xhost Security -- Hacker Mystery


I installed an application which required disabling access control via xhost +, and afterwards I made the mistake of not closing the access via xhost -. As I subsequently surfed the web, I hit upon a dubious website which might have exploited the access.

I noticed a text document (in Kwrite) appear on the screen, with “Password” written on it; nothing else. After a second or two, the document disappeared. It was like magic. Poof.

My theory is that some text file on my system was overwritten by this new document. Since nothing was written after “Password,” I assume it signifies that someone wanted an empty password, which would allow unhindered access by some (HTTP?) client.

Any idea of what might have happened? And is it possible that my machine was used as a proxy to serve some nefarious purpose?

Thanks in advance for your reply!

From your story I cannot tell if you understand what xhost does. In short, it allows other users (on the same system or other systems) to open windows in your GUI session. BTW the “other systems” part of this also needs network access and thus allowance by the firewall on your system and by the firewall in your router (I suppose you use some router/modem to the internet).

When all these allowances are given, you could thus see a window opened by some other user somewhere. That window is thus his application running on his system. This sounds harmless for you (you see something from another user, on another system, bad for his security), but as you saw, it could invite you to enter some password (phishing). Also, a transparent window overlaying your screen could be generated and then all your keyboard/mouse movements could be interpreted on the other side. When you did not type anything and the window just vanished, I think nothing important is lost.

It is better to use “xhost +hostname” to allow just a specific host. Better still is to use X-forwarding with ssh.

If you are behind a home router, then you only allowed access from your home LAN unless you set up port forwarding for port 6000 on your router. Off hand, I am not aware of attempts to exploit the hole you might have created, so the chances are that nothing bad actually happened.

If you are running X as root, then you seriously exposed your system. If you are running X as a non-root user, the exposure is less. The big risk in the non-root case is that X applications buffer information in the X-server (cut and paste buffers, for example). And an attacker with X access could possibly view that data, which might contain sensitive information such as passwords.
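The two replies above describe two separate exposures: access control switched off with `xhost +`, and the X server reachable on TCP port 6000 from outside the LAN. The following shell script is an added example written for this thread, not code posted by any of its participants; it audits both conditions on a workstation. The parsing helpers take command output as an argument so they can be exercised on constructed sample text (the `xhost` status lines and the `ss -ltn` listing below are constructed for illustration) without a running X display.

```shell
#!/bin/sh
# Added example (not from the original thread): check whether X access control
# is disabled ("xhost +") and whether the X server is listening on a TCP display port.

# Returns 0 if the given `xhost` output reports access control disabled.
# With "xhost +" in effect, xhost prints:
#   access control disabled, clients can connect from any host
# With access control enabled it prints:
#   access control enabled, only authorized clients can connect
xhost_is_open() {
    case "$1" in
        *"access control disabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the entries currently allowed by xhost, one per line
# (everything after the status line, e.g. "SI:localuser:alice").
xhost_allowed_entries() {
    printf '%s\n' "$1" | sed '1d'
}

# Returns 0 if `ss -ltn` style output shows a listener on an X display port
# (6000-6063, i.e. display :0 through :63).
x_tcp_listener_present() {
    printf '%s\n' "$1" | awk '
        NR > 1 {
            # Local address is the 4th column, e.g. "0.0.0.0:6000" or "[::]:6000".
            n = split($4, parts, ":")
            port = parts[n]
            if (port ~ /^60[0-5][0-9]$|^606[0-3]$/) { found = 1 }
        }
        END { if (found) exit 0; else exit 1 }'
}

# Live audit on a workstation: consults the real commands and prints advice.
audit_live() {
    xh=$(xhost 2>/dev/null) || { echo "xhost unavailable or no DISPLAY"; return 2; }
    if xhost_is_open "$xh"; then
        echo "WARNING: X access control disabled; re-enable with: xhost -"
        echo "         allow a single host instead with: xhost +hostname"
    else
        echo "OK: X access control enabled; allowed entries:"
        xhost_allowed_entries "$xh"
    fi
    if command -v ss >/dev/null 2>&1 && x_tcp_listener_present "$(ss -ltn 2>/dev/null)"; then
        echo "NOTE: X server listening on TCP; prefer 'ssh -X host' over exposing port 6000"
    fi
}
```

Run `audit_live` from an interactive session to see the current state; the helper functions can be sourced and tested on their own, which is also how the constructed samples are checked.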

Thanks for your reply. I’ve used kio-fish before, so I kind of know how the connection works. If I remember correctly, I was able to manipulate windows and files on the remote machine. However, I was not aware that the remote machine could see applications running on my client.

Thanks for your reply. I didn’t realize I could use X-forwarding to install an application. I wonder why Oracle doesn’t list this method in the instructions. Maybe because it would require extra software to be installed first?

My concern with xhost + was that some type of script (e.g., javascript?) could exploit it. I’m not really familiar with javascript functionality, though, so maybe this is seen as obviously impossible by someone who understands it. Thought I’d ask, just in case.