
Bug#525435: X11 forwarding points $DISPLAY at reusable resource



Package: openssh-server

When logging in with X11 forwarding enabled, the $DISPLAY environment variable
may outlive the forwarding socket it points at. As a result, X11 clients may
eventually open a socket controlled by another user and display on the wrong
screen with potential security implications.

To reproduce:

  $ ssh -X importantuser@somemachine
  somemachine$ echo $DISPLAY
  localhost:10.0
  somemachine$ screen -S longlasting -d -m 
  somemachine$ logout

  $ Xserver :1
  $ export DISPLAY=:1 
  $ xauth + # Make the target X server accept any clients
  $ ssh -R 6010:localhost:6001 peon@somemachine sleep 10d

Later, the important user or their long-running process launches some X
client. It shows up on the display controlled by peon:

  $ ssh -X importantuser@somemachine
  $ echo $DISPLAY
  localhost:23.0
  $ screen -r longlasting
  $ echo $DISPLAY
  localhost:10.0
  $ xterm

Potential fixes:

* sshd should use unix domain sockets instead of TCP, and should leave the
  socket file behind when the user logs out to prevent reuse.

* X11 clients should authenticate the server in addition to the other way
  around (maybe requires fundamental changes in xlib)

-- 
Brian Ristuccia
brian@ristuccia.com


