施威
2008-May-15 09:03 UTC
"possible hijacking of X11-forwarded connections" bug has not been fixed completely
leanneHi OpenSSH team, I am still able to reproduce this problem with openssh50 code both on hpux. Seems like OpenSSH didn't fix this problem completely. how to reproduce: 1. root at sshpa4# uname -aHP-UX sshpa4 B.11.23 U 9000/800 3267743753 unlimited-user license 2. sshd_config X11Forwarding yesX11DisplayOffset 10X11UseLocalhost no // must not use "yes" to bind to localhost 3. /opt/ssh/sbin/sshd 4. log to sshpa4 from another terminal with normal user "sway" and start "nc" sway at sshpa4# /opt/netcat/bin/nc -l -p 6010 -v -v -s sshpa4.chn.hp.comlistening on [16.157.129.223] 6010 ... 5. logon to sshpa4 with another "leanne" with X11 forwarding leanne at sshpa4# echo $DISPLAY16.157.129.223:10.0 leanne at sshpa4# netstat -an|grep 6010tcp 0 0 16.157.129.223.6010 *.* LISTENtcp 0 0 *.6010 *.* LISTENtcp 0 0 *.6010 *.* LISTENtcp 0 0 *.6010 *.* LISTEN 6. user sway2 starts any X program will end with being hijacked by user "sway" leanne at sshpa4# xclock 7. hijacked by user "sway" sway at sshpa4# /opt/netcat/bin/nc -l -p 6010 -v -v -s sshpa4.chn.hp.comlistening on [16.157.129.223] 6010 ...connect to [16.157.129.223] from sshpa4.chn.hp.com [16.157.129.223] 54765B MIT-MAGIC-COOKIE-1?bs?????G???!?? I found that this problem could only happen when the "X11UseLocalhost no" is set in the sshd_config. I checked the code, found that there might be something wrong with the "channel_set_reuseaddr(sock);" function which is called in the function x11_create_display_inet in file channels.c Can someone check this out for me , thanks. _________________________________________________________________ ???MSN??????????????????? http://mobile.msn.com.cn/
Darren Tucker
2008-May-15 12:08 UTC
"possible hijacking of X11-forwarded connections" bug has not been fixed completely
On Thu, May 15, 2008 at 05:03:06PM +0800, ?????? wrote:> > Hi OpenSSH team, > > I am still able to reproduce this problem with openssh50 code both on hpux. > Seems like OpenSSH didn't fix this problem completely. > > how to reproduce:[...]> I found that this problem could only happen when the "X11UseLocalhost > no" is set in the sshd_config. > > I checked the code, found that there might be something wrong with the > "channel_set_reuseaddr(sock);" function which is called in the function > x11_create_display_inet in file channels.cIt looks like the semantics of SO_REUSEADDR are different between platforms. From what I can gather, SysV based systems don't prevent processes with different uids from binding to the same port, whereas BSD and Linux based systems do. I'm also curious about why the loopback interface behaves differently. If you comment out the call, what difference does it make? It will probably also prevent use of ports that are still in TIME_WAIT, so it may reduce the number of ports available to sshd. Index: channels.c ==================================================================RCS file: /usr/local/src/security/openssh/cvs/openssh/channels.c,v retrieving revision 1.257 diff -u -p -r1.257 channels.c --- channels.c 2 Apr 2008 21:43:57 -0000 1.257 +++ channels.c 15 May 2008 11:36:34 -0000 @@ -2901,7 +2901,7 @@ x11_create_display_inet(int x11_display_ error("setsockopt IPV6_V6ONLY: %.100s", strerror(errno)); } #endif - channel_set_reuseaddr(sock); + /* channel_set_reuseaddr(sock); */ if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { debug2("bind port %d: %.100s", port, strerror(errno)); close(sock); -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Reasonably Related Threads
- [Bug 1464] New: "possible hijacking of X11-forwarded connections" bug has not been fixed completely
- "ServerAliveInterval" and "ServerAliveCountMax" doesnt work in openssh50?
- [Help] When one application internally invokes another applic ation?
- About bug 640857
- [Bug 52] ssh hangs on exit