Bugtraq mailing list archives

SSH/X11 vulnerability


From: flegel () MAIL BRAUNSCHWEIG NETSURF DE (Ulrich Flegel)
Date: Tue, 30 Sep 1997 21:48:29 +0100


------------------------------------------------------------------------
SSH/X11 Vulnerability                                     September 1997
------------------------------------------------------------------------

Systems affected:
        All systems running Secure Shell (SSH) clients and X11.

Description:
        In a firewalled environment, insecure protocols are normally not
        allowed to cross network boundaries and enter the protected
        network environment.

        SSH is able to relay arbitrary TCP connections; in particular,
        X11 traffic is relayed by default.

        If SSH connections are allowed to leave the protected network
        environment, insecure protocols may unknowingly be imported and
        exploited.

Impact:
        Anyone who can access other users' .Xauthority files on SSH
        servers is able to access the X server of the SSH client
        machine. The client machine is open to a variety of attack
        scenarios for as long as the SSH session exists.

Exploit:
        See References for a detailed description of the exploit.

Solution:
        Client side (administrator):
        Build SSH clients with "--disable_client_x11_forwarding".
        Set "ForwardX11" to "no" in "/etc/ssh_config".
        Set up packet filters which allow connections destined for
        port 22 only if they originate from a privileged port.

        Client side (users):
        Set "ForwardX11" to "no" in "~/.ssh/config".
        Apply the "-x" option when using "ssh".

        Server side (administrator):
        Build SSH servers with "--disable_server_x11_forwarding".
        Set "X11Forwarding" to "no" in "/etc/sshd_config".

References:
        For a more detailed description of the vulnerability, its
        consequences and countermeasures see:

        http://home.braunschweig.netsurf.de/~ulrich.flegel/pub/ssh-x11.ps.gz

-----------------------------------------------------------------------
Copyright (c) 1997 Ulrich Flegel, Ulrich.Flegel () braunschweig netsurf de
-----------------------------------------------------------------------
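
The following script is an added example, not part of the original advisory or of the SSH distribution. It checks which "ForwardX11" value a client would actually use for a given host after the client-side steps in the Solution section, since a host-specific "yes" placed earlier in a file overrides a later "no". Assumptions: the first value obtained wins, the user file is read before the system-wide file, and an unset keyword means forwarding is on, as the advisory states; the host names and config contents are constructed samples.

```python
import fnmatch

# Constructed sample of ~/.ssh/config: a blanket "no" that an earlier block overrides.
USER_CFG = """
# per-user settings
Host build-*.example.org
    ForwardX11 yes

Host *
    ForwardX11 no
"""

# Constructed sample of /etc/ssh_config.
SYSTEM_CFG = """
ForwardX11 no
"""


def effective_setting(keyword, host, configs, default="yes"):
    """Return the value used for `keyword` when connecting to `host`.

    `configs` holds file contents in lookup order. `default` applies when no
    file sets the keyword ("yes" follows the advisory's stated default).
    Only Host blocks with * and ? wildcards are handled (assumption).
    """
    keyword = keyword.lower()
    for text in configs:
        applies = True  # lines before the first Host line apply to every host
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            # Accept both "Keyword value" and "Keyword=value".
            parts = line.replace("=", " ", 1).split(None, 1)
            if len(parts) != 2:
                continue
            key, value = parts[0].lower(), parts[1].strip()
            if key == "host":
                applies = any(fnmatch.fnmatchcase(host, p) for p in value.split())
            elif key == keyword and applies:
                return value.lower()  # first obtained value wins
    return default


if __name__ == "__main__":
    for h in ("build-7.example.org", "mail.example.org"):
        print(h, effective_setting("ForwardX11", h, [USER_CFG, SYSTEM_CFG]))
```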


