Penetration Testing mailing list archives
Re: [PEN-TEST] ssh/x11 forwarding disclosure
From: Riley Hassell <riley () SPEAKEASY NET>
Date: Fri, 8 Sep 2000 13:07:02 -0700
If you make a directory in /tmp called ssh-username you can disable another user's X-forwarding. Lame, isn't it?

/tmp/ssh-riley

Riley Hassell
Network Security
Speakeasy Network
Phone : 206-728-9770x151
Email : riley () speakeasy net

On Thu, 7 Sep 2000, Frasnelli, Dan wrote:
> The flames are licking up my mailbox, so I submit this in my defense. I recognized the mistake below after sending it and tried to stop the post.. this account was set for 'auto-approval' without my knowledge. I apologize for the confusion.. read on below.
>
> > Yes it is. Read the man page and pull out your sniffer to look at what is actually happening on the wire.
>
> Right. My brain said 'unauthenticated' while my fingers typed something else. Stupid and distracted me.
>
> > > - a remote user can 'spy' on an ssh session under certain circumstances by reading off those ports (i.e. xkey).
> >
> > This is only a problem if the X server is configured to allow an unauthenticated remote user to connect. At that point it is certainly true that any apps displayed over the tunnel and any xterms containing ssh sessions can be watched. But it isn't an ssh issue. ssh can't protect against stupidity.
>
> That's how it should work, right.
>
> Disclosure/disclaimer: A "feature" was discovered by myself and a security consultant last year in the x11 forwarding code of ssh. A report was sent to Data Fellows (under NDA, no it is not available). It's not my position to say whether they agreed or not with our findings. The feature does not affect recent f-sec ssh releases (1.3.7, 2.x).
>
> The findings:
>
> 1. At least two 1.2.x releases allowed an arbitrary number of unauth connections to the forwarded x11 display (6001,6010+/tcp) from the client machine. Significance: Any user on the same system can use xkey to compromise confidentiality of ssh sessions established by the victim. In a real-world scenario, this is difficult to exploit; the intruder is already in your network, at which point you're screwed anyhow.
>
> 2. For releases <1.2.27, it is sometimes possible to kill an ssh session by sending a syn to its x11 forwarded port. Our tests indicated a hit/miss of ~5:10. Later releases rejected the packet and displayed an error to the user. Tested server platform was Solaris 2.6/sparc, with clients ranging from OpenBSD to Linux.
>
> For all I know, the Solaris boxes were misconfigured and the findings aren't duplicable. We thought of it as a neat 'trick' but little more.
>
> Enjoy,
> -dan
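An added defender-side check, written for this archive page and not code from either poster: the /tmp/ssh-username squatting Riley describes works because an ssh build that keeps per-user state in a fixed, predictable /tmp/ssh-<user> directory cannot tell its own directory from one someone else pre-created. The audit below walks a /tmp listing and flags ssh-<user> directories whose owner does not match the name suffix, or whose mode lets other users in. The fixed directory naming is taken from the post (modern OpenSSH instead uses a random mkdtemp() suffix, which is the real fix); the sample listing, usernames and modes are constructed, and `scan_live_tmp` is a hypothetical helper for running the same check against a real host.

```python
import os
import pwd
import re
import stat
from dataclasses import dataclass
from typing import List

# Directory names of the form ssh-<username>, as described in the post.
SSH_DIR_RE = re.compile(r"^ssh-(?P<user>[A-Za-z0-9._-]+)$")


@dataclass
class TmpEntry:
    name: str     # basename under /tmp
    owner: str    # owning username (or numeric uid as a string)
    mode: int     # permission bits only, e.g. 0o700
    is_dir: bool


@dataclass
class Finding:
    name: str
    reason: str


def audit_tmp_ssh_dirs(entries: List[TmpEntry]) -> List[Finding]:
    """Flag ssh-<user> directories that look squatted or are not private."""
    findings: List[Finding] = []
    for e in entries:
        m = SSH_DIR_RE.match(e.name)
        if not m or not e.is_dir:
            continue  # not a per-user ssh directory
        expected = m.group("user")
        if e.owner != expected:
            # Someone other than <user> created the directory: the squat
            # from the post, which denies <user> X forwarding.
            findings.append(Finding(
                e.name, f"owned by {e.owner!r}, not {expected!r}: possible squat"))
        if e.mode & 0o077:
            # Group/world bits set: other users can reach what is stored inside.
            findings.append(Finding(
                e.name, f"mode {oct(e.mode)} is group/world accessible"))
    return findings


def scan_live_tmp(tmp: str = "/tmp") -> List[TmpEntry]:
    """Hypothetical helper: build TmpEntry records from a real directory."""
    out: List[TmpEntry] = []
    for name in os.listdir(tmp):
        st = os.lstat(os.path.join(tmp, name))
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            owner = str(st.st_uid)
        out.append(TmpEntry(name, owner, stat.S_IMODE(st.st_mode),
                            stat.S_ISDIR(st.st_mode)))
    return out


# Constructed sample listing (not taken from any real system).
SAMPLE = [
    TmpEntry("ssh-riley", "mallory", 0o700, True),     # squatted by another user
    TmpEntry("ssh-dan", "dan", 0o755, True),           # right owner, too open
    TmpEntry("ssh-alice", "alice", 0o700, True),       # as it should be
    TmpEntry("ssh-agent.log", "alice", 0o600, False),  # a file, not a directory
]

if __name__ == "__main__":
    for f in audit_tmp_ssh_dirs(SAMPLE):
        print(f"/tmp/{f.name}: {f.reason}")
    # Uncomment to audit the running host instead of the constructed sample:
    # for f in audit_tmp_ssh_dirs(scan_live_tmp()):
    #     print(f"/tmp/{f.name}: {f.reason}")
```

On the constructed sample this reports ssh-riley as a possible squat and ssh-dan as group/world accessible; ssh-alice is clean and the log file is ignored. The check only makes sense for an ssh that uses the fixed naming scheme; with randomised directory names there is no name for another user to pre-create.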