bugzilla-daemon at bugzilla.mindrot.org
2008-May-16 02:42 UTC
[Bug 1464] New: "possible hijacking of X11-forwarded connections" bug has not been fixed completely
https://bugzilla.mindrot.org/show_bug.cgi?id=1464

Summary: "possible hijacking of X11-forwarded connections" bug has not been fixed completely
Classification: Unclassified
Product: Portable OpenSSH
Version: 5.0p1
Platform: Other
OS/Version: HP-UX
Status: NEW
Severity: security
Priority: P5
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy: sway2004009 at hotmail.com

Hi OpenSSH team,

I am still able to reproduce this problem with the openssh50 code on hpux. Seems like OpenSSH didn't fix this problem completely.

How to reproduce:

1. root at sshpa4# uname -a
   HP-UX sshpa4 B.11.23 U 9000/800 3267743753 unlimited-user license

2. sshd_config:
   X11Forwarding yes
   X11DisplayOffset 10
   X11UseLocalhost no    // must not use "yes" to bind to localhost

3. /opt/ssh/sbin/sshd

4. Log in to sshpa4 from another terminal as the normal user "sway" and start "nc":
   sway at sshpa4# /opt/netcat/bin/nc -l -p 6010 -v -v -s sshpa4.chn.hp.com
   listening on [16.157.129.223] 6010 ...

5. Log on to sshpa4 as another user, "leanne", with X11 forwarding:
   leanne at sshpa4# echo $DISPLAY
   16.157.129.223:10.0
   leanne at sshpa4# netstat -an|grep 6010
   tcp 0 0 16.157.129.223.6010 *.* LISTEN
   tcp 0 0 *.6010 *.* LISTEN
   tcp 0 0 *.6010 *.* LISTEN
   tcp 0 0 *.6010 *.* LISTEN

6. Any X program user sway2 starts will end up being hijacked by user "sway":
   leanne at sshpa4# xclock

7. Hijacked by user "sway":
   sway at sshpa4# /opt/netcat/bin/nc -l -p 6010 -v -v -s sshpa4.chn.hp.com
   listening on [16.157.129.223] 6010 ...
   connect to [16.157.129.223] from sshpa4.chn.hp.com [16.157.129.223] 54765
   B MIT-MAGIC-COOKIE-1?bs?????G???!??

I found that this problem could only happen when "X11UseLocalhost no" is set in the sshd_config. I checked the code and found that there might be something wrong with the "channel_set_reuseaddr(sock);" function, which is called in the function x11_create_display_inet in file channels.c. Can someone check this out for me? Thanks.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2008-May-20 00:23 UTC
[Bug 1464] "possible hijacking of X11-forwarded connections" bug has not been fixed completely
https://bugzilla.mindrot.org/show_bug.cgi?id=1464

Damien Miller <djm at mindrot.org> changed:

What        |Removed                  |Added
----------------------------------------------------------------------------
Status      |NEW                      |ASSIGNED
AssignedTo  |bitbucket at mindrot.org |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> 2008-05-20 10:22:56 ---
Created an attachment (id=1504)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1504)
Don't set SO_REUSEADDR for X11UseLocalhost=no

So this turns out to be a sysv stupidity. BSD-derived systems perform a permission check when attempting a bind() with SO_REUSEADDR set: if a previous bind() to that port has been made, then additional bind()s to the same port must come from the same user, or root. sysv-ish systems (including Linux) lack this mechanism.

Since we can't rely on sane semantics, this patch turns off SO_REUSEADDR when setting up the X11 listeners for non-loopback binds. The downside of this is a greater likelihood of port exhaustion in the range (6010-7009) that SSH is prepared to bind on, since ports in TIME_WAIT will no longer be candidates for listeners.

Please test.
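The rule the comment describes, mirrored in a small added C example (this is not OpenSSH's code or the attached patch; the function names are hypothetical): SO_REUSEADDR is set only for the loopback listener, and a probe then checks that a second SO_REUSEADDR bind of the same port on a specific address is refused for the wildcard (X11UseLocalhost=no) listener. A kernel-chosen port stands in for sshd's 6010-7009 range; whether such a probe succeeds against a SO_REUSEADDR wildcard listener is exactly the platform-dependent behaviour the comment complains about, so only the hardened path is asserted.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
/* TCP socket bound to addr:port (host order), SO_REUSEADDR if reuse; -1 if the bind is refused. */
static int bound_socket(in_addr_t addr, int port, int reuse)
{
    struct sockaddr_in sin = { 0 };
    int one = 1, sock = socket(AF_INET, SOCK_STREAM, 0);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(addr);
    sin.sin_port = htons(port);
    if (sock >= 0 &&
        (!reuse || setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) == 0) &&
        bind(sock, (struct sockaddr *)&sin, sizeof sin) == 0)
        return sock;
    if (sock >= 0) close(sock);
    return -1;
}

/* X11 forwarding listener as the bug 1464 patch sets it up: SO_REUSEADDR only for the
 * loopback bind (X11UseLocalhost=yes). A wildcard listener with SO_REUSEADDR can be
 * shadowed by a later specific-address bind, since the specific socket is matched first.
 * Port 0 (kernel chosen, returned via *port_out) stands in for sshd's 6010-7009 range. */
int x11_create_listener(int x11_use_localhost, int *port_out)
{
    struct sockaddr_in sin; socklen_t len = sizeof sin;
    int sock = bound_socket(x11_use_localhost ? INADDR_LOOPBACK : INADDR_ANY,
                            0, x11_use_localhost);
    if (sock >= 0 && listen(sock, 5) == 0 &&
        getsockname(sock, (struct sockaddr *)&sin, &len) == 0) {
        *port_out = ntohs(sin.sin_port);
        return sock;
    }
    if (sock >= 0) close(sock);
    return -1;
}

/* Mitigation check for the X11UseLocalhost=no path: a second SO_REUSEADDR bind of the
 * listener's port on a specific address must be refused. 1 = cannot be shadowed, 0 = can. */
int hardened_listener_rejects_squat(void)
{
    int port = 0, fd = x11_create_listener(0, &port);
    int probe = fd < 0 ? -1 : bound_socket(INADDR_LOOPBACK, port, 1);
    int ok = fd >= 0 && probe < 0;
    if (probe >= 0) close(probe);
    if (fd >= 0) close(fd);
    return ok;
}
```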
bugzilla-daemon at bugzilla.mindrot.org
2008-May-20 02:46 UTC
[Bug 1464] "possible hijacking of X11-forwarded connections" bug has not been fixed completely
https://bugzilla.mindrot.org/show_bug.cgi?id=1464

Damien Miller <djm at mindrot.org> changed:

What        |Removed                  |Added
----------------------------------------------------------------------------
Platform    |Other                    |All
OS/Version  |HP-UX                    |All
Blocks      |                         |1452

--- Comment #2 from Damien Miller <djm at mindrot.org> 2008-05-20 12:46:53 ---
Put this on the 5.1 list
bugzilla-daemon at bugzilla.mindrot.org
2008-Jun-11 21:58 UTC
[Bug 1464] "possible hijacking of X11-forwarded connections" bug has not been fixed completely
https://bugzilla.mindrot.org/show_bug.cgi?id=1464

Darren Tucker <dtucker at zip.com.au> changed:

What        |Removed                  |Added
----------------------------------------------------------------------------
Status      |ASSIGNED                 |RESOLVED
Resolution  |                         |FIXED
Priority    |P5                       |P1
CC          |                         |dtucker at zip.com.au

--- Comment #3 from Darren Tucker <dtucker at zip.com.au> 2008-06-12 07:58:40 ---
The patch has been applied and will be in tomorrow's snapshot (http://www.mindrot.org/openssh_snap/). Could you please confirm? Thanks.
bugzilla-daemon at bugzilla.mindrot.org
2008-Jul-22 02:22 UTC
[Bug 1464] "possible hijacking of X11-forwarded connections" bug has not been fixed completely
https://bugzilla.mindrot.org/show_bug.cgi?id=1464

Damien Miller <djm at mindrot.org> changed:

What        |Removed                  |Added
----------------------------------------------------------------------------
Status      |RESOLVED                 |CLOSED

--- Comment #4 from Damien Miller <djm at mindrot.org> 2008-07-22 12:22:25 ---
Mass update RESOLVED->CLOSED after release of openssh-5.1