SSH & xauth

From: Brian Caswell (cazzat_private)
Date: Thu Feb 24 2000 - 14:31:35 PST

Next message: Christophe GRENIER: "Re: Toshiba NoteBooks BIOS Password Backdoor - Password Cracker"

Previous message: Ussr Labs: "Local / Remote D.o.S Attack in InterAccess TelnetD Server Release"
Next in thread: Oliver Friedrichs: "Re: SSH & xauth"
Reply: Oliver Friedrichs: "Re: SSH & xauth"
Reply: David Terrell: "Re: SSH & xauth"
Reply: David Pybus: "Re: SSH & xauth"
Reply: Robert Watson: "Re: SSH & xauth"
Reply: Cy Schubert - ITSD Open Systems Group: "Re: SSH & xauth"
Reply: Andrey: "Re: SSH & xauth"
Reply: Theo de Raadt: "Re: SSH & xauth"
Reply: Lionel Cons: "Re: SSH & xauth"
Reply: Cy Schubert - ITSD Open Systems Group: "Re: SSH & xauth"
Reply: Brian: "Re: SSH & xauth"
Reply: Niels Provos: "Re: SSH & xauth"
Reply: Robert Watson: "Re: SSH & xauth"
Reply: Robert Watson: "Re: SSH & xauth"
Reply: Robert Watson: "Re: SSH & xauth"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

--UlVJffcvxoiEqYs2
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

The default SSH configuration for SSH1 and SSH2 allow for remote
controlling of X sessions through X forwarding.

All children of the SSH connection are able to tunnel X11 sessions
through the X tunnel to the client X11 session.  This is accomplished
by running xauth upon logging in.

If xauth is replaced on the server by a malicious program that does=20
both of the following:
 - runs xauth, adding in the "correct" information allowing the
   children of the session to tunnel X11 programs through the SSH
   session
 - runs xauth, adding in the "malicious" information, allowing a
   malicious source to tunnel X11 programs through the SSH session.

With the added data in .Xauthority, a malicious source can fully control=20
the client X session.  The malicious source can then do most anything to
the X session, from logging keystrokes of the X session, to taking
screen captures, to typing in commands to open terminals. =20

The only thing that is required for the client system to be compromised=20
is for the client to remotely log via ssh (with X11 forwarding enabled)=20
into a compromised server.

Allowing X forwarding seems to be turned on by default in SSH1, SSH2,=20
and OpenSSH.

To fix this "issue" add the following lines to the SSH client
configuration.  ($HOME/.ssh/config or ssh_config)


	Host *
	  ForwardX11 no


Discussions of security flaws within X11 have been going on for years. =20
The "issue" in SSH X11 forwarding is not new.  SSH has added to the=20
security of X11, but by no means does the use of SSH secure X11.

--=20
Brian Caswell <cazzat_private> =20
If I could load the world into vi, the first command I would use is:
%s/Windows NT//gi

--UlVJffcvxoiEqYs2
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4tbFHac/1Eph0QDwRAoL5AJ9p/DedW7QzcYJiuSuBSjdqVo9zPQCgid6n
gnUCAorTStQc4OTT+7gg72A=
=3kz7
-----END PGP SIGNATURE-----

--UlVJffcvxoiEqYs2--

Next message: Christophe GRENIER: "Re: Toshiba NoteBooks BIOS Password Backdoor - Password Cracker"
Previous message: Ussr Labs: "Local / Remote D.o.S Attack in InterAccess TelnetD Server Release"
Next in thread: Oliver Friedrichs: "Re: SSH & xauth"
Reply: Oliver Friedrichs: "Re: SSH & xauth"
Reply: David Terrell: "Re: SSH & xauth"
Reply: David Pybus: "Re: SSH & xauth"
Reply: Robert Watson: "Re: SSH & xauth"
Reply: Cy Schubert - ITSD Open Systems Group: "Re: SSH & xauth"
Reply: Andrey: "Re: SSH & xauth"
Reply: Theo de Raadt: "Re: SSH & xauth"
Reply: Lionel Cons: "Re: SSH & xauth"
Reply: Cy Schubert - ITSD Open Systems Group: "Re: SSH & xauth"
Reply: Brian: "Re: SSH & xauth"
Reply: Niels Provos: "Re: SSH & xauth"
Reply: Robert Watson: "Re: SSH & xauth"
Reply: Robert Watson: "Re: SSH & xauth"
Reply: Robert Watson: "Re: SSH & xauth"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:37:12 PDT