[Bug 3695] X11 forwarding via UNIX socket instead of 127.0.0.1

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Aug 9 22:31:29 AEST 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3695

--- Comment #1 from kolAflash at kolahilft.de ---
Recent developments:

https://lwn.net/Articles/984838/
> 0.0.0.0 Day:
> Exploiting Localhost APIs From the Browser (Oligo Security)

Turns out Unix (Linux, macOS) also maps requests to 0.0.0.0/32 to
127.0.0.1.


WORKAROUND SSH:
Forward X via UNIX socket instead of IP. (bash code for Debian-12)

# Random remote display number; the -R forward fails if
# /tmp/.X11-unix/X${remote_disp} already exists on the remote host.
remote_disp="$(shuf -i1-10000 -n1)"
# Local DISPLAY ":0" or ":0.0" -> local socket /tmp/.X11-unix/X0
local_disp="${DISPLAY#:}"; local_disp="${local_disp%%.*}"

# -R <remote UNIX socket>:<local UNIX socket>; "$@" are the usual ssh
# arguments (user@host ...). The remote socket file is left behind when
# the session ends, hence the rm after the interactive bash.
ssh -t -R "/tmp/.X11-unix/X${remote_disp}:/tmp/.X11-unix/X${local_disp}" "${@}" \
    env "DISPLAY=:${remote_disp}" bash -c "bash; rm -Iv /tmp/.X11-unix/X${remote_disp}"


WORKAROUND BROWSER:
I'm now running my browser in a cgroup which I deny access to these
addresses. (bash code)

# Start the browser in a transient scope under a dedicated slice of the
# user manager; its cgroup v2 path is
# user.slice/user-$UID.slice/user@$UID.service/no_localhost_net.slice/<scope>
systemd-run --user --scope --slice=no_localhost_net WEBBROWSER

# As root: reject TCP from that slice (and its child cgroups) to the
# loopback addresses, IPv4 via iptables and IPv6 via ip6tables.
# -m cgroup --path resolves the cgroup when the rule is inserted, so the
# slice must already exist (start the browser first). bash's $UID is the
# uid of the shell running these commands; under sudo substitute the
# browser user's uid.
browser_uid="${UID}"
cgpath="user.slice/user-${browser_uid}.slice/user@${browser_uid}.service/no_localhost_net.slice"
for ip in 127.0.0.0/8 0.0.0.0/32; do
    iptables -A OUTPUT -p tcp --destination "$ip" -m cgroup --path "$cgpath" -j REJECT
done
ip6tables -A OUTPUT -p tcp --destination ::1/128 -m cgroup --path "$cgpath" -j REJECT

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
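Added example (not part of the bug report or of OpenSSH): a self-contained script that checks the behaviour the comment relies on, namely that a TCP connection addressed to 0.0.0.0 reaches a service bound only to 127.0.0.1, and that the service sees both the 127.0.0.1 and the 0.0.0.0 connection with the same peer address, so binding to loopback alone does not tell it apart. It is written in Python rather than the bash of the workarounds above so that the socket calls are explicit and it runs unchanged on Linux and macOS; the echo server, the ephemeral port and the "hello" payload are constructed for the demonstration.

```python
"""Show that connecting to 0.0.0.0 reaches a listener bound to 127.0.0.1 (Linux, macOS)."""
import socket
import threading


def start_loopback_echo_server(n_conns):
    """Bind an echo server to 127.0.0.1 only, on an OS-chosen port.

    Returns (port, thread, peers); `peers` collects the source address the
    server sees for each accepted connection.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # loopback only, never 0.0.0.0
    srv.listen(n_conns)
    port = srv.getsockname()[1]
    peers = []

    def serve():
        for _ in range(n_conns):
            conn, peer = srv.accept()
            with conn:
                peers.append(peer[0])
                data = conn.recv(1024)
                conn.sendall(b"echo:" + data)
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t, peers


def probe(dest_ip, port, payload=b"hello"):
    """Connect to dest_ip:port and exchange one message.

    Returns (connected, reply); connected is False if the kernel refuses
    the destination (Windows, for instance, rejects 0.0.0.0 as a target).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as c:
        c.settimeout(2)
        try:
            c.connect((dest_ip, port))
        except OSError:
            return False, b""
        c.sendall(payload)
        return True, c.recv(1024)


def demo():
    """Probe the loopback-bound server via 127.0.0.1 and via 0.0.0.0."""
    port, t, peers = start_loopback_echo_server(2)
    results = {}
    for dest in ("127.0.0.1", "0.0.0.0"):
        results[dest] = probe(dest, port)
    t.join(5)
    # Expected on Linux/macOS: both probes succeed and the server records
    # 127.0.0.1 as the peer for both, so it cannot distinguish them.
    return {"results": results, "peers_seen_by_server": peers}


if __name__ == "__main__":
    print(demo())
```

The same property holds for a browser-initiated request: a localhost API that relies on its bind address for protection must check the request's Host and Origin headers, since the destination 0.0.0.0 arrives on the loopback listener like any other local connection.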

