Home page logo

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] ssh/x11 forwarding disclosure
From: "Dunker, Noah" <NDunker () FISHNETSECURITY COM>
Date: Fri, 8 Sep 2000 15:14:45 -0500

hrm... Does SSH honor $TMPDIR?  I'm using Evil Win2000 at work
right now, and can't get to my UNIX boxes at home.  Anyone care
to see what the story is on this.   Also, anyone know what else
/tmp/ssh-username messes with?  Will it disable -L port:host:port
or -R port:host:port, too?

I use a dynamic $TMPDIR setup, where each login session gets a
tmpdir (uses the PID of the shell as part of the directory name),
so I don't know if SSH is going to use that instead of /tmp.

-----Original Message-----
From: Riley Hassell [mailto:riley () SPEAKEASY NET]
Sent: Friday, September 08, 2000 3:07 PM
Subject: Re: ssh/x11 forwarding disclosure

If you make a directory in /tmp called
ssh-username you can disable another users X-forwarding.

Lame isn't it.


  Riley Hassell
  Network Security
  Speakeasy Network
  Phone : 206-728-9770x151
  Email : riley () speakeasy net

On Thu, 7 Sep 2000, Frasnelli, Dan wrote:

The flames are licking up my mailbox, so I submit this
in my defense.

I recognized the mistake below after sending it and tried to stop
the post.. this account was set for 'auto-approval' without my
knowledge.  I apologize for the confusion.. read on below.

Yes it is.  Read the man page and pull out your sniffer to look at what
is actually happening on the wire.

Right.  My brain said 'unauthenticated' while my fingers typed something
else.  Stupid and distracted me.

- a remote user can 'spy' on an ssh session under certain
  circumstances by reading off those ports (ie. xkey).

This is only a problem if the X server is configured to allow an
unauthenticated remote user to connect.  At that point it is certainly
true that any apps displayed over the tunnel and any xterms containing
ssh sessions can be watched.  But it isn't an ssh issue.  ssh can't
protect against stupidity.

Thats how it should work, right.


A "feature" was discovered by myself and a security consultant
last year in the x11 forwarding code of ssh.  A report was
sent to Data Fellows (under NDA, no it is not available).
Its not my position to say whether they agreed or not
with our findings.  The feature does not affect
recent f-sec ssh releases (1.3.7, 2.x).

The findings:
1. At least two 1.2.x releases allowed an arbitrary number
   of unauth connections to the forwarded x11 display
   (6001,6010+/tcp) from the client machine.
   Any user on the same system can use xkey to compromise
   confidentiality of ssh sessions established by the victim.
   In a real-world scenario, this is difficult to exploit; the
   intruder is already in your network, at which point you're
   screwed anyhow.

2. For releases <1.2.27, it is sometimes possible to kill an
   ssh session by sending a syn to its x11 forwarded port.
   Our tests indicated a hit/miss of ~5:10.  Later releases
   rejected the packet and displayed an error to the user.

Tested server platform was Solaris 2.6/sparc, with clients
ranging from OpenBSD to Linux.  For all I know, the
Solaris boxes were misconfigured and the findings aren't
duplicable.  We thought of it as a neat 'trick' but
little more.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]