Re: SSH and reverse port forwarding
From: David Oberbeck (dgo@spambegone.microsynetics.com) Date: 05/13/02
- Next message: Doug Moore: "Re: SSH and reverse port forwarding"
- Previous message: Bill Unruh: "stop clearscreen at end of sh session?"
- In reply to: Doug Moore: "SSH and reverse port forwarding"
- Next in thread: Simon Tatham: "Re: SSH and reverse port forwarding"
- Reply: Simon Tatham: "Re: SSH and reverse port forwarding"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: David Oberbeck <dgo@spambegone.microsynetics.com> Date: Sun, 12 May 2002 21:57:33 -0600
In <abjk5r$ht$1@slb0.atl.mindspring.net>, Doug Moore wrote:
> I have a question. I am wondering if anyone else has run across this feature or am
> I just poking around in parts of the program that no one goes.
>
> Using the reverse port forwarding feature of the SSH client and server I connect to
> my remote SSH server with the command: SSH R6000:localhost:6000 user@machine.com
> What this does, for the users who don't recognize the syntax, is when I am connected
> to the remote machine it will listen on port 6000 for traffic. If it sees traffic
> it will forward that traffic back through the SSH tunnel and send the traffic to
> my machine on port 6000.
>
> The HUGE security flaw that I am seeing here and have tested is that anyone that is
> logged into that machine with the DISPLAY environment variable set to localhost:0.0
> or just :0.0, when they start up an xclient application, that traffic will come
> across to my machine even though I am not the user who started the xclient
> application.
>
> I have tested this and it works. I logged into a friend's machine with my account.
> I listened on port 6000 with reverse port forwarding. I asked my friend to log in
> to the machine and set his DISPLAY to localhost:0.0. I then asked him to start
> xterm. About 15 seconds later an xterm window popped up on my screen as his user. I
> then asked him to log in to the same machine with the root account, set the display, and
> start an xterm window. Again 15 seconds later I had an xterm window on my screen as
> the root user.
>
> Is this a feature or a security flaw?
>
> Doug Moore
Greetings to the List,
Firstly, it's very clear to me that the earlier two respondents
(Messrs Neil and Simon) to this thread (a) have not thought this
through, and (b) have not replicated the situation.
I have confirmed this. It appears that if a malicious user sets up
port 6000 as a reverse forwarded port, and another user misconfigures
their DISPLAY variable, the malicious user could end up with the
misconfigured user's X session and app(s). If that user was root
(which, granted, is relatively unlikely, since an SA would rarely misconfigure
their DISPLAY environment variable, but still possible) the malicious
user now has a root prompt on that system.
I am surprised that the X forwarding does not seem to check the
permissions of the individual doing the reverse forwarding.
Is there a way to prevent this?
Regards,
David
-- "Entropy Requires No Maintenance"
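Two checks an administrator might run on a shared host to answer David's "is there a way to prevent this?" question. This is an added example, not code from the thread: it audits whether sshd still permits remote (-R) forwards via the real `AllowTcpForwarding` keyword, and flags any listener on the X11 port range (6000-6063) that is not owned by an X server, which is what `ssh -R 6000:localhost:6000` leaves behind on the remote machine. The `ss -ltnp` line layout and the X server process names (X, Xorg, Xvnc, Xvfb) are assumptions; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Both functions read from stdin so they
# can be fed live output (`sshd -T`, `ss -ltnp`) or the constructed samples below.

# Prints the effective AllowTcpForwarding value (sshd uses the first match;
# Match blocks are not handled here). Returns 0 if -R forwards are blocked
# ("no" or "local"), 1 otherwise, including the OpenSSH default "yes" when unset.
remote_forwarding_blocked() {
    awk '
        tolower($1) == "allowtcpforwarding" && !seen { val = tolower($2); seen = 1 }
        END {
            if (!seen) val = "yes"
            print "AllowTcpForwarding " val
            exit (val == "no" || val == "local") ? 0 : 1
        }
    '
}

# Prints every LISTEN socket on ports 6000-6063 (X displays :0 to :63) whose
# owning process is not an X server; returns 0 if one is found, 1 otherwise.
# Assumed input shape: `ss -ltnp`, local address in field 4, process in the last.
suspicious_x11_listeners() {
    awk '
        $1 == "LISTEN" {
            n = split($4, a, ":"); port = a[n] + 0
            if (port >= 6000 && port <= 6063 && $NF !~ /\("X(org|vnc|vfb)?"/) {
                print; found = 1
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed samples standing in for `sshd -T` and `ss -ltnp` output.
SAMPLE_CONFIG='port 22
allowtcpforwarding yes
x11forwarding yes'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=811,fd=3))
LISTEN 0      128    127.0.0.1:6000    0.0.0.0:*         users:(("sshd",pid=4711,fd=9))
LISTEN 0      128    *:6001            *:*               users:(("Xorg",pid=1200,fd=6))'

printf '%s\n' "$SAMPLE_CONFIG" | remote_forwarding_blocked || echo "remote forwards still allowed"
printf '%s\n' "$SAMPLE_SS" | suspicious_x11_listeners && echo "non-X listener on an X11 port found"
```

With the sample data the first check reports that `-R` forwards are still allowed and the second prints the sshd-owned listener on 127.0.0.1:6000 while ignoring the Xorg display on 6001.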