
Title: OpenSSH Security Advisory
Released by:
Date: 13th November 2000
Hostile servers can force OpenSSH clients to do agent or X11 forwarding

1. Systems affected:

All versions of OpenSSH prior to 2.3.0 are affected.

2. Description:

If agent or X11 forwarding is disabled in the ssh client
configuration, the client does not request these features
during session setup.  This is the correct behaviour.

However, when the ssh client receives an actual request
asking for access to the ssh-agent, the client fails to
check whether this feature has been negotiated during session
setup.  The client does not check whether the request is in
compliance with the client configuration and grants access
to the ssh-agent.  A similar problem exists in the X11
forwarding implementation.
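
The missing check described above, as a toy C model added here (not OpenSSH code; the message names, `struct client_opts` and the handler functions are illustrative assumptions). The unchecked setup installs the forwarding handlers regardless of configuration; the checked setup installs them only when the option is enabled, in the manner of the appended patch.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model: all names below are illustrative, not OpenSSH's own definitions. */
enum { MSG_STDOUT_DATA, MSG_X11_OPEN, MSG_AGENT_OPEN, MSG_MAX };

struct client_opts { int forward_agent; int forward_x11; };

typedef int (*handler_fn)(void);           /* returns 1 if access was granted */
static handler_fn dispatch[MSG_MAX];

static int stdout_data(void) { return 0; } /* ordinary traffic, grants nothing */
static int open_x11(void)    { return 1; } /* would connect to the local display */
static int open_agent(void)  { return 1; } /* would connect to the local ssh-agent */

/* Pre-fix behaviour: handlers are installed whatever the user configured. */
void init_dispatch_unchecked(const struct client_opts *o)
{
    (void)o;
    dispatch[MSG_STDOUT_DATA] = stdout_data;
    dispatch[MSG_X11_OPEN]    = open_x11;
    dispatch[MSG_AGENT_OPEN]  = open_agent;
}

/* Fixed behaviour: a forwarding handler exists only if the option is enabled. */
void init_dispatch_checked(const struct client_opts *o)
{
    dispatch[MSG_STDOUT_DATA] = stdout_data;
    dispatch[MSG_X11_OPEN]    = o->forward_x11   ? open_x11   : NULL;
    dispatch[MSG_AGENT_OPEN]  = o->forward_agent ? open_agent : NULL;
}

/* A server-driven message arrives. Returns 1 = access granted,
 * 0 = nothing granted, -1 = message rejected as a protocol error. */
int client_receive(int type)
{
    if (type < 0 || type >= MSG_MAX || dispatch[type] == NULL)
        return -1;
    return dispatch[type]();
}

int main(void)
{
    struct client_opts off = { 0, 0 };     /* both forwardings disabled */
    init_dispatch_unchecked(&off);
    printf("unchecked: agent=%d x11=%d\n", client_receive(MSG_AGENT_OPEN), client_receive(MSG_X11_OPEN));
    init_dispatch_checked(&off);
    printf("checked:   agent=%d x11=%d\n", client_receive(MSG_AGENT_OPEN), client_receive(MSG_X11_OPEN));
    return 0;
}
```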



3. Impact:

Hostile servers can access your X11 display or your ssh-agent.

4. Short Term Solution:

Clear both the $DISPLAY and the $SSH_AUTH_SOCK variables
before connecting to untrusted hosts:

% unset SSH_AUTH_SOCK; unset DISPLAY; ssh host

5. Solution:

Upgrade to OpenSSH-2.3.0 or apply the attached patch.
OpenSSH-2.3.0 is available from www.openssh.com.

6. Credits:

Thanks to Jacob Langseth for pointing
out the X11 forwarding issue.

Appendix:

Patch against openssh-2.2.0



--- /openssh-2.2.0/clientloop.c Sun Aug 20 00:21:19 2000

+++ ssh/clientloop.c Fri Nov 10 13:54:42 2000

@@ -32,6 +32,8 @@

 #include "buffer.h"

 #include "bufaux.h"



+extern Options options;

+

 /* Flag indicating that stdin should be redirected from /dev/null. */

 extern int stdin_null_flag;
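
Review bot: The hand-written `extern Options options;` added after the includes is never checked by the compiler against the definition of the variable. If a header already exports this declaration, include that header instead of repeating the declaration in clientloop.c, so a later change to the type cannot silently diverge.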



@@ -750,7 +752,6 @@

 int

 client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)

 {

- extern Options options;

  double start_time, total_time;

  int len;

  char buf[100];

@@ -993,7 +994,7 @@

  debug("client_input_channel_open: ctype %s rchan %d win %d max %d",

      ctype, rchan, rwindow, rmaxpack);



- if (strcmp(ctype, "x11") == 0) {

+ if (strcmp(ctype, "x11") == 0 && options.forward_x11) {

  int sock;

  char *originator;

  int originator_port;
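
Review bot: With `&& options.forward_x11` on the `strcmp(ctype, "x11")` test, a refused "x11" open now falls through to code that is not visible in this hunk. Please confirm that path answers with an open failure and logs the rejected request, since an unsolicited X11 open from a server is worth recording. Note also that the guard tests the configured option rather than whether X11 forwarding was actually requested and accepted during session setup, which is the check the advisory describes as missing; if the two can differ, track the negotiated state and test that instead.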

@@ -1066,11 +1067,14 @@

  dispatch_set(SSH_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation);

  dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);

  dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open);

- dispatch_set(SSH_SMSG_AGENT_OPEN, &auth_input_open_request);

  dispatch_set(SSH_SMSG_EXITSTATUS, &client_input_exit_status);

  dispatch_set(SSH_SMSG_STDERR_DATA, &client_input_stderr_data);

  dispatch_set(SSH_SMSG_STDOUT_DATA, &client_input_stdout_data);

- dispatch_set(SSH_SMSG_X11_OPEN, &x11_input_open);

+

+ dispatch_set(SSH_SMSG_AGENT_OPEN, options.forward_agent ?

+     &auth_input_open_request : NULL);

+ dispatch_set(SSH_SMSG_X11_OPEN, options.forward_x11 ?

+     &x11_input_open : NULL);

 }

 void

 client_init_dispatch_15()
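
Review bot: Passing `NULL` to `dispatch_set()` for `SSH_SMSG_AGENT_OPEN` and `SSH_SMSG_X11_OPEN` relies on the dispatcher treating a NULL handler as an unexpected message and rejecting it rather than calling through the pointer; that behaviour is not shown here and should be confirmed or documented in a comment at these calls. The option values are also read once when the table is built, so they must be final by then. The trailing context shows `client_init_dispatch_15()` directly below: if it installs its own handlers for these two message types, it needs the same conditional.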







