In this article I will describe how to hijack an X session from a different user, so that you are able to start X applications in a different user's session, for example to open a browser window on their screen. For this method you will probably need root access on the machine where the X session you want to hijack is running.

## X11 security model

The X11 security model is pretty simple. You only have to know two different things to connect to the X server.

The display is usually something like :0 or :1. The first X11 display is :0, and :1 is the second display on the local machine. When an X session starts, the environment variable $DISPLAY is set to the display. Every X11 application uses this variable to determine how to contact the X11 server and show its windows when it starts up. To list all locally available active displays, run the following command:

```
ls -l /tmp/.X11-unix/
```

This will show something like this:

```
srwxrwxrwx 1 gdm gdm 0 Jan 2 08:42 X0
srwxrwxrwx 1 bob users 0 Jan 2 08:42 X1
```

This shows that GDM is running on display :0 and that the user bob is logged in on display :1.

The second thing you have to know to connect to the X server is the cookie. This is the secret for connecting to the X server; if you do not have the right secret, the connection will be dropped. A cookie is just a random string, and the cookies are stored in the .Xauthority file in your home directory. You can also look at the cookies with the xauth(1) command.

```
-rw------- 1 bob users 663 Jan 10 11:46 .Xauthority

xauth list
10.0.3.1:0 MIT-MAGIC-COOKIE-1 9dc4e1e8469218001b2455ea39902f3b
mashine/unix:50 MIT-MAGIC-COOKIE-1 1b3c9c6a8101149edaa2e5033566b1d7
```

## Hijack the X session

Now you can use this knowledge to hijack the X session. In this example I will log in remotely to bob's machine over ssh as root. First we need the display that is used for bob's session. Above we found out that bob's session is running on display 1. Now we set our $DISPLAY variable to display 1.

```
DISPLAY=:1
export DISPLAY
```

OK, halfway done. Now we need bob's cookies. As root this is no problem: we can simply use the .Xauthority file in bob's home directory. I will show how this works below.

```
xauth list
xauth:  creating new authority file /root/.Xauthority

XAUTHORITY=/home/bob/.Xauthority
export XAUTHORITY

xauth list

xclock &
```
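Seen from the defender's side, the steps above leave a recognisable trace: a process whose XAUTHORITY points at a cookie file owned by a different user. The following Python check is an added example, not part of the original article; the function names are hypothetical and it assumes a Linux /proc layout that the running user is allowed to read.

```python
import os
from pathlib import Path

def parse_environ(raw):
    """Parse /proc/<pid>/environ: NUL-separated KEY=VALUE byte strings."""
    env = {}
    for item in raw.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def real_uid(status_text):
    """Return the real uid from /proc/<pid>/status, or None if absent."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            return int(line.split()[1])  # fields: real, effective, saved, fs
    return None

def find_borrowed_cookies(proc_root="/proc"):
    """List processes whose XAUTHORITY file is owned by another uid.

    Returns sorted (pid, uid, display, cookie_path, cookie_owner) tuples.
    environ holds the environment at exec time, so this sees clients
    started after the export, not the shell that ran the export.
    """
    findings = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            env = parse_environ((entry / "environ").read_bytes())
            uid = real_uid((entry / "status").read_text())
            cookie = env.get("XAUTHORITY")
            if cookie is None or uid is None:
                continue
            owner = os.stat(cookie).st_uid
        except OSError:
            continue  # process exited, or we may not read it
        if owner != uid:
            findings.append((int(entry.name), uid, env.get("DISPLAY"), cookie, owner))
    return sorted(findings)

if __name__ == "__main__":
    for pid, uid, display, cookie, owner in find_borrowed_cookies():
        print(f"pid={pid} uid={uid} DISPLAY={display} "
              f"XAUTHORITY={cookie} (owned by uid {owner})")
```

Run it as root to cover every process. Legitimate tools that pass XAUTHORITY across users, such as a display manager or a sudo configuration that preserves the variable, will also show up and need to be reviewed by hand.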