
Bug#463011: marked as done (ssh: unprivileged users may hijack forwarded X connections by listening on port 6010)



Your message dated Sat, 22 Mar 2008 13:02:03 +0000
with message-id <E1Jd3MJ-00035g-8L@ries.debian.org>
and subject line Bug#463011: fixed in openssh 1:4.7p1-5
has caused the Debian Bug report #463011,
regarding ssh: unprivileged users may hijack forwarded X connections by listening on port 6010
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
463011: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: ssh
Version: 1:4.3p2-9
Severity: normal
Tags: security

Steps to reproduce:
1) Malice logs in to multiuser.example.com
2) Malice runs netcat -l -p 6010 -v -v
3) Alice logs in to multiuser.example.com and uses X11 forwarding (-X)
4) Alice starts emacs on the remote system (with X forwarding)

Expected results:
3) ssh sets DISPLAY to :11 since :10 would make emacs talk to Malice's
netcat.
4) emacs (xlib) sends MIT-MAGIC-COOKIE to $DISPLAY and Malice can't
see it.

Actual results:
3) ssh fails to listen on port 6010 with ipv4 localhost but does not
try other ports when it can listen using ipv6:

$ sudo netstat -alpn | grep 6010
tcp        0      0 0.0.0.0:6010            0.0.0.0:*               LISTEN     27820/netcat
tcp6       0      0 ::1:6010                :::*                    LISTEN     27823/15

Then ssh sets DISPLAY to ":10" without telling anybody that it is
actually listening only on ipv6 and that Malice controls the ipv4 port.

4) emacs (xlib) sends MIT-MAGIC-COOKIE to 127.0.0.1:6010 and Malice's
   netcat can see it:

listening on [any] 6010 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 58986
lMIT-MAGIC-COOKIE-1...

More info:
1) It seems that specifying "AddressFamily inet" avoids the problem.

2) Easiest way to exploit this is to run "vncserver :10" and allow
anybody to connect to it. When Alice starts her emacs it will open its
window to Malice's VNC server and Malice can type M-x shell to run
shell commands with the privileges of Alice. In fact, I initially hit this
bug when the number of VNC users reached 11 and :10 was no longer
available for ssh, causing mysterious failures.


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-k7
Locale: LANG=C, LC_CTYPE=fi_FI (charmap=ISO-8859-1)

Versions of packages ssh depends on:
ii  openssh-client                1:4.3p2-9  Secure shell client, an rlogin/rsh
ii  openssh-server                1:4.3p2-9  Secure shell server, an rshd repla

ssh recommends no packages.

-- debconf information excluded



--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:4.7p1-5

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_4.7p1-5_i386.udeb
  to pool/main/o/openssh/openssh-client-udeb_4.7p1-5_i386.udeb
openssh-client_4.7p1-5_i386.deb
  to pool/main/o/openssh/openssh-client_4.7p1-5_i386.deb
openssh-server-udeb_4.7p1-5_i386.udeb
  to pool/main/o/openssh/openssh-server-udeb_4.7p1-5_i386.udeb
openssh-server_4.7p1-5_i386.deb
  to pool/main/o/openssh/openssh-server_4.7p1-5_i386.deb
openssh_4.7p1-5.diff.gz
  to pool/main/o/openssh/openssh_4.7p1-5.diff.gz
openssh_4.7p1-5.dsc
  to pool/main/o/openssh/openssh_4.7p1-5.dsc
ssh-askpass-gnome_4.7p1-5_i386.deb
  to pool/main/o/openssh/ssh-askpass-gnome_4.7p1-5_i386.deb
ssh-krb5_4.7p1-5_all.deb
  to pool/main/o/openssh/ssh-krb5_4.7p1-5_all.deb
ssh_4.7p1-5_all.deb
  to pool/main/o/openssh/ssh_4.7p1-5_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 463011@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sat, 22 Mar 2008 12:37:00 +0000
Source: openssh
Binary: openssh-client openssh-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source all i386
Version: 1:4.7p1-5
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - secure shell client, an rlogin/rsh/rcp replacement
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell server, an rshd replacement
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 463011 468563 471437
Changes: 
 openssh (1:4.7p1-5) unstable; urgency=low
 .
   * Recommends: xauth rather than Suggests: xbase-clients.
   * Document in ssh(1) that '-S none' disables connection sharing
     (closes: #471437).
   * Patch from Red Hat / Fedora:
     - SECURITY: Don't use X11 forwarding port which can't be bound on all
       address families, preventing hijacking of X11 forwarding by
       unprivileged users when both IPv4 and IPv6 are configured (closes:
       #463011).
   * Use printf rather than echo -en (a bashism) in openssh-server.config and
     openssh-server.preinst.
   * debconf template translations:
     - Update Finnish (thanks, Esko Arajärvi; closes: #468563).
Files: 
 ab0704790dd6cd1ed05c53acaa14618b 1104 net standard openssh_4.7p1-5.dsc
 de3876a70bacdad310f18fb41d50c900 187533 net standard openssh_4.7p1-5.diff.gz
 e882d86eee0e147f5e5c3692ea2c5aca 1040 net extra ssh_4.7p1-5_all.deb
 3cb62a15cd49e27929ac1371cebb9846 87866 net extra ssh-krb5_4.7p1-5_all.deb
 872c383e134dd329d23ab5323547736c 662368 net standard openssh-client_4.7p1-5_i386.deb
 f6ac89a0c92822ecd334a351c6de7ab8 245170 net optional openssh-server_4.7p1-5_i386.deb
 932310d414eaee6417206c08a351baed 95366 gnome optional ssh-askpass-gnome_4.7p1-5_i386.deb
 96618c089325bc509e85d079f7b8dd77 158528 debian-installer optional openssh-client-udeb_4.7p1-5_i386.udeb
 3aec92fd3244e7664eafd71d9f13d14c 169116 debian-installer optional openssh-server-udeb_4.7p1-5_i386.udeb
Package-Type: udeb




--- End Message ---
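The display-number search that the bug report and the changelog entry above are about, as an added example that is not part of the bug report and not OpenSSH's own code: a Python sketch of how an X11 forwarding port is chosen. `require_all_families=True` implements the 1:4.7p1-5 rule (a display number whose port is already in use on any address family is rejected), while `False` approximates the pre-fix behaviour the report describes (the port is kept as long as one family binds, so DISPLAY :10 can end up listening on ::1 only while 127.0.0.1:6010 belongs to someone else). `ipv4_only_listener` is a constructed stand-in for the report's step 2; all function and parameter names here are assumptions, not OpenSSH identifiers.

```python
import errno
import socket

X11_BASE_PORT = 6000  # X display :N is reached on TCP port 6000 + N
# Loopback addresses sshd binds for "X11UseLocalhost yes", one per family.
LOOPBACK = ((socket.AF_INET, "127.0.0.1"), (socket.AF_INET6, "::1"))

def bind_display_port(port, require_all_families=True):
    """Listen on one X11 forwarding port on every loopback family.

    Returns the bound sockets, or [] when the port must be rejected.
    True = the 1:4.7p1-5 rule (EADDRINUSE on any family rejects the port);
    False = approximates the pre-fix rule (keep the port while one family binds).
    """
    socks = []
    for family, addr in LOOPBACK:
        try:
            s = socket.socket(family, socket.SOCK_STREAM)
        except OSError:
            continue  # family not available on this host: skipped in both modes
        try:
            s.bind((addr, port))
            s.listen(5)
        except OSError as e:
            s.close()
            if e.errno == errno.EADDRINUSE and require_all_families:
                for bound in socks:
                    bound.close()
                return []  # another process already owns this port on one family
            continue  # e.g. EADDRNOTAVAIL: no loopback address for this family
        socks.append(s)
    return socks

def pick_display(first=10, max_displays=1000, base_port=X11_BASE_PORT,
                 require_all_families=True):
    """First display with a usable port: (display, sockets), or (None, [])."""
    for n in range(first, max_displays):
        socks = bind_display_port(base_port + n, require_all_families)
        if socks:
            return n, socks
    return None, []

def ipv4_only_listener(port):
    """Constructed stand-in for the report's step 2: hold only 127.0.0.1:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", port))
    s.listen(1)
    return s
```

With the IPv4 side of a port held by `ipv4_only_listener`, the fixed rule skips that display number entirely, whereas the approximated pre-fix rule hands it out listening on ::1 alone whenever IPv6 loopback is configured.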