Peter Turner Chairman of the 2016 Reunion

DINNER Class of '61 Class of '61 Welcome Peter Turner Chairman of the 2016 Reunion

2016 2016 DINNER Class of '61 Class of '61 Welcome Peter Turner Chairman of the 2016 Reunion Organizing Committee Class of '61 Ted Forsyth Laird King Tony De Kock Tony Sherrard Bevan Rudolph Class of '61 ROGER WEBBER Class of

626 views • 40 slides
3/14/16 Review Class/Object Type Class Keyword class class Point

3/14/16 Review Class/Object Type Class Keyword class class Point

3/14/16 Review Class/Object Type Class Keyword class class Point { // Fields int x; Object Declares a new type int y; color c; Data fields ( class variables)

318 views • 3 slides
Logos Class Letter to the Philippian Church Online class for June 28, 2020 6/28/20 1

Logos Class Letter to the Philippian Church Online class for June 28, 2020 6/28/20 1

Logos Class Letter to the Philippian Church Online class for June 28, 2020 6/28/20 1 Agenda for todays class Open chat room from 8:50am to 9:10am 9:10-9:15 Prayer time and general class discussion Welcome our guests today

453 views • 17 slides
Programming Abstraction in C++ Eric S. Roberts and Julie Zelenski Stanford University 2010

Programming Abstraction in C++ Eric S. Roberts and Julie Zelenski Stanford University 2010

Vector Class Grid Class Stack Class Queue Class Map Class Lexicon Class Scanner Class Iterators Programming Abstraction in C++ Eric S. Roberts and Julie Zelenski Stanford University 2010 Vector Class Grid Class Stack Class Queue Class

586 views • 54 slides
ENDNOTES 14.84 E3d 734 (5th Cir. 1996). against nationwide class where 1. Gen.Tel. Co. Falcon,

ENDNOTES 14.84 E3d 734 (5th Cir. 1996). against nationwide class where 1. Gen.Tel. Co. Falcon,

Consumer Cases Brought under Rule 23(b)(3) STRATEGIES FOR DEFEATING CLASS CERTIFICATION By Thomas A. Dye and Dean A. Morande A lawsuit founded defeating succeed in class tainable. consumer A class definition fails if it is on to ever even

502 views • 4 slides

More recommend