
openssh.forwarding.txt

Posted Nov 15, 2000
Site openssh.com

All versions of the OpenSSH ssh client prior to 2.3.0 have a vulnerability which allows malicious OpenSSH servers to turn on port forwarding even if it is disabled in the client configuration, allowing hostile servers to access your X11 display or your ssh-agent. Newest version available here.

tags | exploit
SHA-256 | 88a6f152715ed2102ed19a929d57f787c9dc819200cd2d44c5c2953c5a65bd70

Hostile servers can force OpenSSH clients to do agent or X11 forwarding

1. Systems affected:

All versions of OpenSSH prior to 2.3.0 are affected.

2. Description:

If agent or X11 forwarding is disabled in the ssh client
configuration, the client does not request these features
during session setup. This is the correct behaviour.

However, when the ssh client receives an actual request
asking for access to the ssh-agent, the client fails to
check whether this feature has been negotiated during session
setup. The client does not check whether the request is in
compliance with the client configuration and grants access
to the ssh-agent. A similar problem exists in the X11
forwarding implementation.
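
The missing check described above, as an added model that is not OpenSSH code: a client records what it negotiated at session setup, and a later open request from the server is granted only if it matches that state. All names here (FEAT_AGENT, struct client, open_checked and the rest) are constructed for the illustration.

```c
#include <stdio.h>

/* Constructed names for this model; they are not OpenSSH identifiers. */
enum { FEAT_AGENT, FEAT_X11, FEAT_COUNT };

struct client {
    int allowed[FEAT_COUNT];    /* client configuration: is forwarding enabled? */
    int negotiated[FEAT_COUNT]; /* set only for features this client requested */
};

/* Session setup: request only what the configuration allows, and record
 * a feature as negotiated only if the server also accepted the request. */
static void session_setup(struct client *c, const int server_accepts[FEAT_COUNT])
{
    for (int f = 0; f < FEAT_COUNT; f++)
        c->negotiated[f] = c->allowed[f] && server_accepts[f];
}

/* Flawed handling: any well-formed open request from the server is granted. */
static int open_unchecked(const struct client *c, int feature)
{
    (void)c;
    return feature >= 0 && feature < FEAT_COUNT;
}

/* Checked handling: grant only what this session actually negotiated. */
static int open_checked(const struct client *c, int feature)
{
    if (feature < 0 || feature >= FEAT_COUNT)
        return 0;
    return c->negotiated[feature];
}

/* Simulate a server that accepts every setup request and then sends an
 * open request for `feature`. Returns 1 if the client grants access. */
int server_sends_open(int checked, int allow_agent, int allow_x11, int feature)
{
    struct client c = { { allow_agent, allow_x11 }, { 0, 0 } };
    const int accepts[FEAT_COUNT] = { 1, 1 };
    session_setup(&c, accepts);
    return checked ? open_checked(&c, feature) : open_unchecked(&c, feature);
}

int main(void)
{
    printf("unchecked, agent off: %d\n", server_sends_open(0, 0, 0, FEAT_AGENT));
    printf("checked,   agent off: %d\n", server_sends_open(1, 0, 0, FEAT_AGENT));
    printf("checked,   x11 on:    %d\n", server_sends_open(1, 0, 1, FEAT_X11));
    return 0;
}
```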

3. Impact:

Hostile servers can access your X11 display or your ssh-agent.

4. Short Term Solution:

Clear both the $DISPLAY and the $SSH_AUTH_SOCK variables
before connecting to untrusted hosts:

% unset SSH_AUTH_SOCK; unset DISPLAY; ssh host

5. Solution:

Upgrade to OpenSSH-2.3.0 or apply the attached patch.
OpenSSH-2.3.0 is available from www.openssh.com.

6. Credits:

Thanks to Jacob Langseth <jwl@pobox.com> for pointing
out the X11 forwarding issue.

Appendix:

Patch against openssh-2.2.0

--- /openssh-2.2.0/clientloop.c Sun Aug 20 00:21:19 2000
+++ ssh/clientloop.c Fri Nov 10 13:54:42 2000
@@ -32,6 +32,8 @@
#include "buffer.h"
#include "bufaux.h"

+extern Options options;
+
/* Flag indicating that stdin should be redirected from /dev/null. */
extern int stdin_null_flag;

@@ -750,7 +752,6 @@
int
client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
{
- extern Options options;
double start_time, total_time;
int len;
char buf[100];
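Review bot: Dropping the function-local `extern Options options;` from client_loop() leaves the whole file depending on the file-scope `extern Options options;` that the first hunk adds after the includes. Declaring `options` once in a shared header, rather than as a bare extern in clientloop.c, would keep the declaration from drifting away from the definition.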
@@ -993,7 +994,7 @@
debug("client_input_channel_open: ctype %s rchan %d win %d max %d",
ctype, rchan, rwindow, rmaxpack);

- if (strcmp(ctype, "x11") == 0) {
+ if (strcmp(ctype, "x11") == 0 && options.forward_x11) {
int sock;
char *originator;
int originator_port;
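Review bot: With the condition changed to `strcmp(ctype, "x11") == 0 && options.forward_x11`, an x11 open that the configuration forbids now takes the same path as an unrecognised channel type in client_input_channel_open, and that path is not visible in this hunk. Please confirm the fall-through answers the server with an explicit open failure, and consider a debug() line for the refused case so the user can see that a server asked for X11 access while forwarding was disabled.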
@@ -1066,11 +1067,14 @@
dispatch_set(SSH_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_con
firmation);
dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure)
;
dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open);
- dispatch_set(SSH_SMSG_AGENT_OPEN, &auth_input_open_request);
dispatch_set(SSH_SMSG_EXITSTATUS, &client_input_exit_status);
dispatch_set(SSH_SMSG_STDERR_DATA, &client_input_stderr_data);
dispatch_set(SSH_SMSG_STDOUT_DATA, &client_input_stdout_data);
- dispatch_set(SSH_SMSG_X11_OPEN, &x11_input_open);
+
+ dispatch_set(SSH_SMSG_AGENT_OPEN, options.forward_agent ?
+ &auth_input_open_request : NULL);
+ dispatch_set(SSH_SMSG_X11_OPEN, options.forward_x11 ?
+ &x11_input_open : NULL);
}
void
client_init_dispatch_15()
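Review bot: Registering NULL for SSH_SMSG_AGENT_OPEN and SSH_SMSG_X11_OPEN when forwarding is off relies on the dispatch code rejecting a message whose handler is NULL instead of calling through it; that behaviour is not visible here and deserves a short comment above the two new dispatch_set() calls. Also check that client_init_dispatch_15(), which begins in the trailing context, does not register auth_input_open_request or x11_input_open again without the same options.forward_agent / options.forward_x11 test.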