Home page logo

bugtraq logo Bugtraq mailing list archives

SSH & xauth
From: cazz () RUFF CS JMU EDU (Brian Caswell)
Date: Thu, 24 Feb 2000 17:31:35 -0500

The default SSH configuration for SSH1 and SSH2 allow for remote
controlling of X sessions through X forwarding.

All children of the SSH connection are able to tunnel X11 sessions
through the X tunnel to the client X11 session.  This is accomplished
by running xauth upon logging in.

If xauth is replaced on the server by a malicious program that does 
both of the following:
 - runs xauth, adding in the "correct" information allowing the
   children of the session to tunnel X11 programs through the SSH
 - runs xauth, adding in the "malicious" information, allowing a
   malicious source to tunnel X11 programs through the SSH session.

With the added data in .Xauthority, a malicious source can fully control 
the client X session.  The malicious source can then do most anything to
the X session, from logging keystrokes of the X session, to taking
screen captures, to typing in commands to open terminals.  

The only thing that is required for the client system to be compromised 
is for the client to remotely log via ssh (with X11 forwarding enabled) 
into a compromised server.

Allowing X forwarding seems to be turned on by default in SSH1, SSH2, 
and OpenSSH.

To fix this "issue" add the following lines to the SSH client
configuration.  ($HOME/.ssh/config or ssh_config)

        Host *
          ForwardX11 no

Discussions of security flaws within X11 have been going on for years.  
The "issue" in SSH X11 forwarding is not new.  SSH has added to the 
security of X11, but by no means does the use of SSH secure X11.

Brian Caswell <cazz () ruff cs jmu edu>  
If I could load the world into vi, the first command I would use is:
%s/Windows NT//gi

<LI>application/pgp-signature attachment: stored

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]