From owner-freebsd-security Wed Sep 16 06:57:20 1998
Date: Wed, 16 Sep 1998 09:56:01 -0400 (EDT)
From: zoonie
To: Warner Losh
cc: rotel@indigo.ie, freebsd-security@FreeBSD.ORG
Subject: Re: X Security (was: Re: Err.. cat exploit.. (!))
In-Reply-To: <199809160605.AAA04664@harmony.village.org>
Sender: owner-freebsd-security@FreeBSD.ORG

warner is correct about XTEST, if you look at a2x it does this also, in fact there were 3 ways to get keystrokes and mouse movements to X. a2x can use any of them. i don't remember what they are offhand but i do remember that there were 3 different methods depending on the X server.

for those of you that don't know what a2x is, it's an interface for using voice recognition software to control X on your workstation. it mainly works with dragondictate but i think that you can get it to work with any voice recognition software. i fooled around with it a few months ago when i had tendinitis and was restricting the amount of typing i did.....

On Wed, 16 Sep 1998, Warner Losh wrote:

> In message <199809152125.WAA01218@indigo.ie> Niall Smart writes:
> : Actually, xterm will not accept synthetically generated keystrokes
> : from XSendEvent by default, but there is nothing stopping someone
> : from capturing keystrokes and other events. This is a pretty
> : pedantic point, anyone using xhost to manage X security deserves
> : to get stung.
>
> But it will accept keystrokes generated from XTEST by default. I have
> a newton keyboard I use with my libretto which uses this feature. It
> would appear that the keystroke program even works with a remote
> display I can connect to, which is both way cool, and a possible
> nightmare from a security point of view. XTEST even supports mouse
> movements and clicking, which I plan to add to the newton keyboard
> just as soon as I find a way of faking mice that I like. There are
> several X extensions that can be used here that are compiled into
> XFree86 by default. I think they are XInputExtension, XKEYBOARD and
> XTEST, but I'm not sure about XKEYBOARD.
>
> There is even a RECORD extension listed on my xdpyinfo output that
> looks like it could be very interesting indeed.
>
> X security is less like swiss cheese, and more like chicken wire if
> you are just using xhost for your security.
>
> Warner
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

---------------------------------------------
The devil finds work for idle circuits to do.
---------------------------------------------
zoonie at myhouse dot com
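
An audit sketch for the exposure discussed in this thread, as an added example that is not part of either message: it reads the text printed by `xhost` and `xdpyinfo` and reports host-based access grants together with the input-capable extensions the thread names. The sample outputs are constructed, the names `parse_extensions` and `audit` are hypothetical, and treating only `SI:localuser:` entries as acceptable is this example's own policy assumption.

```python
import re

# Extensions the thread names as able to inject or observe input events.
INPUT_EXTENSIONS = {"XTEST", "RECORD", "XInputExtension", "XKEYBOARD"}

# Constructed sample output (not captured from a real host).
SAMPLE_XDPYINFO = """\
name of display:    :0
version number:    11.0
number of extensions:    5
    BIG-REQUESTS
    RECORD
    XInputExtension
    XKEYBOARD
    XTEST
default screen number:    0
"""
SAMPLE_XHOST = """\
access control enabled, only authorized clients can connect
INET:lab-gw.example.org
SI:localuser:alice
"""

def parse_extensions(xdpyinfo_text):
    """Return the names listed after xdpyinfo's 'number of extensions:' line."""
    lines = xdpyinfo_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"number of extensions:\s+(\d+)", line)
        if m:
            return [l.strip() for l in lines[i + 1:i + 1 + int(m.group(1))]]
    return []

def audit(xdpyinfo_text, xhost_text):
    """Hypothetical helper: list findings for one display, empty if none."""
    lines = [l.strip() for l in xhost_text.splitlines() if l.strip()]
    findings = []
    if not (lines and lines[0].startswith("access control enabled")):
        findings.append("access control not enabled: any host can connect")
    for entry in lines[1:]:
        # Only per-user grants are treated as acceptable; the rest trust a whole host.
        if not entry.startswith("SI:localuser:"):
            findings.append("host-based grant: " + entry)
    exposed = sorted(INPUT_EXTENSIONS & set(parse_extensions(xdpyinfo_text)))
    if findings and exposed:
        # Extensions matter only when someone other than the owner can connect.
        findings.append("reachable input extensions: " + ", ".join(exposed))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_XDPYINFO, SAMPLE_XHOST):
        print(finding)
```

On a live system the two arguments would be the captured output of `xdpyinfo` and `xhost` for the display being checked.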