X11 forwarding over SSH - yet another loop-hole ?

Damien Miller djm at mindrot.org
Tue Feb 13 06:46:01 EST 2007


On Mon, 12 Feb 2007, Anand Srinivasan wrote:

> Hi,
> 
> I'm not sure if this is the right place to post this but I recently
> noticed something strange with X11 forwarding over SSH. I was running
> X11 on my Mac (OS X Server 10.4.8) and had two separate SSH sessions
> open to two different Linux boxes (I used the -Y flag). I started
> Firefox on the first box and then subsequently started Firefox on the
> second box. But instead of starting a new process on the second box a
> new process was spawned on the first box - I ran top to verify this
> and there was no Firefox process running on the second box, while
> there were two on the first! I tried this a bunch of times and still
> the same thing happened. I believe this is a security loop-hole in the
> X11 forwarding over SSH. I've also tested this on a Windows box using
> PuTTY and Xming (or any other X windows client) and still the same
> result. I would like to know if this problem has been addressed before
> and if so what is the solution to this. I have also tried connecting
> to the Linux boxes using the SSH -X flag and still the same result.
> Does this mean that -X is not really that secure when compared to -Y?

Firefox does some funky X11 messaging to maintain one Firefox client
per X11 server. I.e. it will message a running client to open a new
window rather than starting a new client. Since this messaging happens
via X11, I don't think it matters whether or not the attempt to start
the second Firefox happens on the same machine.

I'm not seeing the loophole here...

-d


More information about the openssh-unix-dev mailing list