[Bug 803] Security Bug: X11 Forwarding is more powerful than it needs to be.

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Feb 28 14:24:55 EST 2004


http://bugzilla.mindrot.org/show_bug.cgi?id=803

           Summary: Security Bug: X11 Forwarding is more powerful than it
                    needs to be.
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: ssh
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: holger at van-lengerich.de


Hi,

I just played a little bit with xauth and I thought I should drop a note in here:

Brief SSH X11 forwarding history:

1995 Tatu Ylönen releases ssh v1.0.0 including the X11 Forwarding feature

1996 Security extensions were defined for X11
     http://www.xfree86.org/~herrb/security.pdf

1997 Ulrich Flegel determines that X11 forwarding 
     ftp://ftp.dfn-cert.de/pub/docs/crypt/ssh-x11.ps.gz
     in response Alan Cox suggested that X11 Security Extensions may be used
     to limit the access of remote applications to the local X11 server

2004 X11 Forwarding is as dangerous as it was 1995:
     - keylogging (even though "secure keyboard" is used in
       xterm|ssh-agent|xscreensaver)
     - I was able to attach a X0vncserver process on a forwarded X-display
       and got complete remote control.
     - screenshots of the root window are possible through 'xwd' or ImageMagick's
       'import'

Time for a change isn't it? :)

I am able to implement Alan Cox's suggestion with 3 lines in a shell:
--- 8< ---
# transfer 'trusted' cookie to new file:
xauth extract - "$DISPLAY" | xauth -f "$HOME/.sshXauthority" merge -
# replace 'trusted' cookie with 'untrusted' cookie (same file as above)
xauth -f "$HOME/.sshXauthority" generate "$DISPLAY" . untrusted
# tell applications where to get the untrusted cookie
export XAUTHORITY="$HOME/.sshXauthority"
--- >8 ---

An attacker on the remote host is no longer able to
log keystrokes, take screenshots or do remote control stuff.

So please consider:

-  mentioning the possibility of crippling access rights to the Xserver with 
   xauth in the manpage of ssh / ssh_config

or better:

-  modify the SSH client to generate an untrusted cookie on its own and
   use it for forwarded X11 requests. Of course there should be a
   possibility for choosing between 'trusted' or 'untrusted' X11 forwarding.
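A check to go with the xauth recipe in the report, added here as an example and not part of the original bug or of OpenSSH: the recipe first copies the trusted cookie into a second file and then overwrites that entry with a freshly generated untrusted one, so if the `generate ... untrusted` step fails (for instance because the X server does not offer the SECURITY extension) the second file still holds the trusted cookie and nothing has been gained. The script parses both Xauthority files and flags that case; the host name "box", display :10 and the cookie values are constructed sample data.

```python
import struct
from typing import List, Optional, Tuple

Entry = Tuple[int, bytes, str, str, bytes]  # family, address, number, name, data

def encode_entry(family: int, address: bytes, number: str, name: str, data: bytes) -> bytes:
    """Serialise one Xauthority entry (used here only to build sample files)."""
    out = struct.pack(">H", family)
    for field in (address, number.encode(), name.encode(), data):
        out += struct.pack(">H", len(field)) + field
    return out

def parse_xauthority(blob: bytes) -> List[Entry]:
    """Parse Xauthority bytes: per entry a u16 family, then four big-endian
    u16-length-prefixed byte strings (host address, display number,
    auth protocol name, auth data)."""
    entries, pos = [], 0
    while pos < len(blob):
        (family,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        fields = []
        for _ in range(4):
            (length,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            fields.append(blob[pos:pos + length])
            pos += length
        address, number, name, data = fields
        entries.append((family, address, number.decode(), name.decode(), data))
    return entries

def cookie_for(entries: List[Entry], display_number: str) -> Optional[bytes]:
    """Return the MIT-MAGIC-COOKIE-1 value stored for a display number, if any."""
    for _family, _address, number, name, data in entries:
        if number == display_number and name == "MIT-MAGIC-COOKIE-1":
            return data
    return None

def still_trusted(trusted_blob: bytes, ssh_blob: bytes, display_number: str) -> bool:
    """True when the ssh-only file still carries the trusted cookie for the
    display, i.e. the 'generate ... untrusted' step did not replace it."""
    trusted = cookie_for(parse_xauthority(trusted_blob), display_number)
    forwarded = cookie_for(parse_xauthority(ssh_blob), display_number)
    return trusted is not None and trusted == forwarded

# Constructed sample data: display :10 on host "box" (family 256 = FamilyLocal).
TRUSTED_COOKIE = bytes(range(16))
NEW_COOKIE = bytes(range(16, 32))
XAUTHORITY = encode_entry(256, b"box", "10", "MIT-MAGIC-COOKIE-1", TRUSTED_COOKIE)
SSH_XAUTHORITY_OK = encode_entry(256, b"box", "10", "MIT-MAGIC-COOKIE-1", NEW_COOKIE)
SSH_XAUTHORITY_BAD = XAUTHORITY  # generate step failed: trusted cookie still there

if __name__ == "__main__":
    for label, blob in (("ok", SSH_XAUTHORITY_OK), ("bad", SSH_XAUTHORITY_BAD)):
        print(label, "STILL TRUSTED" if still_trusted(XAUTHORITY, blob, "10") else "untrusted")
```

On a real host, read `~/.Xauthority` and `$HOME/.sshXauthority` and pass the display number from `$DISPLAY` (the part after the colon, before any screen suffix).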


