Re: SSH and reverse port forwarding

From: Ian Gregory (I.H.Gregory@herts.ac.uk)
Date: 05/13/02


From: I.H.Gregory@herts.ac.uk (Ian Gregory)
Date: 13 May 2002 10:12:04 GMT

Simon Tatham wrote:

>But the big question is, why was that malicious user able to bind to
>port 6000 in the first place? Surely the real X server should
>already have been listening on it?

Easy: note that Xsun listens on *.6000.

ihg0(515)$ netstat -an|grep 6000
      *.6000 *.* 0 0 24576 0 LISTEN

So I can bind something else to localhost.6000.

ihg0(512)$ nc -l -s localhost -p 6000 localhost 2 &

hg0(513)$ netstat -a|grep 6000
      *.6000 *.* 0 0 24576 0 LISTEN
localhost.6000 *.* 0 0 24576 0 LISTEN

The problem is that Xsun ONLY binds to the wildcard. For security
it should perhaps bind to every configured interface.

On the other hand, when using X forwarding, Xsun does not need to
listen on any interfaces (even localhost) because all forwarded
connections end up connecting locally to the UNIX domain socket
/tmp/.X11-unix/X0.

Unfortunately there is no way to tell Xsun NOT to listen on *.6000.

-- 
Ian Gregory
Systems and Applications Manager
Learning and Information Services
University of Hertfordshire

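As an added illustration (not part of the thread, and not Xsun or PuTTY code), a small Python audit that recreates the scenario above on the local machine: it starts a TCP listener bound either the way Xsun does (the wildcard address) or the way the post recommends (an explicit interface address), then checks whether the kernel accepts a second, loopback-specific bind on the same port, which is what lets a second process shadow the real listener for localhost connections. The wildcard result is OS dependent (the Solaris host in the post accepted it; Linux refuses while the wildcard socket is listening), while the explicit-address case is refused everywhere; the port number is chosen by the OS, so nothing here assumes port 6000 is free.

```python
import errno
import socket


def _listener(bind_addr, port=0):
    """TCP listener bound like a daemon that does not set SO_REUSEADDR.
    port=0 asks the OS for a free ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_addr, port))
    srv.listen(5)
    return srv


def specific_bind_allowed(port, addr="127.0.0.1"):
    """Return True if a second socket may bind addr:port while another
    socket already holds that port (the condition in the post: a
    wildcard listener on *.6000 did not block localhost.6000), False if
    the kernel refuses with EADDRINUSE.  SO_REUSEADDR is set on the probe
    because most network tools set it by default."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        probe.bind((addr, port))
        return True
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return False
        raise
    finally:
        probe.close()


def audit(bind_addr):
    """Bind a listener on bind_addr and report (port, shadowable).
    bind_addr="0.0.0.0" models Xsun's wildcard bind; "127.0.0.1" models
    binding each configured interface explicitly, as the post suggests."""
    srv = _listener(bind_addr)
    port = srv.getsockname()[1]
    try:
        return port, specific_bind_allowed(port)
    finally:
        srv.close()


if __name__ == "__main__":
    for addr in ("0.0.0.0", "127.0.0.1"):
        port, shadowable = audit(addr)
        print(f"listener on {addr}:{port}: loopback-specific bind "
              f"{'ACCEPTED' if shadowable else 'refused'}")
```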