Home page logo

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] ssh/x11 forwarding disclosure
From: "Frasnelli, Dan" <dfrasnel () COREWAR COM>
Date: Thu, 7 Sep 2000 22:24:18 -0400

The flames are licking up my mailbox, so I submit this
in my defense.

I recognized the mistake below after sending it and tried to stop
the post.. this account was set for 'auto-approval' without my
knowledge.  I apologize for the confusion.. read on below.

Yes it is.  Read the man page and pull out your sniffer to look at what
is actually happening on the wire.

Right.  My brain said 'unauthenticated' while my fingers typed something
else.  Stupid and distracted me.

- a remote user can 'spy' on an ssh session under certain
  circumstances by reading off those ports (ie. xkey).

This is only a problem if the X server is configured to allow an
unauthenticated remote user to connect.  At that point it is certainly
true that any apps displayed over the tunnel and any xterms containing
ssh sessions can be watched.  But it isn't an ssh issue.  ssh can't
protect against stupidity.

Thats how it should work, right.


A "feature" was discovered by myself and a security consultant
last year in the x11 forwarding code of ssh.  A report was
sent to Data Fellows (under NDA, no it is not available).
Its not my position to say whether they agreed or not
with our findings.  The feature does not affect
recent f-sec ssh releases (1.3.7, 2.x).

The findings:
1. At least two 1.2.x releases allowed an arbitrary number
   of unauth connections to the forwarded x11 display
   (6001,6010+/tcp) from the client machine.
   Any user on the same system can use xkey to compromise
   confidentiality of ssh sessions established by the victim.
   In a real-world scenario, this is difficult to exploit; the
   intruder is already in your network, at which point you're
   screwed anyhow.

2. For releases <1.2.27, it is sometimes possible to kill an
   ssh session by sending a syn to its x11 forwarded port.
   Our tests indicated a hit/miss of ~5:10.  Later releases
   rejected the packet and displayed an error to the user.

Tested server platform was Solaris 2.6/sparc, with clients
ranging from OpenBSD to Linux.  For all I know, the
Solaris boxes were misconfigured and the findings aren't
duplicable.  We thought of it as a neat 'trick' but
little more.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]