Firewall Wizards
mailing list archives
Re: X11 forwarding
From: Brian Hatch <firewall-wizards () ifokr org>
Date: Fri, 23 Aug 2002 16:50:49 -0700
How much of a security problem is X11 forwarding? I see CERT recommends
using a version that allows this to be turned off, but doesn't specifically
recommend that X11 forwarding be disabled.

Say you connect from your machine running X11 with:

    jdoe@home$ ssh -X remote_server
    remote_server password:
    jdoe@remote_server$

Then you can display X11 apps on your home machine that start on the
remote server:

    jdoe@remote_server$ echo $DISPLAY
    :10.0
    jdoe@remote_server$ xclock
    (display appears on your desktop)

By setting the correct environment variables, root can do this too:

    root@remote_server# export HOME=/home/jdoe
    root@remote_server# export DISPLAY=:10.0
        (replace with correct display number)
    root@remote_server# xclock
    (display appears on your desktop)

The problem is that X11 gives much more access than just popping
windows on your screen, such as snagging every event (mouse click,
keypress, etc) on your X11 desktop. If you don't trust root on
remote_server, then you shouldn't allow X11 forwarding to it.

    root@remote_server# xwd -root > jdoe.screenshot.xwd
    root@remote_server# xkey
    (whatever user types appears here...)

--
Brian Hatch                   I admire your bad
   Systems and                 qualities and I
   Security Engineer           wouldn't have you
www.buildinglinuxvpns.net      part with a single one
Every message PGP signed
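
An added example, not part of the original post: a small resolver for the OpenSSH client option ForwardX11, useful for checking that a client config really keeps X11 forwarding off for hosts whose root you do not trust. The host names under lab.example and the sample config are constructed, and Match blocks are deliberately not evaluated.

```python
import fnmatch

# Constructed client config (not from the post): X11 forwarding only to lab
# hosts the user controls, never to the multi-admin machine or anything else.
SAMPLE_CONFIG = """\
Host *.lab.example !shared.lab.example
    ForwardX11 yes

Host shared.lab.example
    ForwardX11=no

Host *
    ForwardX11 no
"""

def host_block_matches(patterns, host):
    """A matching negated pattern vetoes the block; otherwise at least one
    positive pattern must match (ssh_config Host semantics)."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched

def effective_forward_x11(config_text, host, dash_x=False):
    """Return the ForwardX11 value used when connecting to `host`.
    The first value obtained wins, and the command line is read first."""
    if dash_x:
        return "yes"  # ssh -X overrides any "ForwardX11 no" in the file
    active = True  # options before the first Host line apply to all hosts
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.replace("=", " ", 1).split()
        if not words:
            continue
        keyword, args = words[0].lower(), words[1:]
        if keyword == "host":
            active = host_block_matches(args, host)
        elif keyword == "match":
            active = False  # simplification: Match blocks are not evaluated
        elif keyword == "forwardx11" and active and args:
            return args[0].lower()
    return "no"  # upstream OpenSSH default when nothing sets the option
```

Because the first value obtained wins, dropping the `!shared.lab.example` negation would let the wildcard block turn forwarding on for that host even though a later block says no.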