4838985 2000-02-26 00:55 /78 lines/ Postmaster
Recipient: Bugtraq (import) <9970>
Subject: SSH & xauth
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
User-Agent: Mutt/1.1.2i
X-PGP-FINGERPRINT: 4AB7 A021 1E73 E140 3BFE  C6ED 69CF F512 9874 403C
X-PGP-Keys: Send mail with subject "get pgp key"
Message-ID: <20000224173135.A4478@ruff.cs.jmu.edu>
Date: Thu, 24 Feb 2000 17:31:35 -0500
Reply-To: Brian Caswell <cazz@RUFF.CS.JMU.EDU>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Brian Caswell <cazz@RUFF.CS.JMU.EDU>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

The default SSH configuration for SSH1 and SSH2 allows for remote
controlling of X sessions through X forwarding.

All children of the SSH connection are able to tunnel X11 sessions
through the X tunnel to the client X11 session. This is accomplished
by running xauth upon logging in.

If xauth is replaced on the server by a malicious program that does
both of the following:

 - runs xauth, adding in the "correct" information allowing the
   children of the session to tunnel X11 programs through the SSH
   session
 - runs xauth, adding in the "malicious" information, allowing a
   malicious source to tunnel X11 programs through the SSH session.

With the added data in .Xauthority, a malicious source can fully control
the client X session. The malicious source can then do most anything to
the X session, from logging keystrokes of the X session, to taking
screen captures, to typing in commands to open terminals.

The only thing that is required for the client system to be compromised
is for the client to remotely log in via ssh (with X11 forwarding
enabled) to a compromised server.

Allowing X forwarding seems to be turned on by default in SSH1, SSH2,
and OpenSSH.

To fix this "issue", add the following lines to the SSH client
configuration ($HOME/.ssh/config or ssh_config):

    Host *
      ForwardX11 no

Discussions of security flaws within X11 have been going on for years.
The "issue" in SSH X11 forwarding is not new. SSH has added to the
security of X11, but by no means does the use of SSH secure X11.

--
Brian Caswell <cazz@ruff.cs.jmu.edu>
If I could load the world into vi, the first command I would use is:
%s/Windows NT//gi
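
Added example, not part of the original post: a check that the "Host * / ForwardX11 no" fix actually applies to a given host. ssh_config uses the first value obtained for each option, so an earlier Host block that sets ForwardX11 yes overrides a later "Host *". The parser is a simplified sketch that reads only Host blocks (Match and Include are not evaluated); the sample files and host names are constructed.

```python
import fnmatch

def host_matches(patterns, host):
    """A Host line applies if some pattern matches and no !negated one does.
    ssh patterns use only * and ?; fnmatch also accepts [] classes."""
    hit = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            hit = True
    return hit

def effective_forward_x11(config_text, host):
    """Return (value, line_no) of the ForwardX11 setting that applies to
    host, or None when the file never sets it for that host."""
    active = True  # options before the first Host line apply to all hosts
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()  # "Key=value" is allowed
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "host":
            active = host_matches(args, host)
        elif key == "match":
            active = False  # simplification: Match blocks are skipped
        elif key == "forwardx11" and active and args:
            return args[0].lower(), line_no  # first value obtained wins
    return None

# Constructed sample: the fix is present, but a specific block precedes it.
WEAK = """\
Host build-*
    ForwardX11 yes

Host *
    ForwardX11 no
"""

# Constructed sample: the global "no" comes first, so it wins everywhere.
HARDENED = """\
Host *
    ForwardX11 no

Host build-*
    ForwardX11 yes
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, effective_forward_x11(cfg, "build-01"))
```

A result of None means the file does not set ForwardX11 for that host, so the client's built-in or system-wide default decides.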