Re: [PEN-TEST] ssh/x11 forwarding disclosure

["Dunker, Noah" <NDunker () FISHNETSECURITY COM>]

hrm... Does SSH honor $TMPDIR?  I'm using Evil Win2000 at work
right now, and can't get to my UNIX boxes at home.  Anyone care
to see what the story is on this.   Also, anyone know what else
/tmp/ssh-username messes with?  Will it disable -L port:host:port
or -R port:host:port, too?

I use a dynamic $TMPDIR setup, where each login session gets a
tmpdir (uses the PID of the shell as part of the directory name),
so I don't know if SSH is going to use that instead of /tmp.


-----Original Message-----
From: Riley Hassell [mailto:riley () SPEAKEASY NET]
Sent: Friday, September 08, 2000 3:07 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: ssh/x11 forwarding disclosure


If you make a directory in /tmp called
ssh-username you can disable another users X-forwarding.

Lame isn't it.

/tmp/ssh-riley


  Riley Hassell
  Network Security
  Speakeasy Network
  Phone : 206-728-9770x151
  Email : riley () speakeasy net


On Thu, 7 Sep 2000, Frasnelli, Dan wrote:

> The flames are licking up my mailbox, so I submit this
> in my defense.
>
> I recognized the mistake below after sending it and tried to stop
> the post.. this account was set for 'auto-approval' without my
> knowledge.  I apologize for the confusion.. read on below.
>
> > Yes it is.  Read the man page and pull out your sniffer to look at what
> > is actually happening on the wire.
>
> Right.  My brain said 'unauthenticated' while my fingers typed something
> else.  Stupid and distracted me.
>
> > > - a remote user can 'spy' on an ssh session under certain
> > >   circumstances by reading off those ports (ie. xkey).
> >
> > This is only a problem if the X server is configured to allow an
> > unauthenticated remote user to connect.  At that point it is certainly
> > true that any apps displayed over the tunnel and any xterms containing
> > ssh sessions can be watched.  But it isn't an ssh issue.  ssh can't
> > protect against stupidity.
>
> Thats how it should work, right.
>
> Disclosure/disclaimer:
>
> A "feature" was discovered by myself and a security consultant
> last year in the x11 forwarding code of ssh.  A report was
> sent to Data Fellows (under NDA, no it is not available).
> Its not my position to say whether they agreed or not
> with our findings.  The feature does not affect
> recent f-sec ssh releases (1.3.7, 2.x).
>
> The findings:
> 1. At least two 1.2.x releases allowed an arbitrary number
>    of unauth connections to the forwarded x11 display
>    (6001,6010+/tcp) from the client machine.
> Significance:
>    Any user on the same system can use xkey to compromise
>    confidentiality of ssh sessions established by the victim.
>    In a real-world scenario, this is difficult to exploit; the
>    intruder is already in your network, at which point you're
>    screwed anyhow.
>
> 2. For releases <1.2.27, it is sometimes possible to kill an
>    ssh session by sending a syn to its x11 forwarded port.
>    Our tests indicated a hit/miss of ~5:10.  Later releases
>    rejected the packet and displayed an error to the user.
>
> Tested server platform was Solaris 2.6/sparc, with clients
> ranging from OpenBSD to Linux.  For all I know, the
> Solaris boxes were misconfigured and the findings aren't
> duplicable.  We thought of it as a neat 'trick' but
> little more.
>
> Enjoy,
> -dan