07 Apr, 2023

X Window System Version 11 (x11)


X11 is short for X Window System Version 11. It is a network protocol and a graphical user interface (GUI) that allows applications to run on a remote server and be displayed on a local machine. Developed by MIT in the 1980s, X11 has become the standard display system for Unix-based operating systems and is commonly used in Linux distributions.

The X11 protocol works by separating the graphical interface of an application from its functionality. The application runs on a remote server, while the graphical output is sent to the local machine. This allows users to run applications on powerful servers, while still being able to interact with them through a local machine.

X11 also supports multiple windows, allowing users to run multiple applications simultaneously and switch between them easily. It includes a set of standard widgets, such as buttons, text boxes, and menus, that application developers can use to create GUIs.

The X11 protocol is highly customizable, allowing users to modify the look and feel of their desktop environment. It is also highly extensible, with many third-party applications available to enhance its functionality.

X11 common ports

TCP port 6000: This is the default X11 port used for communication between the X server and X clients.

TCP port 6001: This is typically used as the first alternate port when the default port is already in use.

TCP port 6002: This is typically used as the second alternate port when both the default port and the first alternate port are already in use.

TCP port 6010: This is another alternate port that can be used for X11 communication.

TCP port 6011: This is another alternate port that can be used for X11 communication.

Standard commands that unauthorized users may misuse

xhost: This command allows users to add or remove hosts from the X server’s access control list. Unauthorized users may attempt to use this command to gain access to the X server from a remote system.

xeyes: This command displays a pair of animated eyes that follow the mouse cursor. While this command is harmless, unauthorized users may attempt to use it to test whether they have access to the X server.

xkill: This command allows users to kill a running X11 client. Unauthorized users may attempt to use this command to terminate important applications or services.

xmodmap: This command allows users to modify the key mappings on the X server. Unauthorized users may attempt to use this command to intercept keystrokes or execute malicious commands.

xset: This command allows users to modify various X11 settings, such as the screen saver timeout or the keyboard repeat rate. Unauthorized users may attempt to use this command to disable security features or change system settings.

Tools for using the X11 protocol

Manual Tools:

  • xev: This tool displays X events generated by a user’s input devices, such as mouse clicks or keyboard presses. It can be useful for debugging X11 applications.

  • xdpyinfo: This tool displays information about the X server, including the number of screens, available extensions, and supported protocols.

  • xwininfo: This tool displays information about a window, including its geometry, parent and child windows, and resource ID.

  • xkill: This tool allows users to kill a running X11 client by clicking on its window. It can be useful for terminating unresponsive applications.

  • xrandr: This tool allows users to configure the screen resolution, refresh rate, and rotation on X11 displays.

  • xset: This tool allows users to configure various X11 settings, such as the screen saver timeout and keyboard repeat rate.

  • xclock: This tool displays an analog or digital clock on the X11 screen. It can be useful for testing various X11 features.

  • xfontsel: This tool allows users to view and select X11 fonts for use in applications.

  • xcalc: This tool provides a simple calculator interface on the X11 screen. It can be useful for testing input and output functionality.

  • xterm: This tool provides a terminal emulator on the X11 screen. It can be useful for testing command-line applications.

Automated Tools:

  • Xnest: This tool provides a nested X11 server inside an existing X11 session. It can be used to test multi-screen setups or to isolate X11 applications.

  • Xvfb: This tool provides a virtual X11 framebuffer that can be used to run X11 applications without a physical display. It can be useful for testing headless servers.

  • xdotool: This tool provides a command-line interface for automating X11 tasks, such as simulating mouse clicks or keyboard input.

  • xmacro: This tool records and plays back X11 macros, which are sequences of X11 events. It can be useful for automating repetitive tasks.

  • xpra: This tool provides a persistent X11 server that can be accessed remotely through a web browser or SSH connection. It can be useful for testing remote access functionality.

  • Xnee: This tool provides a suite of X11 automation tools, including record and playback functionality, event simulation, and synchronization.

  • Xorg-x11-server-utils: This package provides a collection of X11 server utilities, including xinput, xmodmap, and xsetroot.

  • X11perf: This tool provides a suite of X11 performance tests, including rendering, window manipulation, and input latency.

  • xrestop: This tool provides a real-time view of X11 resource usage, including memory and CPU usage.

  • xtrace: This tool provides a trace of X11 protocol traffic between the X server and clients. It can be useful for debugging X11 applications.

Last five known CVEs for X11

• CVE-2020-14346 – A flaw was found in xorg-x11-server before 1.20.9. An integer underflow in the X input extension protocol decoding in the X server may lead to arbitrary access of memory contents. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. 

• CVE-2015-3812 – Multiple memory leaks in the x11_init_protocol function in epan/dissectors/packet-x11.c in the X11 dissector in Wireshark 1.10.x before 1.10.14 and 1.12.x before 1.12.5 allow remote attackers to cause a denial of service (memory consumption) via a crafted packet.

• CVE-2013-2004 – The (1) GetDatabase and (2) _XimParseStringFile functions in X.org libX11 1.5.99.901 (1.6 RC1) and earlier do not restrict the recursion depth when processing directives to include files, which allows X servers to cause a denial of service (stack consumption) via a crafted file.

• CVE-2013-1997 – Multiple buffer overflows in X.org libX11 1.5.99.901 (1.6 RC1) and earlier allow X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the (1) XAllocColorCells, (2) _XkbReadGetDeviceInfoReply, (3) _XkbReadGeomShapes, (4) _XkbReadGetGeometryReply, (5) _XkbReadKeySyms, (6) _XkbReadKeyActions, (7) _XkbReadKeyBehaviors, (8) _XkbReadModifierMap, (9) _XkbReadExplicitComponents, (10) _XkbReadVirtualModMap, (11) _XkbReadGetNamesReply, (12) _XkbReadGetMapReply, (13) _XimXGetReadData, (14) XListFonts, (15) XListExtensions, and (16) XGetFontPath functions.

• CVE-2013-1982 – Multiple integer overflows in X.org libXext 1.3.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XcupGetReservedColormapEntries, (2) XcupStoreColors, (3) XdbeGetVisualInfo, (4) XeviGetVisualInfo, (5) XShapeGetRectangles, and (6) XSyncListSystemCounters functions.

Useful information

– X11 is an extensible protocol that allows additional features to be added without breaking the existing clients.

– X11 is network-transparent, which means that the client and server can be run on either the same or different machines.

– X11 is a windowing system for bitmap displays, commonly used on Unix-like operating systems.

– X11 provides the basic framework for a GUI environment, allowing for the drawing and moving of windows on the display device, and interacting with a mouse and keyboard.

– The X11 protocol allows applications to create objects such as windows and use basic drawing primitives, such as filling a rectangle or displaying text.

– Widgets like buttons and menus are made by client libraries using the X11 protocol.

– X11 has been the current protocol version since September 1987; it uses TCP as its transport protocol.

Known banners

  • “X Window System Version x.x.x” – This is the default banner message that is displayed when an X11 session is started.

  • “Welcome to the X Window System” – This banner message is commonly used by Linux distributions as a greeting message for their X11 sessions.

  • “Warning: No Access Control!” – This banner message is displayed when X11 has been configured to allow access from any client, regardless of the client’s identity or location.

  • “This is a private system – No unauthorized access allowed” – This banner message is often used by organizations to warn users that the system is private and unauthorized access is not allowed.

  • “Unsecured X11 session detected” – This banner message is displayed when a user’s X11 session is not properly secured and may be vulnerable to attacks.

  • “X11 Forwarding Requested but Display Not Set” – This banner message is displayed when a user attempts to forward X11 requests to a remote system, but the display has not been properly set.

  • “X11 connection rejected because of wrong authentication” – This banner message is displayed when a user’s X11 session is rejected due to incorrect authentication credentials.

  • “X11 forwarding request failed on channel 0” – This banner message is displayed when a user’s X11 forwarding request has failed due to a problem with the network channel.

  • “X11 connection lost” – This banner message is displayed when a user’s X11 connection has been lost due to a network or server issue.

  • “X11 session terminated unexpectedly” – This banner message is displayed when a user’s X11 session has been terminated due to an error or crash.

Books for studying X11

“X Window System: The Complete Reference to Xlib, X Protocol, ICCCM, XLFD” by Robert W. Scheifler and James Gettys – This book is considered the definitive reference to the X Window System, covering topics such as the Xlib library, the X protocol, and the Inter-Client Communication Conventions Manual (ICCCM). It also provides an in-depth look at the X Logical Font Description (XLFD) standard.

“X Power Tools” by Chris Tyler – This book is a comprehensive guide to the X Window System, covering topics such as window managers, desktop environments, and X11 programming. It also includes tips and tricks for customizing the X11 environment and improving productivity.

“Xlib Programming Manual: for Version 11 of the X Window System” by Adrian Nye – This book provides a detailed introduction to programming with the Xlib library, covering topics such as window creation, event handling, and graphics programming. It also includes examples and exercises to help readers develop their X11 programming skills.

“X Window Programming From Scratch” by Jerry Jongerius – This book is a beginner’s guide to X11 programming, covering topics such as window creation, event handling, and graphics programming. It also includes examples and exercises to help readers develop their X11 programming skills.

“X Window System User’s Guide: For X11 R3 and R4 of the X Window System” by Valerie Quercia and Tim O’Reilly – This book is a user’s guide to the X Window System, covering topics such as window managers, desktop environments, and X11 applications. It also includes tips and tricks for customizing the X11 environment and improving productivity.

List of Payloads for X11

  • Window Managers: These are applications that manage the placement, appearance, and behavior of windows. Examples include twm, Metacity, and Openbox.

  • Desktop Environments: These are complete graphical user interfaces that include a window manager, file manager, panel, and other applications. Examples include GNOME, KDE, and Xfce.

  • Remote Desktop Software: These are applications that allow users to connect to a remote computer and display its desktop on their own computer. Examples include VNC and RDP.

  • Terminal Emulators: These are applications that allow users to run command-line programs within a graphical environment. Examples include xterm, GNOME Terminal, and Konsole.

  • Graphics Libraries: These are programming libraries that provide an interface for creating and manipulating graphical objects, such as images and fonts. Examples include Cairo, OpenGL, and SDL.

  • Screen Capture Software: These are applications that allow users to capture screenshots or record videos of their desktop. Examples include recordmydesktop and Kazam.

  • Input Method Editors: These are applications that allow users to input non-Latin characters, such as Chinese or Japanese, using a keyboard or mouse. Examples include ibus and SCIM.

  • Display Managers: These are applications that manage the login screen and start the X server. Examples include GDM, LightDM, and XDM.

Mitigation

  1. Disabling X11 forwarding can reduce the attack surface of the system, as it prevents attackers from using X11 to remotely control applications or access data.

  2. Limiting X11 access can help prevent unauthorized users from accessing the system. This can be done by implementing access controls, such as firewalls, and configuring X11 to only accept connections from trusted sources.

  3. Using SSH tunneling can help secure X11 connections by encrypting the data in transit. This can help prevent attackers from intercepting or tampering with X11 traffic.

  4. Keeping X11 software up to date can help mitigate vulnerabilities that could be exploited by attackers. This includes updating both the X11 server and any X11 client applications that are installed on the system.

  5. Using X authentication can help prevent unauthorized users from accessing X11 resources. This involves configuring X11 to require authentication for connections and using secure authentication methods, such as Kerberos or XDM-AUTHORIZATION-1.

  6. Using a virtual X11 framebuffer can help mitigate some X11-related security risks by isolating X11 applications from the host system. This involves running X11 applications in a virtual environment that does not have direct access to the system’s hardware resources.

  7. Using a secure X11 server can help prevent attackers from exploiting vulnerabilities in the X11 protocol. This includes using X11 servers that have been hardened or modified to reduce security risks.
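The following POSIX sh script is an added example, not code from the original article or from the X.Org project. It audits three of the mitigation points above (sshd X11 forwarding, the X server's TCP listener on port 6000 + display number, and xhost access control) from text input, so a defender can run the same checks against `cat /etc/ssh/sshd_config`, `ss -ltn` and `xhost` output on a real host. All sample inputs embedded below are constructed; the function names and the `FAIL:`/`OK:` report format are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original article): offline audit of X11 hardening.
#   sshd_x11_forwarding  : effective X11Forwarding value from sshd_config text
#   x11_tcp_listeners    : display numbers exposed on TCP (display N = port 6000+N)
#   xhost_access_control : whether the X server accepts clients from any host
# All inputs are constructed samples so the script runs without an X server.

# sshd uses the FIRST value it reads for a keyword; the compiled-in default
# is "no". Match blocks are not handled by this simple parser (assumption).
sshd_x11_forwarding() {
    val=$(awk 'tolower($1) == "x11forwarding" { print tolower($2); exit }')
    printf '%s\n' "${val:-no}"
}

# Print the display number of every LISTEN socket on ports 6000-6063 found in
# `ss -ltn`-style text. Works for both 0.0.0.0:6000 and [::]:6001 forms.
x11_tcp_listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n] + 0
        if (port >= 6000 && port <= 6063) print port - 6000
    }'
}

# Classify the first line of `xhost` output. "access control disabled" is the
# state the "Warning: No Access Control!" banner above refers to.
xhost_access_control() {
    case "$(head -n 1)" in
        'access control disabled'*) echo open ;;
        'access control enabled'*)  echo restricted ;;
        *)                          echo unknown ;;
    esac
}

# Combine the three checks into a short report: one line per check.
# Arguments: sshd_config text, ss -ltn text, xhost text.
x11_audit() {
    fwd=$(printf '%s\n' "$1" | sshd_x11_forwarding)
    if [ "$fwd" = "no" ]; then
        echo "OK: sshd X11Forwarding is no"
    else
        echo "FAIL: sshd X11Forwarding is $fwd (mitigation 1: disable forwarding)"
    fi

    displays=$(printf '%s\n' "$2" | x11_tcp_listeners | tr '\n' ' ')
    if [ -z "$displays" ]; then
        echo "OK: X server is not listening on TCP"
    else
        echo "FAIL: X display(s) $displays exposed on TCP (mitigation 2: start X with -nolisten tcp)"
    fi

    ac=$(printf '%s\n' "$3" | xhost_access_control)
    if [ "$ac" = "open" ]; then
        echo "FAIL: xhost access control is disabled (mitigation 5: require X authentication)"
    else
        echo "OK: xhost access control is $ac"
    fi
}

# --- Constructed sample inputs (not captured from a real system) ---
SSHD_CONFIG_SAMPLE='# constructed sshd_config excerpt
Port 22
#X11Forwarding no
X11Forwarding yes
X11Forwarding no'

SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:6000        0.0.0.0:*
LISTEN 0      128    [::]:6001           [::]:*'

XHOST_OPEN_SAMPLE='access control disabled, clients can connect from any host'

XHOST_RESTRICTED_SAMPLE='access control enabled, only authorized clients can connect
SI:localuser:alice'

# Demo run against the weak configuration: all three checks report FAIL.
x11_audit "$SSHD_CONFIG_SAMPLE" "$SS_SAMPLE" "$XHOST_OPEN_SAMPLE"
```

The sshd parser deliberately returns `yes` for the sample even though a later line says `no`, because sshd honours the first occurrence of a keyword; an auditor who only greps for the last line would miss that. The listener check converts the port back to a display number so the finding can be matched against `DISPLAY` values seen in user sessions.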

Conclusion

X11 is a protocol used for graphical user interfaces that has been widely adopted by many operating systems. While X11 provides a powerful set of features for remote display and control of applications, it also introduces some security risks that need to be addressed.
