Secooritay, help! Sorry if this is noob level.
Situation:
Serio module loaded (and atkbd, etc) - I get stuff hitting the firewall and getting dropped (not even looking at what yet; I'm sorry, but nothing related to serio ports should be trying to issue network protocol packets?)
Serio module unloaded - zero dropped packets.
I don't see anything on archwiki's Security page about serio ports. And they are virtually ubiquitously on, which feels like fertile ground for the mother of all exploits because, well, who would ever disable their laptop keyboards even?
Don't paraphrase. Show us the logs.
Inofficial first vice president of the Rust Evangelism Strike Force
:-O Something is trying to connect to Xorg's display 0 tcp port 6000 on loopback - even when I'm logged out completely. :-O (Of course, it gets dropped because I drop loopback packets except on the other ports that I need).
I have the default nolisten setting for Xorg. What could it even be when I'm logged out?? Tracking this down is probably near impossible?
Please post a dump of your firewall config and the log messages you are seeing.
I got iptables log-level 4 for outgoing dropped packets. This is what got dropped:
IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=64803 PROTO=TCP SPT=55742 DPT=6000 WINDOW=65495 RES=0x00 SYN URGP=0
Is anything listening on port 6000? What is $DISPLAY set to?
Edit:
# lsof -i:6000
Also how is this connected to serio?
Last edited by loqs (2022-10-05 15:44:49)
even when I'm logged out completely
Does that also mean that there's no X11 server?
Can you run Xorg w/o the serio driver being loaded (or does it bail for a lack of input devices)?
Is anything listening on port 6000? What is $DISPLAY set to?
Edit: # lsof -i:6000
Also how is this connected to serio?
lsof -i:6000 reports nothing
It is connected to serio because when serio & at/2 kbd/mouse modules are loaded there was unusual activity like this.
even when I'm logged out completely
Does that also mean that there's no X11 server?
Can you run Xorg w/o the serio driver being loaded (or does it bail for a lack of input devices)?
Exactly, when I'm logged out I didn't have anything running.
I run Xorg just fine with or without serio drivers.
I set up a log script using 'ss' to log any dport=6000 activity to a file.
Hi,
Could you provide us with the full logs instead of one single line out of any context? (especially knowing that you are running with some very specific settings like blocking traffic from the loopback interface to the loopback interface).
You could use the Audit Framework, start/enable it and set a new rule logging syscalls. I would (not sure at all) use sendmsg and sendto as the syscalls to look for.
It should help you to narrow down the process sending the TCP segment.
A more «hackish» way to gather intel is to set a listener on port TCP 6000 to catch the actual payload sent after the TCP handshake. It can easily be set up with tools like netcat and tcpdump.
Last edited by Koatao (2022-10-05 19:05:14)
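As an added example (not code from anyone in this thread), here is a small Python helper for the same goal of finding the sender: it parses the netfilter LOG line posted above, flags loopback SYNs to TCP 6000, and maps the source port to a socket inode via /proc/net/tcp and then to a PID via /proc/*/fd. The /proc/net/tcp row below is constructed sample data, and the SYN_SENT socket only exists briefly, so on a live box the lookup has to be polled.

```python
import os
import re
from pathlib import Path

# Constructed sample: the netfilter LOG line quoted in the thread.
SAMPLE_LOG = ("IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 "
              "TTL=64 ID=64803 PROTO=TCP SPT=55742 DPT=6000 WINDOW=65495 RES=0x00 SYN URGP=0")

# Constructed sample of /proc/net/tcp: one socket 127.0.0.1:55742 -> 127.0.0.1:6000
# in state 02 (SYN_SENT), owned by inode 123456.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:D9BE 0100007F:1770 02 00000001:00000000 01:00000015 00000001  1000        0 123456 1\n")

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_nf_log(line):
    """Split a netfilter LOG line into KEY=VALUE fields; bare tokens (SYN, ACK...) go to FLAGS."""
    fields = dict(FIELD_RE.findall(line))
    fields["FLAGS"] = [tok for tok in line.split() if "=" not in tok]
    return fields

def is_loopback_x11_syn(fields):
    """True for a TCP SYN leaving on lo towards the X11 display-0 port."""
    return (fields.get("OUT") == "lo" and fields.get("PROTO") == "TCP"
            and fields.get("DPT") == "6000" and "SYN" in fields["FLAGS"])

def hex_addr(addr):
    """Decode a /proc/net/tcp address such as 0100007F:D9BE (little-endian IPv4, hex port)."""
    ip_hex, port_hex = addr.split(":")
    ip = ".".join(str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
    return ip, int(port_hex, 16)

def find_socket_inode(proc_net_tcp, local_port, remote_port=6000):
    """Return the inode of the socket whose ports match, or None (columns as in /proc/net/tcp)."""
    for row in proc_net_tcp.splitlines()[1:]:
        cols = row.split()
        if len(cols) < 10:
            continue
        if hex_addr(cols[1])[1] == local_port and hex_addr(cols[2])[1] == remote_port:
            return int(cols[9])
    return None

def pid_for_inode(inode):
    """Walk /proc/*/fd for socket:[inode]; needs root to see other users' processes."""
    target = f"socket:[{inode}]"
    for fd_dir in Path("/proc").glob("[0-9]*/fd"):
        try:
            for fd in fd_dir.iterdir():
                if os.readlink(fd) == target:
                    return int(fd_dir.parent.name)
        except OSError:
            continue
    return None
```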