Re: SSH and reverse port forwarding

From: Ian Gregory (I.H.Gregory@herts.ac.uk)
Date: 05/13/02


From: I.H.Gregory@herts.ac.uk (Ian Gregory)
Date: 13 May 2002 10:12:04 GMT

Simon Tatham wrote:

>But the big question is, why was that malicious user able to bind to
>port 6000 in the first place? Surely the real X server should
>already have been listening on it?

Easy: note that Xsun listens on *.6000.

ihg0(515)$ netstat -an|grep 6000
      *.6000 *.* 0 0 24576 0 LISTEN

So I can bind something else to localhost.6000:

ihg0(512)$ nc -l -s localhost -p 6000 localhost 2 &

ihg0(513)$ netstat -a|grep 6000
      *.6000 *.* 0 0 24576 0 LISTEN
localhost.6000 *.* 0 0 24576 0 LISTEN

The problem is that Xsun ONLY binds to the wildcard. For security
it should perhaps bind to every configured interface.

On the other hand, when using X forwarding, Xsun does not need to
listen on any interfaces (even localhost) because all forwarded
connections end up connecting locally to the UNIX domain socket
/tmp/.X11-unix/X0.

Unfortunately there is no way to tell Xsun NOT to listen on *.6000.

-- 
Ian Gregory
Systems and Applications Manager
Learning and Information Services
University of Hertfordshire
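The post above shows, on Solaris, a second socket being bound to localhost.6000 in front of Xsun's wildcard listener on *.6000. Whether a host allows that depends on the kernel's bind() conflict rules, so a defender auditing a system wants to check it rather than assume. The script below is an added example written for this page, not code from the thread: it opens a wildcard listener on a kernel-chosen ephemeral port (not 6000, so it never touches a real X server), then tries to bind a loopback-specific socket to the same port, with and without SO_REUSEADDR, and reports whether the shadow bind was accepted. The function names (can_shadow, audit) are this example's own.

```python
import errno
import socket
import sys

IS_LINUX = sys.platform.startswith("linux")


def can_shadow(holder_addr, shadow_addr, reuse_addr=False):
    """Bind a listening socket on (holder_addr, ephemeral port), then try to
    bind a second socket to (shadow_addr, same port).  Return True if the
    second bind succeeds, i.e. this kernel lets a more specific (or equal)
    address sit in front of an existing listener on the same port."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    shadow = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        holder.bind((holder_addr, 0))   # port 0: kernel picks a free port
        holder.listen(1)
        port = holder.getsockname()[1]
        if reuse_addr:
            shadow.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            shadow.bind((shadow_addr, port))
        except OSError as exc:
            if exc.errno in (errno.EADDRINUSE, errno.EACCES):
                return False            # kernel refused the shadow bind
            raise
        return True                     # shadow bind accepted
    finally:
        shadow.close()
        holder.close()


def audit():
    """Check this host's behaviour for the case described in the post
    (wildcard listener vs. loopback-specific bind) plus a control case."""
    return {
        "wildcard_shadowed_by_loopback": can_shadow("0.0.0.0", "127.0.0.1"),
        "wildcard_shadowed_with_reuseaddr": can_shadow("0.0.0.0", "127.0.0.1", True),
        "same_address_twice": can_shadow("127.0.0.1", "127.0.0.1"),
    }


if __name__ == "__main__":
    for name, value in audit().items():
        print(f"{name}: {'YES' if value else 'no'}")
```

A "YES" in the first line means a local user could do on this host what the post shows on Solaris; on Linux, a listening wildcard socket blocks the specific bind even with SO_REUSEADDR, so both wildcard lines report "no".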