Bugtraq mailing list archives
SSH/X11 vulnerability
From: flegel () MAIL BRAUNSCHWEIG NETSURF DE (Ulrich Flegel)
Date: Tue, 30 Sep 1997 21:48:29 +0100
------------------------------------------------------------------------
SSH/X11 Vulnerability                                     September 1997
------------------------------------------------------------------------

Systems affected:

  All systems running Secure Shell (SSH) clients and X11.

Description:

  In a firewalled environment, insecure protocols are normally not
  allowed to cross network boundaries and enter the protected network
  environment. SSH is able to relay arbitrary TCP connections; in
  particular, X11 traffic is mediated by default. If SSH connections may
  leave the protected network environment, insecure protocols may
  unknowingly be imported and exploited.

Impact:

  Everyone who can access foreign .Xauthority files on SSH servers is
  able to access the X server of the SSH client machine. The client
  machine is open to a variety of attack scenarios while the SSH session
  exists.

Exploit:

  See References for a detailed description of the exploit.

Solution:

  Client side (administrator):
  - Build SSH clients with "--disable_client_x11_forwarding".
  - Set "ForwardX11" to "no" in "/etc/ssh_config".
  - Set up packet filters which allow connections destined for port 22
    only if they originate from a privileged port.

  Client side (users):
  - Set "ForwardX11" to "no" in "~/.ssh/config".
  - Apply the "-x" option when using "ssh".

  Server side (administrator):
  - Build SSH servers with "--disable_server_x11_forwarding".
  - Set "X11Forwarding" to "no" in "/etc/sshd_config".

References:

  For a more detailed description of the vulnerability, its consequences
  and countermeasures see:

  http://home.braunschweig.netsurf.de/~ulrich.flegel/pub/ssh-x11.ps.gz

-----------------------------------------------------------------------
Copyright (c) 1997 Ulrich Flegel, Ulrich.Flegel () braunschweig netsurf de
-----------------------------------------------------------------------
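
Added example (not part of the original advisory): a Python check that reports where X11 forwarding stays enabled in ssh_config or sshd_config text, covering the "ForwardX11" and "X11Forwarding" settings named under Solution. It assumes that the first value obtained for a keyword wins and that an unset keyword leaves forwarding enabled, as the advisory describes the default; the function names and sample configurations are constructed for illustration.

```python
# Added example, not from the advisory. Assumptions: the first value obtained
# for a keyword wins, and an unset keyword leaves X11 forwarding enabled.

def sections(text):
    """Yield (host_patterns, {keyword: first_value}) in file order.
    Settings before any Host line apply to every host, so they get ['*']."""
    patterns, settings = ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if not parts:
            continue
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "host":
            yield patterns, settings
            patterns, settings = value.split(), {}
        else:
            settings.setdefault(key, value.lower())  # keep the first value only
    yield patterns, settings

def x11_findings(text, keyword, default_enabled=True):
    """Return descriptions of every place where X11 forwarding remains on."""
    keyword, findings = keyword.lower(), []
    for patterns, settings in sections(text):
        if keyword not in settings:
            continue
        if settings[keyword] != "no":
            findings.append(f"{keyword}={settings[keyword]} for Host {' '.join(patterns)}")
        if "*" in patterns:  # catch-all reached: later values are shadowed
            return findings
    if default_enabled:
        findings.append(f"{keyword} unset for some hosts; default applies")
    return findings

# Constructed sample inputs (hypothetical host name).
CLIENT_SAMPLE = """\
Host gateway.example.org
    ForwardX11 yes
Host *
    ForwardX11 no
"""
SERVER_SAMPLE = "Port 22\n"

if __name__ == "__main__":
    print(x11_findings(CLIENT_SAMPLE, "ForwardX11"))
    print(x11_findings(SERVER_SAMPLE, "X11Forwarding"))
```

An empty result means every host resolves to "no" for that keyword; a per-host "yes" placed before the catch-all "no" is reported because it is matched first.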