
[debian-knoppix] Default configuration ssh-client "X11 Forwarding"

Klaus Knopper asked me to discuss this issue on this mailinglist.

Short Version:
Please disable X11 Forwarding in the default configuration of the OpenSSH
client. (in /etc/ssh/ssh_config: ForwardX11 no)

Long Version:
In a paper, which will be released to the public shortly, I wrote the
following regarding X11 Forwarding:

--- 8< ---
What is the vulnerability ...

When SSH is used to log in to an account on a remote host with X11 forwarding
enabled, full control of the local desktop is given to anybody who is able to
obtain the content of the X11 cookie set by SSH on the remote host. Persons
who are able to obtain this very valuable cookie include

 * all persons with administrative/root access to the remote server

 * persons who use the same remote account as the SSH client

 * legitimate users of the remote host who get access to the content of
   .Xauthority accidentally because of wrong file permissions, or because a
   core file of a crashed application is readable to anybody.

 * If you execute programs other legitimate accounts have write access to,
   they may easily introduce a trojan horse functionality to obtain the cookie.

 * external attackers who managed to penetrate the remote server

... and why is it exploitable?

As X11 was not originally designed to shield one X client application from
another, any X client may take over full control of the X server at any
time. Through SSH X forwarding this weakness in the X protocol gets forwarded
to remote hosts, which are better not trusted in this way. Even though there
is a new security extension to the X Protocol which can easily be used to
restrict access to a minimal set of resources, this feature is not yet used
by all current SSH implementations.

The root cause for the exploitability is a misplaced trust relationship.
--- >8 ---

As the effects of having X11 forwarding enabled unknowingly are disastrous
(giving full remote control to an attacker), the decision to enable X11
forwarding for a session must be made by the user himself.

As the distributor does not know anything about the trust relationship which
applies to the connection made by a user, a responsible distributor must not
decide to enable X11 forwarding by default.
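Added example, not part of Holger's mail and not Knoppix's own tooling: a small
Python audit script that parses an ssh_config the way ssh(1) reads it (Host
blocks in file order, the first obtained value for an option wins) and reports
whether the "ForwardX11 no" recommendation above is actually in effect for a
given host. The two configurations embedded in it are constructed samples, not
the file any distribution ships; Match and Include directives are not modelled.

```python
"""Audit an OpenSSH client configuration for the effective ForwardX11 setting.

Added example (not from the mail): it reads ssh_config the way ssh(1) does,
i.e. Host blocks in file order, first obtained value for an option wins.
Match blocks and Include directives are not modelled.
"""
import re

# Constructed sample: X11 forwarding switched on for every host, the default
# the mail argues a distribution must not ship.
WEAK_SSH_CONFIG = """\
# /etc/ssh/ssh_config (constructed, weak default)
Host *
    ForwardX11 yes
    ForwardAgent no
"""

# Constructed sample: forwarding off by default, enabled only for one host the
# user has decided to trust. The specific block must come before 'Host *'.
HARDENED_SSH_CONFIG = """\
# /etc/ssh/ssh_config (constructed, hardened default)
Host trusted-workstation.example
    ForwardX11 yes

Host *
    ForwardX11 no
    ForwardAgent no
"""

# Accepts both 'Key value' and 'Key=value' forms, as ssh_config(5) does.
_LINE = re.compile(r"^(\w+)\s*=?\s*(.*)$")


def parse_ssh_config(text):
    """Return [(host_patterns, {option: value}), ...] in file order.

    Keywords are case-insensitive. Options before the first Host line belong
    to an implicit 'Host *' block. Blocks without options are dropped.
    """
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue  # a line ssh would reject; an audit should not guess
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            if options:
                blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(key, value)  # first value within a block wins
    if options:
        blocks.append((patterns, options))
    return blocks


def host_matches(patterns, host):
    """ssh(1) pattern rules: '*' and '?' wildcards, a leading '!' negates."""
    matched = False
    for pat in patterns:
        negate = pat.startswith("!")
        regex = re.escape(pat.lstrip("!")).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, host):
            if negate:
                return False  # a negated match excludes the whole block
            matched = True
    return matched


def effective_option(blocks, host, option, default=None):
    """The first matching Host block that sets the option supplies its value."""
    option = option.lower()
    for patterns, options in blocks:
        if host_matches(patterns, host) and option in options:
            return options[option]
    return default


def x11_forwarding_enabled(config_text, host):
    """True if 'ssh host' would forward X11 (OpenSSH's built-in default is no)."""
    value = effective_option(parse_ssh_config(config_text), host, "ForwardX11", "no")
    return value.lower() == "yes"


def blocks_enabling_x11(config_text):
    """Host patterns that turn ForwardX11 on; a bare '*' here is the weak default."""
    return [" ".join(patterns)
            for patterns, options in parse_ssh_config(config_text)
            if options.get("forwardx11", "").lower() == "yes"]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSH_CONFIG), ("hardened", HARDENED_SSH_CONFIG)):
        print(name, "blocks enabling X11:", blocks_enabling_x11(cfg))
        for host in ("untrusted.example", "trusted-workstation.example"):
            print("  ", host, "->", x11_forwarding_enabled(cfg, host))
```

To check an installed system, feed it the contents of /etc/ssh/ssh_config in
place of the constructed strings. Keep in mind that ssh(1) consults the user's
~/.ssh/config before the system-wide file, so a per-user file can re-enable
forwarding that the distribution default turned off; running the same parser
over both files, user file first, gives the value ssh will actually use.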


--
  Holger van Lengerich, Dipl.-Inf., GCIA       Telefónica Deutschland GmbH
  Security Manager                                http://www.telefonica.de
  mailto:hvl@telefonica.de             voice: +49 5246 80 -1220 fax: -2220
  GPG Key fingerprint = 2475 FB34 7AD6 60B3 E902  5B83 47D0 3FED 84EA 8E05