Re: SSH and reverse port forwarding

From: Simon Tatham (
Date: 05/13/02

From: Simon Tatham <>
Date: 13 May 2002 09:02:47 +0100 (BST)

David Oberbeck <> wrote:
> I have confirmed this. It appears that if a malicious user sets up
> port 6000 as a reverse forwarded port, and another user misconfigures
> their DISPLAY variable, the malicious user could end up with the
> mis-configured user's X session and app(s).

But the big question is, why was that malicious user able to bind to
port 6000 in the first place? Surely the real X server should
already have been listening on it?

> I am surprised that the X forwarding does not seem to check the
> permissions of the individual doing the reverse forwarding.

But this isn't an X forwarding issue. If you (as a malicious user)
can ask an SSH server to bind to port 6000 on your behalf, then you
could just as easily log in and run a small _program_ that bound to
port 6000. Even something as simple as nc. Are you saying that _all_
programs that can bind to ports should be careful to refuse to bind
to port 6000? And even if so, what if the malicious user compiles
his own?

Ultimately, the problem is that port 6000 is bindable by users at
all, not that the SSH server in particular fails to refuse to bind
it. This is why most general services on Unix machines are on port
numbers below 1024 - so that users _can't_ bind them and pretend to
be the real services. Failing that, the other option is to keep port
6000 permanently bound (by the real X server) so that malicious user
programs can't bind it themselves.

I still don't see why this has anything to do with SSH, though. At
worst it's a Unix security flaw, or perhaps an X flaw.

Simon Tatham         "Happiness is having a large, warm, loving,
<>    caring, close-knit family in another city."

Relevant Pages