Re: SSH and reverse port forwarding

From: Ian Gregory
Date: 05/13/02

From: (Ian Gregory)
Date: 13 May 2002 10:12:04 GMT

Simon Tatham wrote:

>But the big question is, why was that malicious user able to bind to
>port 6000 in the first place? Surely the real X server should
>already have been listening on it?

Easy: note that Xsun listens on *.6000.

ihg0(515)$ netstat -an|grep 6000
      *.6000 *.* 0 0 24576 0 LISTEN

So I can bind something else to localhost.6000.

ihg0(512)$ nc -l -s localhost -p 6000 localhost 2 &

hg0(513)$ netstat -a|grep 6000
      *.6000 *.* 0 0 24576 0 LISTEN
localhost.6000 *.* 0 0 24576 0 LISTEN

The problem is that Xsun ONLY binds to the wildcard. For security
it should perhaps bind to every configured interface.

On the other hand, when using X forwarding, Xsun does not need to
listen on any interfaces (even localhost) because all forwarded
connections end up connecting locally to the UNIX domain socket.

Unfortunately there is no way to tell Xsun NOT to listen on *.6000.

Ian Gregory
Systems and Applications Manager
Learning and Information Services
University of Hertfordshire
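The localhost.6000 shadowing shown in the netstat output above is easy to spot once you look for a port that has both a wildcard listener and a more specific bind. The following is an added example, not code from the thread, that flags such ports in the Solaris `host.port` layout quoted above and, going slightly beyond the post, in the Linux/BSD `host:port` layout as well; the sample netstat output is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the Solaris 'netstat -an' layout from the post: the
# wildcard X listener on port 6000 plus a second socket bound to localhost.6000.
SAMPLE_NETSTAT = """\
      *.22           *.*            0      0 24576      0 LISTEN
      *.6000         *.*            0      0 24576      0 LISTEN
localhost.6000       *.*            0      0 24576      0 LISTEN
localhost.6010       *.*            0      0 24576      0 LISTEN
"""

# Local-address field: 'host.port' (Solaris) or 'host:port' (Linux/BSD).
# The greedy group keeps dotted IPs and bracketed IPv6 intact.
ADDR_RE = re.compile(r"^(.+)[.:](\d+)$")
WILDCARDS = {"*", "0.0.0.0", "::", "[::]"}


def parse_listeners(text):
    """Return [(host, port)] for every LISTEN line of 'netstat -a' output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[-1] != "LISTEN":
            continue
        # The first field that looks like an address is the local address
        # (field 0 on Solaris, field 3 on Linux after proto/Recv-Q/Send-Q).
        for field in fields:
            m = ADDR_RE.match(field)
            if m:
                listeners.append((m.group(1), int(m.group(2))))
                break
    return listeners


def shadowed_ports(listeners):
    """Map port -> specific hosts that coexist with a wildcard listener.

    A bind to a specific address wins for connections to that address, so a
    local client of the wildcard service (e.g. X on :0) reaches the other socket.
    """
    by_port = defaultdict(set)
    for host, port in listeners:
        by_port[port].add(host)
    return {port: sorted(h for h in hosts if h not in WILDCARDS)
            for port, hosts in by_port.items()
            if hosts & WILDCARDS and hosts - WILDCARDS}


if __name__ == "__main__":
    for port, hosts in shadowed_ports(parse_listeners(SAMPLE_NETSTAT)).items():
        print(f"port {port}: wildcard listener shadowed by {', '.join(hosts)}")
```

Pipe real `netstat -an` output into `parse_listeners` to audit a host; any port it reports deserves the same question Simon asked about 6000.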