Bug#525435: X11 forwarding points $DISPLAY at reusable resource
Package: openssh-server
When logging in with X11 forwarding enabled, the $DISPLAY environment variable
may outlive the forwarding socket it points at. As a result, X11 clients may
eventually open a socket controlled by another user and display on the wrong
screen, with potential security implications.
To reproduce:
$ ssh -X importantuser@somemachine
somemachine$ echo $DISPLAY
localhost:10.0
somemachine$ screen -S longlasting -d -m
somemachine$ logout
$ Xserver :1
$ export DISPLAY=:1
$ xhost + # Make the target X server accept any clients
$ ssh -R 6010:localhost:6001 peon@somemachine sleep 10d
Later, the important user or their long-running process launches some X
client. It shows up on the display controlled by peon:
$ ssh -X importantuser@somemachine
$ echo $DISPLAY
localhost:23.0
$ screen -r longlasting
$ echo $DISPLAY
localhost:10.0
$ xterm
Potential fixes:
* sshd should use unix domain sockets instead of TCP, and should leave the
socket file behind when the user logs out to prevent reuse.
* X11 clients should authenticate the server in addition to the other way
around (maybe requires fundamental changes in xlib)
--
Brian Ristuccia
brian@ristuccia.com
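A defender-side check for the condition described in this report, added here as an example and not part of the original bug report or of OpenSSH: before a long-lived session (such as the detached screen above) launches an X client, verify that the TCP port behind $DISPLAY (6000 plus the display number) is currently held by a listener owned by the current uid. In the report's scenario the stale port 6010 would be held by the sshd child that serves peon's `ssh -R` session, which runs under peon's uid, so the check reports a foreign owner. The /proc/net/tcp text below is constructed sample data modelled on that scenario (uid 1000 stands for importantuser, 1001 for peon); the function and constant names are this example's own.

```python
import os
import re

# /proc/net/tcp state code for a listening socket
TCP_LISTEN = "0A"
# X11 over TCP: display :N listens on port 6000 + N
X11_BASE_PORT = 6000

# Constructed sample of /proc/net/tcp (not captured from a real host):
#   0x177A = 6010 (display :10) held by uid 1001 (peon's sshd -R listener)
#   0x1787 = 6023 (display :23) held by uid 1000 (importantuser's X11 forward)
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:177A 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 41120 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1787 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 41377 1 0000000000000000 100 0 0 10 0
"""


def parse_display(display):
    """Split a DISPLAY string such as 'localhost:10.0' into (host, display_number).
    A unix-socket display like ':0' yields host ''."""
    m = re.fullmatch(r"([^:]*):(\d+)(?:\.\d+)?", display)
    if not m:
        raise ValueError("unrecognised DISPLAY: %r" % display)
    return m.group(1), int(m.group(2))


def listening_uids(proc_net_tcp_text):
    """Map local TCP port -> owning uid for every LISTEN socket in /proc/net/tcp text."""
    uids = {}
    for line in proc_net_tcp_text.splitlines():
        fields = line.split()
        # data rows start with a slot number like '0:'; the header row does not
        if len(fields) < 8 or not fields[0].endswith(":"):
            continue
        local_addr, state, uid = fields[1], fields[3], fields[7]
        if state != TCP_LISTEN:
            continue
        port = int(local_addr.split(":")[1], 16)  # port is hex in /proc/net/tcp
        uids[port] = int(uid)
    return uids


def check_display(display, my_uid, proc_net_tcp_text):
    """Classify the listener behind DISPLAY as 'ok', 'foreign-owner',
    'no-listener', or 'unix-socket' (not a TCP display, out of scope here)."""
    host, number = parse_display(display)
    if host == "":
        return "unix-socket"
    port = X11_BASE_PORT + number
    owner = listening_uids(proc_net_tcp_text).get(port)
    if owner is None:
        return "no-listener"
    if owner != my_uid:
        return "foreign-owner"
    return "ok"


def check_current_display():
    """Run the check against the live host: real $DISPLAY, uid and /proc/net/tcp."""
    display = os.environ.get("DISPLAY")
    if not display:
        return "no-display"
    with open("/proc/net/tcp") as fh:
        return check_display(display, os.getuid(), fh.read())


if __name__ == "__main__":
    # Replay the report's scenario on the constructed sample, then the live host.
    for disp in ("localhost:23.0", "localhost:10.0"):
        print(disp, "->", check_display(disp, 1000, SAMPLE_PROC_NET_TCP))
    if os.path.exists("/proc/net/tcp"):
        print("this session ->", check_current_display())
```

The owner test catches the case in the report (a port rebound by another user's sshd child) but not a port reused by a later session of the same user, and it reads only /proc/net/tcp, so an IPv6 listener in /proc/net/tcp6 would show up as "no-listener"; treat anything other than "ok" as a reason not to launch the client from that session.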