TUCoPS :: Unix :: General :: openss-2.htm



OpenSSH - hostile servers can access your X11 display or your ssh-agent
Vulnerability
 OpenSSH
Affected
 All versions of OpenSSH prior to 2.3.0 are affected.
Description
 Markus Friedl found the following. If agent or X11 forwarding is
 disabled in the ssh client configuration, the client does not
 request these features during session setup. This is the correct
 behaviour.
 However, when the ssh client receives an actual request asking
 for access to the ssh-agent, the client fails to check whether
 this feature has been negotiated during session setup. The
 client does not check whether the request is in compliance with
 the client configuration and grants access to the ssh-agent. A
 similar problem exists in the X11 forwarding implementation.
 Hostile servers can access your X11 display or your ssh-agent.
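
A model of the flaw and its fix, added here as an example and not taken from OpenSSH: handlers for server messages are registered either unconditionally or only when the matching client option is on. The message numbers, handler names and dispatch() are constructed for this model; only the option names forward_agent and forward_x11 follow the patch below.

```c
#include <stdio.h>

/* Constructed message numbers for this model; not the SSH protocol values. */
enum { MSG_STDOUT_DATA, MSG_AGENT_OPEN, MSG_X11_OPEN, MSG_MAX };
enum result { HANDLED, REFUSED };

/* The two option names follow the patch; everything else is hypothetical. */
struct client_opts { int forward_agent, forward_x11; };

typedef void (*handler_fn)(void);
static handler_fn table[MSG_MAX];
static int agent_grants, x11_grants;   /* times access was handed out */

static void on_stdout(void)     { }
static void on_agent_open(void) { agent_grants++; }
static void on_x11_open(void)   { x11_grants++; }

/* Pre-fix behaviour: forwarding handlers registered whatever the config says. */
void init_dispatch_unchecked(const struct client_opts *o) {
    (void)o;
    table[MSG_STDOUT_DATA] = on_stdout;
    table[MSG_AGENT_OPEN]  = on_agent_open;
    table[MSG_X11_OPEN]    = on_x11_open;
}

/* Fixed behaviour: a forwarding handler exists only if the option is enabled. */
void init_dispatch_checked(const struct client_opts *o) {
    table[MSG_STDOUT_DATA] = on_stdout;
    table[MSG_AGENT_OPEN]  = o->forward_agent ? on_agent_open : NULL;
    table[MSG_X11_OPEN]    = o->forward_x11   ? on_x11_open   : NULL;
}

/* Server message arrives: out-of-range or unregistered types are refused. */
enum result dispatch(int type) {
    if (type < 0 || type >= MSG_MAX || table[type] == NULL)
        return REFUSED;
    table[type]();
    return HANDLED;
}

int main(void) {
    struct client_opts off = { 0, 0 };   /* both forwardings disabled */
    init_dispatch_unchecked(&off);
    printf("unchecked: agent open %s\n", dispatch(MSG_AGENT_OPEN) == HANDLED ? "granted" : "refused");
    init_dispatch_checked(&off);
    printf("checked:   agent open %s\n", dispatch(MSG_AGENT_OPEN) == HANDLED ? "granted" : "refused");
    return 0;
}
```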
Solution
 Clear both the $DISPLAY and the $SSH_AUTH_SOCK variables before
 connecting to untrusted hosts:
 % unset SSH_AUTH_SOCK; unset DISPLAY; ssh host
 Upgrade to OpenSSH-2.3.0 or apply the attached patch.
 OpenSSH-2.3.0 is available from www.openssh.com.
 Patch against openssh-2.2.0:
 --- /openssh-2.2.0/clientloop.c	Sun Aug 20 00:21:19 2000
 +++ ssh/clientloop.c	Fri Nov 10 13:54:42 2000
 @@ -32,6 +32,8 @@
 #include "buffer.h"
 #include "bufaux.h"
 +extern Options options;
 +
 /* Flag indicating that stdin should be redirected from /dev/null. */
 extern int stdin_null_flag;
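Review bot: the file-scope `extern Options options;` added after the includes is a hand-written declaration in a .c file, so the compiler never checks it against the real definition; if the type of `options` changes elsewhere, this file goes out of sync silently. Suggest declaring it once in the header that defines `Options` and relying on that include here, which would also make the function-local extern removed later in this patch unnecessary everywhere.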
 @@ -750,7 +752,6 @@
 int
 client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
 {
 -	extern Options options;
 	 double start_time, total_time;
 	 int len;
 	 char buf[100];
 @@ -993,7 +994,7 @@
 	 debug("client_input_channel_open: ctype %s rchan %d win %d max %d",
 	 ctype, rchan, rwindow, rmaxpack);
 -	if (strcmp(ctype, "x11") == 0) {
 +	if (strcmp(ctype, "x11") == 0 && options.forward_x11) {
 		 int sock;
 		 char *originator;
 		 int originator_port;
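Review bot: the added `&& options.forward_x11` on the `strcmp(ctype, "x11")` test checks the client configuration, not whether X11 forwarding was actually requested and accepted for this session, which is the missing check the advisory describes. A per-session flag set when the forwarding request succeeds, and tested here, would cover the case where the option is on but no forwarding was set up. Also, with the option off an "x11" open now falls through to whatever follows this `if`, which the visible context does not show; please confirm that path sends an explicit open failure and logs the refused request.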
 @@ -1066,11 +1067,14 @@
 	 dispatch_set(SSH_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation);
 	 dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
 	 dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open);
 -	dispatch_set(SSH_SMSG_AGENT_OPEN, &auth_input_open_request);
 	 dispatch_set(SSH_SMSG_EXITSTATUS, &client_input_exit_status);
 	 dispatch_set(SSH_SMSG_STDERR_DATA, &client_input_stderr_data);
 	 dispatch_set(SSH_SMSG_STDOUT_DATA, &client_input_stdout_data);
 -	dispatch_set(SSH_SMSG_X11_OPEN, &x11_input_open);
 +
 +	dispatch_set(SSH_SMSG_AGENT_OPEN, options.forward_agent ?
 +	 &auth_input_open_request : NULL);
 +	dispatch_set(SSH_SMSG_X11_OPEN, options.forward_x11 ?
 +	 &x11_input_open : NULL);
 }
 void
 client_init_dispatch_15()
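Review bot: registering `NULL` for `SSH_SMSG_AGENT_OPEN` and `SSH_SMSG_X11_OPEN` relies on the dispatcher treating a NULL handler as a refused or fatal message, and that behaviour is not visible in this hunk. Please confirm the dispatch code never calls through a NULL entry and that it logs the message type, so an unsolicited forwarding request from a server is visible to the user. As in the x11 channel-open hunk, the test is on `options.forward_agent` and `options.forward_x11` rather than on what was negotiated for the session. The trailing context shows `client_init_dispatch_15()` untouched; confirm it does not register either handler unconditionally on its own.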
 For Linux-Mandrake:
 Linux-Mandrake 7.0: 7.0/RPMS/openssh-2.3.0p1-7.3mdk.i586.rpm
 7.0/RPMS/openssh-askpass-2.3.0p1-7.3mdk.i586.rpm
 7.0/RPMS/openssh-askpass-gnome-2.3.0p1-7.3mdk.i586.rpm
 7.0/RPMS/openssh-clients-2.3.0p1-7.3mdk.i586.rpm
 7.0/RPMS/openssh-server-2.3.0p1-7.3mdk.i586.rpm
 7.0/SRPMS/openssh-2.3.0p1-7.3mdk.src.rpm
 Linux-Mandrake 7.1: 7.1/RPMS/openssh-2.3.0p1-7.3mdk.i586.rpm
 7.1/RPMS/openssh-askpass-2.3.0p1-7.3mdk.i586.rpm
 7.1/RPMS/openssh-askpass-gnome-2.3.0p1-7.3mdk.i586.rpm
 7.1/RPMS/openssh-clients-2.3.0p1-7.3mdk.i586.rpm
 7.1/RPMS/openssh-server-2.3.0p1-7.3mdk.i586.rpm
 7.1/SRPMS/openssh-2.3.0p1-7.3mdk.src.rpm
 Linux-Mandrake 7.2: 7.2/RPMS/openssh-2.3.0p1-7.1mdk.i586.rpm
 7.2/RPMS/openssh-askpass-2.3.0p1-7.1mdk.i586.rpm
 7.2/RPMS/openssh-askpass-gnome-2.3.0p1-7.1mdk.i586.rpm
 7.2/RPMS/openssh-clients-2.3.0p1-7.1mdk.i586.rpm
 7.2/RPMS/openssh-server-2.3.0p1-7.1mdk.i586.rpm
 7.2/SRPMS/openssh-2.3.0p1-7.1mdk.src.rpm
 For Trustix:
 openssh-2.3.0p1-1tr.i586.rpm
 openssh-clients-2.3.0p1-1tr.i586.rpm
 openssh-server-2.3.0p1-1tr.i586.rpm
 http://www.trustix.net/download/Trustix/updates/1.1/RPMS/
 ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/
 For SuSE Linux:
 ftp://ftp.suse.de/pub/suse/i386/update/7.0/sec1/openssh-2.3.0p1-0.i386.rpm
 ftp://ftp.suse.de/pub/suse/i386/update/7.0/zq1/openssh-2.3.0p1-0.src.rpm
 ftp://ftp.suse.de/pub/suse/i386/update/6.4/sec1/openssh-2.3.0p1-0.i386.rpm
 ftp://ftp.suse.de/pub/suse/i386/update/6.4/zq1/openssh-2.3.0p1-0.src.rpm
 ftp://ftp.suse.de/pub/suse/i386/update/6.3/sec1/openssh-2.3.0p1-0.i386.rpm
 ftp://ftp.suse.de/pub/suse/i386/update/6.3/zq1/openssh-2.3.0p1-0.src.rpm
 ftp://ftp.suse.de/pub/suse/sparc/update/7.0/sec1/openssh-2.3.0p1-0.sparc.rpm
 ftp://ftp.suse.de/pub/suse/sparc/update/7.0/zq1/openssh-2.3.0p1-0.src.rpm
 ftp://ftp.suse.de/pub/suse/axp/update/7.0/sec1/openssh-2.3.0p1-0.alpha.rpm
 ftp://ftp.suse.de/pub/suse/axp/update/7.0/zq1/openssh-2.3.0p1-0.src.rpm
 ftp://ftp.suse.de/pub/suse/axp/update/6.4/sec1/openssh-2.3.0p1-0.alpha.rpm
 ftp://ftp.suse.de/pub/suse/axp/update/6.4/zq1/openssh-2.3.0p1-0.src.rpm
 ftp://ftp.suse.de/pub/suse/ppc/update/7.0/sec1/openssh-2.3.0p1-0.ppc.rpm
 ftp://ftp.suse.de/pub/suse/ppc/update/7.0/zq1/openssh-2.3.0p1-0.src.rpm
 ftp://ftp.suse.de/pub/suse/ppc/update/6.4/sec1/openssh-2.3.0p1-0.ppc.rpm
 ftp://ftp.suse.de/pub/suse/ppc/update/6.4/zq1/openssh-2.3.0p1-0.src.rpm
 For Conectiva Linux:
 ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/openssh-2.3.0p1-1cl.src.rpm
 ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-2.3.0p1-1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-askpass-2.3.0p1-1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-askpass-gnome-2.3.0p1-1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-clients-2.3.0p1-1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-server-2.3.0p1-1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/openssh-2.3.0p1-1cl.src.rpm
 ftp://atualizacoes.conectiva.com.br/5.0/i386/openssh-2.3.0p1-1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/5.0/i386/openssh-server-2.3.0p1-1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/5.0/i386/openssh-clients-2.3.0p1-1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/5.0/i386/openssh-askpass-2.3.0p1-1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/5.0/i386/openssh-askpass-gnome-2.3.0p1-1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/openssh-2.3.0p1-1cl.src.rpm
 ftp://atualizacoes.conectiva.com.br/5.1/i386/openssh-2.3.0p1-1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/5.1/i386/openssh-server-2.3.0p1-1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/5.1/i386/openssh-clients-2.3.0p1-1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/5.1/i386/openssh-askpass-2.3.0p1-1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/5.1/i386/openssh-askpass-gnome-2.3.0p1-1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/openssh-2.3.0p1-1cl.src.rpm
 ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/openssh-2.3.0p1-1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/openssh-server-2.3.0p1-1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/openssh-clients-2.3.0p1-1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/openssh-askpass-2.3.0p1-1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/openssh-askpass-gnome-2.3.0p1-1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/openssh-2.3.0p1-1cl.src.rpm
 ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/openssh-2.3.0p1-1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/openssh-server-2.3.0p1-1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/openssh-clients-2.3.0p1-1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/openssh-askpass-2.3.0p1-1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/openssh-askpass-gnome-2.3.0p1-1cl.i386.rpm
 For RedHat:
 ftp://updates.redhat.com/7.0/i386/openssh-2.3.0p1-4.i386.rpm
 ftp://updates.redhat.com/7.0/i386/openssh-clients-2.3.0p1-4.i386.rpm
 ftp://updates.redhat.com/7.0/i386/openssh-server-2.3.0p1-4.i386.rpm
 ftp://updates.redhat.com/7.0/i386/openssh-askpass-2.3.0p1-4.i386.rpm
 ftp://updates.redhat.com/7.0/i386/openssh-askpass-gnome-2.3.0p1-4.i386.rpm
 ftp://updates.redhat.com/7.0/SRPMS/openssh-2.3.0p1-4.src.rpm
 For FreeBSD:
 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/security/openssh-2.2.0.tgz
 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/openssh-2.2.0.tgz
 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/security/openssh-2.2.0.tgz
 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/openssh-2.2.0.tgz
 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/security/openssh-2.2.0.tgz
