Behold the Inherent Insecurity of X11 with a Snap Package on Ubuntu 16.04
Recently a Core OS security researcher and Linux kernel contributor named Matthew Garrett published a post pointing that Snap package on Ubuntu 16.04 with X11 display server is not secure. X11 is still the default display server on Ubuntu 16.04 desktop. He created a little Snap app on Github to prove that any Snaps in X11 environment can access other X11 application’s data.
In this post, I will show you how to install his Snap app on Ubuntu 16.04 and feel the inherent insecurity of X11. You will also learn how to create Snap apps with snapcraft in the process.
How to Install the Snap Package
First open a terminal window and install Git on Ubuntu 16.04 with this simple command:
sudo apt-get install git
Next, clone Matthew Garrett’s Github repository.
git clone https://github.com/mjg59/xevilteddy
The above command will create a new directory named
xevilteddy in the current working directory. CD into that directory.
After that, install snapcraft.
sudo apt-get install snapcraft
sudo apt-get install libxtst-dev
Create the Snap package with the following command. It will create a
xevilteddy_0.1_i386.snap file, depending on your OS architecture.
Now let’s install the newly created Snap package.
sudo snap install xevilteddy_0.1*.snap
Then run this Snap app.
You should see a teddy bear on the upper left corner of your Ubuntu 16.04 desktop.
And it did record my keyboard stroke while I was writing this article in Firefox! See the underlined text below.
It will also warn you that Window manager wouldn’t leave the window alone and it could be using curl to send your ssh keys to a remote site. Fortunately there’s no SSH keys on my fresh Ubuntu 16.04 install.
In my test, I only see the above on a fresh Ubuntu 16.04 install. When I was testing this on a Ubuntu 16.04 machine which is upgraded from Ubuntu 15.10, I did not see the teddy bear and the Snap package did not log my keyboard stroke. Instead it produced the following error message.
Bad system call
How to Remove it From Ubuntu 16.04
To remove this snap app from Ubuntu 16.04 desktop, run the following command:
sudo snap remove xevilteddy
List your installed Snap packages with the below command.
Ubuntu 16.04 server edition does not include X11 display server by default so it’s not threatened by this security flaw. Mir and Wayland display server don’t have this security flaw. xdg-app from Gnome is a project similar to Snap, aiming to run applications in a sandbox environment. The good thing about xdg-app is that it only works with Wayland display server, because X11 is inherently insecure.