bugzilla-daemon at mindrot.org
2014-Apr-07 11:10 UTC
[Bug 2222] New: GatewayPorts=no should not rewrite localhost addresses in port-forward requests
https://bugzilla.mindrot.org/show_bug.cgi?id=2222

            Bug ID: 2222
           Summary: GatewayPorts=no should not rewrite localhost addresses in port-forward requests
           Product: Portable OpenSSH
           Version: 6.5p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: minor
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: hanwenn at gmail.com

If GatewayPorts = no, then forwarding a port listener for a given port (ssh -R option) will disregard the address field in the request, and expand the address number with getaddrinfo().

getaddrinfo() will expand the localhost address as IPv6 and IPv4 in some order, and sshd returns success if listening on either address succeeded, without mentioning the address being used.

If other services are listening on only IPv4 (but not IPv6), this may lead to a situation where a request for forwarding 127.0.0.1:PORTNUMBER succeeds, but the forwarded port is only on [::1]:PORTNUMBER.

This is confusing (we spent a couple of days debugging the fallout of this). Moreover, if the sshd is running on a multi-user system, a malicious user may use this to intercept or modify the traffic over the forwarded port.

Suggested fix: do not discard the incoming address in channel_setup_fwd_listener() if it is either 127.0.0.1 or ::1

--
You are receiving this mail because:
You are watching the assignee of the bug.
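The failure mode reported above, as an added example that is not part of the original report and is not sshd's code: a small Python emulation of "try every loopback address, report success if any bind works", plus the check that the resulting listener is on the address that was requested. The function names and the constructed scenario (an unrelated IPv4-only service already holding the port) are assumptions made for illustration.

```python
import socket

# Loopback address per family, in the order a resolver might return them.
LOOPBACKS = [(socket.AF_INET6, "::1"), (socket.AF_INET, "127.0.0.1")]

def listen_any_loopback(port):
    """Emulate 'success if any loopback bind works'; return the listening sockets."""
    socks = []
    for family, addr in LOOPBACKS:
        try:
            s = socket.socket(family, socket.SOCK_STREAM)
        except OSError:
            continue  # address family not supported on this host
        try:
            if family == socket.AF_INET6:
                # Keep the IPv6 socket from also claiming the IPv4 side.
                s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
            s.bind((addr, port))
            s.listen(1)
            socks.append(s)
        except OSError:
            s.close()  # e.g. EADDRINUSE: another service owns this address
    return socks

def bound_addresses(socks):
    """Addresses the listeners actually ended up on."""
    return sorted(s.getsockname()[0] for s in socks)

def forward_matches_request(requested_addr, socks):
    """True only if a listener exists on the address the client asked for."""
    return requested_addr in bound_addresses(socks)

if __name__ == "__main__":
    # Constructed scenario: an unrelated IPv4-only service already holds the port.
    other = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    other.bind(("127.0.0.1", 0))
    other.listen(1)
    port = other.getsockname()[1]
    socks = listen_any_loopback(port)
    print("request 127.0.0.1:%d -> success=%s, listening on %s"
          % (port, bool(socks), bound_addresses(socks)))
    print("matches request:", forward_matches_request("127.0.0.1", socks))
```

On a host with IPv6 loopback enabled, the request is reported as successful while the only listener is on ::1, which is the mismatch the report describes.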
bugzilla-daemon at mindrot.org
2014-Apr-07 11:51 UTC
[Bug 2222] GatewayPorts=no should not rewrite localhost addresses in port-forward requests
https://bugzilla.mindrot.org/show_bug.cgi?id=2222

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Created attachment 2419
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2419&action=edit
Allow explicit IPv4/IPv6 localhost address regardless of GatewayPorts

Something like this diff should do what you want, but I need to think through if there are any consequences.
bugzilla-daemon at mindrot.org
2014-Jul-03 03:40 UTC
[Bug 2222] GatewayPorts=no should not rewrite localhost addresses in port-forward requests
https://bugzilla.mindrot.org/show_bug.cgi?id=2222

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2226
             Status|NEW                         |ASSIGNED
bugzilla-daemon at mindrot.org
2014-Jul-03 22:34 UTC
[Bug 2222] GatewayPorts=no should not rewrite localhost addresses in port-forward requests
https://bugzilla.mindrot.org/show_bug.cgi?id=2222

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Patch applied - this will be in openssh-6.7. Thanks!
bugzilla-daemon at mindrot.org
2014-Oct-07 21:00 UTC
[Bug 2222] GatewayPorts=no should not rewrite localhost addresses in port-forward requests
https://bugzilla.mindrot.org/show_bug.cgi?id=2222

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Close all bugs left open from 6.6 and 6.7 releases.