Vigil@nce: OpenSSH, X11 man in the middle

July 2008 by Vigil@nce

SYNTHESIS

A local attacker can capture X11 data on some systems such as
HP-UX.

Gravity: 1/4

Consequences: data reading

Provenance: user account

Means of attack: no proof of concept, no attack

Ability of attacker: expert (4/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: medium (2/3)

Creation date: 22/07/2008

Identifier: VIGILANCE-VUL-7960

IMPACTED PRODUCTS

 OpenSSH [confidential versions]

DESCRIPTION

The OpenSSH daemon can forward an X11 session. To do so, a
TCP service listens on an available port (such as 6010) and
transmits X11 data to the client via the SSH tunnel.

The X11UseLocalhost option of sshd specifies that port 6010
listens only on IP address 127.0.0.1 (the default). When this
option is set to "no", port 6010 listens on all IP addresses
of the server.

A local attacker can first create a malicious service listening on
port 6010, bound only to the IP address of the server (for
example 192.168.1.1). When OpenSSH then tries to open port
6010 with SO_REUSEADDR, most systems (BSD, Linux, OS X, Solaris)
refuse to open the port. However, HP-UX allows the attacker to
listen on 192.168.1.1:6010 while OpenSSH listens on *:6010.
The attacker can therefore capture X11 data.

A local attacker can thus capture sensitive data on HP-UX when
X11UseLocalhost is set to "no".
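
The configuration precondition described above can be checked on the server side. The following is an added example, not part of the original advisory or of OpenSSH: it parses sshd_config text and reports every scope (global section or Match block) where X11 forwarding is enabled and X11UseLocalhost is "no". The sample configuration and the function names are constructed for illustration.

```python
import re

DEFAULTS = {"x11forwarding": "no", "x11uselocalhost": "yes"}  # OpenSSH defaults

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONFIG = """\
# sshd_config (sample)
X11Forwarding yes
x11uselocalhost no
X11UseLocalhost yes

Match User alice
    X11UseLocalhost yes
Match Address 10.0.0.0/8
    X11Forwarding no
Match Group devs
    AllowTcpForwarding no
"""

# keyword, then whitespace or a single '=', then the argument
LINE = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.*)")


def parse_sshd_config(text):
    """Return [(scope, {keyword: value})]; scope 0 is the global section."""
    scopes = [("global", {})]
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(1).startswith("#"):
            continue  # blank line, comment, or keyword without argument
        keyword, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if keyword == "match":
            scopes.append(("Match " + value, {}))
        else:
            # sshd uses the first value obtained for each keyword.
            scopes[-1][1].setdefault(keyword, value)
    return scopes


def audit_x11(text):
    """List scopes where X11 forwarding is on and the listener is not loopback-only."""
    scopes = parse_sshd_config(text)
    global_opts = scopes[0][1]
    findings = []
    for name, opts in scopes:
        # A Match block overrides the global section; unset keywords inherit.
        eff = {k: opts.get(k, global_opts.get(k, d)).lower() for k, d in DEFAULTS.items()}
        if eff["x11forwarding"] == "yes" and eff["x11uselocalhost"] == "no":
            findings.append(name)
    return findings
```

Include directives are not followed by this sketch; on a live host, `sshd -T` prints the effective settings.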

CHARACTERISTICS

Identifiers: VIGILANCE-VUL-7960

https://vigilance.aql.fr/tree/1/7960

