Bugtraq mailing list archives
ssh 1.2.26 x11-fwd dos (Re: MicroImages MIX X Server)
From: dfrasnel () ALPHALINUX ORG (Dan Frasnelli)
Date: Wed, 6 Oct 1999 11:23:31 -0700
> Basically telnetting into port 6000 of the server and typing in random gibberish brings it down.

This method of conducting a simple DoS against unprotected X servers is already well-known. Most X servers for Windows default to accepting all connections to port 6000, making more than the MI/X software vulnerable. Also, I do not think most PC X servers have cookies support - session hijacking and snooping may be possible.

On the subject of denial of service attacks, ssh 1.2.26 has a nice one associated with X11 forwarding. Data Fellows, Ltd. were informed of this and a second vulnerability (session confidentiality can be compromised by a second user on the client machine) last month but did not respond. Here is a quick overview:

- If $DISPLAY is set on the client machine and the remote server allows X11 forwarding (default), sshd will bind to an available port above 6000 for each subsequent ssh session.
- On Linux, the first port allocated is 6001 (:1.0); on Solaris 2.6, the first is 6010 (:10.0). The second ssh session w/X11 forwarding will bind 6002 under Linux, 6011 under Solaris, etc. lsof is probably the best tool to use if you have access to both the server and client.
- A simple connect() via telnet or a portscanner to the forwarded X server from any remote host will kill the ssh session and any forwarded clients.
- Versions 1.2.27 and 2.x drop the connection and report the attempt.

I have fully documented this and the second vulnerability mentioned above, but will give Data Fellows some more time to respond - the commercial product is vulnerable to the second attack. If we do not hear back from them in a few days, the exploit documentation will be sent to this list.

Regards,
Dan
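An audit sketch for the port allocation described in the message above, added here as an example and not part of the original post: it parses `lsof -nP -iTCP -sTCP:LISTEN` output, maps listeners in the X11 range to display numbers (port 6000 + N is display :N), and flags sshd forwarders bound to a non-loopback address. The sample lsof lines, the function names and the 63-display upper bound are assumptions made for illustration.

```python
import re

X11_BASE = 6000  # X display :N listens on TCP port 6000 + N

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (not from the post).
SAMPLE_LSOF = """\
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     812 root    3u  IPv4  10234      0t0  TCP *:22 (LISTEN)
sshd    1440 root    9u  IPv4  18811      0t0  TCP *:6010 (LISTEN)
sshd    1502 root    9u  IPv4  19020      0t0  TCP 127.0.0.1:6011 (LISTEN)
sshd    1611 root    9u  IPv6  19544      0t0  TCP [::1]:6012 (LISTEN)
Xorg     950 root    5u  IPv4  11002      0t0  TCP *:6000 (LISTEN)
httpd    700 root    4u  IPv4   9001      0t0  TCP *:8080 (LISTEN)
"""

LOOPBACK = ("127.", "[::1]")
NAME_RE = re.compile(r"TCP\s+(\S+):(\d+)\s+\(LISTEN\)")

def x11_listeners(lsof_text, max_display=63):
    """Listeners on ports 6000..6000+max_display (upper bound is an assumption)."""
    found = []
    for line in lsof_text.splitlines():
        m = NAME_RE.search(line)  # header and non-LISTEN lines do not match
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        if not X11_BASE <= port <= X11_BASE + max_display:
            continue
        fields = line.split()
        found.append({
            "command": fields[0], "pid": int(fields[1]),
            "display": ":%d.0" % (port - X11_BASE),
            "addr": addr, "port": port,
            # Anything not bound to loopback accepts connections from other hosts.
            "remote_reachable": not addr.startswith(LOOPBACK),
        })
    return found

def exposed_forwarders(lsof_text):
    """sshd-owned X11 listeners that other hosts can connect to."""
    return [l for l in x11_listeners(lsof_text)
            if l["command"] == "sshd" and l["remote_reachable"]]

if __name__ == "__main__":
    for l in x11_listeners(SAMPLE_LSOF):
        flag = "EXPOSED" if l["remote_reachable"] else "loopback"
        print("%(command)s pid=%(pid)d display=%(display)s %(addr)s:%(port)d" % l, flag)
```

On a live host, pass the real lsof output to `exposed_forwarders()` in place of the constructed sample.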