OpenSSH Security Advisory: xauth command injection
Nico Kadel-Garcia
nkadel at gmail.com
Thu Mar 10 23:54:32 AEDT 2016
On Thu, Mar 10, 2016 at 7:10 AM, Damien Miller <djm at openbsd.org> wrote:
> OpenSSH Security Advisory: x11fwd.adv
>
> This document may be found at: http://www.openssh.com/txt/x11fwd.adv
>
> 1. Affected configurations
>
> All versions of OpenSSH prior to 7.2p2 with X11Forwarding
> enabled.
>
> 2. Vulnerability
>
> Missing sanitisation of untrusted input allows an
> authenticated user who is able to request X11 forwarding
> to inject commands to xauth(1).

Ouch.

I'm just trying to figure out under what normal circumstances a
connection with X11 forwarding enabled wouldn't be owned by a user who
already has normal system privileges for ssh, sftp, and scp access. I
suppose it might be an unexpected filesystem access if someone's
public SSH keys are tied to a "ForceCommand" option to run some
X-based application in $HOME/.ssh/authorized_keys, and that is actually
relied on to limit access on the SSH server.

And, of course, there is an XKCD cartoon about sanitizing inputs.
https://xkcd.com/327/
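
As an added example (not part of the original message or of OpenSSH), the Python sketch below audits an authorized_keys file for the case raised above: keys limited by a forced `command=` that still permit X11 forwarding. The function names and sample keys are constructed, options are modelled as applied left to right, and the server-wide X11Forwarding setting in sshd_config is not examined.

```python
import re

# An entry with no options field starts directly with a key type name.
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)[A-Za-z0-9@.\-]+$")

def split_options(line):
    """Return the option strings of one authorized_keys entry ([] if none).
    The field ends at the first whitespace outside double quotes, and a
    backslash-escaped quote inside a quoted value does not close it."""
    if KEY_TYPE.match(line.split(None, 1)[0]):
        return []
    opts, cur, in_q, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_q and line[i + 1:i + 2] == '"':
            cur, i = cur + '\\"', i + 2
            continue
        if c == '"':
            in_q = not in_q
        elif c == "," and not in_q:
            opts.append(cur)
            cur, i = "", i + 1
            continue
        elif c in " \t" and not in_q:
            break
        cur, i = cur + c, i + 1
    return opts + [cur]

def x11_allowed(opts):
    """Model assumption: options apply left to right, names case-insensitive."""
    allowed = True
    for name in (o.split("=", 1)[0].lower() for o in opts):
        if name in ("no-x11-forwarding", "restrict"):
            allowed = False
        elif name == "x11-forwarding":
            allowed = True
    return allowed

def forced_command_keys_allowing_x11(text):
    """Return (line_no, command) for command= keys that still permit X11."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            opts = split_options(line)
            cmd = [o.split("=", 1)[1] for o in opts if o.lower().startswith("command=")]
            if cmd and x11_allowed(opts):
                hits.append((n, cmd[-1]))
    return hits
```

Run it over the text of each user's authorized_keys file; every returned line is a key whose forced command is the only restriction while X11 forwarding remains requestable.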