


OpenSSH - hostile servers can access your X11 display or your ssh-agent



Vulnerability

    OpenSSH

Affected

    All versions of OpenSSH prior to 2.3.0 are affected.

Description

    Markus Friedl found the following. If agent or X11 forwarding is
    disabled in the ssh client configuration, the client does not
    request these features during session setup. This is the correct
    behaviour.

    However, when  the ssh  client receives  an actual  request asking
    for access  to the  ssh-agent, the  client fails  to check whether
    this  feature  has  been  negotiated  during  session  setup.  The
    client does not  check whether the  request is in  compliance with
    the client configuration  and grants access  to the ssh-agent.   A
    similar problem exists in the X11 forwarding implementation.

    Hostile servers can access your X11 display or your ssh-agent.

Solution

    Clear both  the $DISPLAY  and the  $SSH_AUTH_SOCK variable  before
    connecting to untrusted hosts:

        % unset SSH_AUTH_SOCK; unset DISPLAY; ssh host

    Upgrade   to   OpenSSH-2.3.0   or   apply   the   attached  patch.
    OpenSSH-2.3.0 is available from www.openssh.com.

    Patch against openssh-2.2.0:

    --- /openssh-2.2.0/clientloop.c	Sun Aug 20 00:21:19 2000
    +++ ssh/clientloop.c	Fri Nov 10 13:54:42 2000
    @@ -32,6 +32,8 @@
     #include "buffer.h"
     #include "bufaux.h"

    +extern Options options;
    +
     /* Flag indicating that stdin should be redirected from /dev/null. */
     extern int stdin_null_flag;

    @@ -750,7 +752,6 @@
     int
     client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
     {
    -	extern Options options;
 	    double start_time, total_time;
 	    int len;
 	    char buf[100];
    @@ -993,7 +994,7 @@
 	    debug("client_input_channel_open: ctype %s rchan %d win %d max %d",
 	        ctype, rchan, rwindow, rmaxpack);

    -	if (strcmp(ctype, "x11") == 0) {
    +	if (strcmp(ctype, "x11") == 0 && options.forward_x11) {
 		    int sock;
 		    char *originator;
 		    int originator_port;
    @@ -1066,11 +1067,14 @@
 	    dispatch_set(SSH_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation);
 	    dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
 	    dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open);
    -	dispatch_set(SSH_SMSG_AGENT_OPEN, &auth_input_open_request);
 	    dispatch_set(SSH_SMSG_EXITSTATUS, &client_input_exit_status);
 	    dispatch_set(SSH_SMSG_STDERR_DATA, &client_input_stderr_data);
 	    dispatch_set(SSH_SMSG_STDOUT_DATA, &client_input_stdout_data);
    -	dispatch_set(SSH_SMSG_X11_OPEN, &x11_input_open);
    +
    +	dispatch_set(SSH_SMSG_AGENT_OPEN, options.forward_agent ?
    +	    &auth_input_open_request : NULL);
    +	dispatch_set(SSH_SMSG_X11_OPEN, options.forward_x11 ?
    +	    &x11_input_open : NULL);
     }
     void
     client_init_dispatch_15()
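Review bot: The two new `dispatch_set(..., options.forward_agent ? &auth_input_open_request : NULL)` and `options.forward_x11 ? &x11_input_open : NULL` lines depend on the dispatcher treating a NULL handler as an unexpected message; if the dispatch loop calls the registered pointer unconditionally, the first hostile agent-open request would crash the client instead of being refused, so this behaviour should be confirmed in dispatch.c, which is not visible here. A one-line comment would make the intent clear to the next reader: `/* Refuse agent/X11 opens the client never requested; NULL leaves the message unhandled. */`. The enclosing function starts outside the hunk, and from the trailing `client_init_dispatch_15` context it appears to be the SSH1 dispatch table only; the SSH2 channel-open path is handled by the preceding hunk.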

    For Linux-Mandrake:

        Linux-Mandrake 7.0: 7.0/RPMS/openssh-2.3.0p1-7.3mdk.i586.rpm
                            7.0/RPMS/openssh-askpass-2.3.0p1-7.3mdk.i586.rpm
                            7.0/RPMS/openssh-askpass-gnome-2.3.0p1-7.3mdk.i586.rpm
                            7.0/RPMS/openssh-clients-2.3.0p1-7.3mdk.i586.rpm
                            7.0/RPMS/openssh-server-2.3.0p1-7.3mdk.i586.rpm
                            7.0/SRPMS/openssh-2.3.0p1-7.3mdk.src.rpm
        Linux-Mandrake 7.1: 7.1/RPMS/openssh-2.3.0p1-7.3mdk.i586.rpm
                            7.1/RPMS/openssh-askpass-2.3.0p1-7.3mdk.i586.rpm
                            7.1/RPMS/openssh-askpass-gnome-2.3.0p1-7.3mdk.i586.rpm
                            7.1/RPMS/openssh-clients-2.3.0p1-7.3mdk.i586.rpm
                            7.1/RPMS/openssh-server-2.3.0p1-7.3mdk.i586.rpm
                            7.1/SRPMS/openssh-2.3.0p1-7.3mdk.src.rpm
        Linux-Mandrake 7.2: 7.2/RPMS/openssh-2.3.0p1-7.1mdk.i586.rpm
                            7.2/RPMS/openssh-askpass-2.3.0p1-7.1mdk.i586.rpm
                            7.2/RPMS/openssh-askpass-gnome-2.3.0p1-7.1mdk.i586.rpm
                            7.2/RPMS/openssh-clients-2.3.0p1-7.1mdk.i586.rpm
                            7.2/RPMS/openssh-server-2.3.0p1-7.1mdk.i586.rpm
                            7.2/SRPMS/openssh-2.3.0p1-7.1mdk.src.rpm

    For Trustix:

        openssh-2.3.0p1-1tr.i586.rpm
        openssh-clients-2.3.0p1-1tr.i586.rpm
        openssh-server-2.3.0p1-1tr.i586.rpm
        http://www.trustix.net/download/Trustix/updates/1.1/RPMS/
        ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/

    For SuSE Linux:

        ftp://ftp.suse.de/pub/suse/i386/update/7.0/sec1/openssh-2.3.0p1-0.i386.rpm
        ftp://ftp.suse.de/pub/suse/i386/update/7.0/zq1/openssh-2.3.0p1-0.src.rpm
        ftp://ftp.suse.de/pub/suse/i386/update/6.4/sec1/openssh-2.3.0p1-0.i386.rpm
        ftp://ftp.suse.de/pub/suse/i386/update/6.4/zq1/openssh-2.3.0p1-0.src.rpm
        ftp://ftp.suse.de/pub/suse/i386/update/6.3/sec1/openssh-2.3.0p1-0.i386.rpm
        ftp://ftp.suse.de/pub/suse/i386/update/6.3/zq1/openssh-2.3.0p1-0.src.rpm
        ftp://ftp.suse.de/pub/suse/sparc/update/7.0/sec1/openssh-2.3.0p1-0.sparc.rpm
        ftp://ftp.suse.de/pub/suse/sparc/update/7.0/zq1/openssh-2.3.0p1-0.src.rpm
        ftp://ftp.suse.de/pub/suse/axp/update/7.0/sec1/openssh-2.3.0p1-0.alpha.rpm
        ftp://ftp.suse.de/pub/suse/axp/update/7.0/zq1/openssh-2.3.0p1-0.src.rpm
        ftp://ftp.suse.de/pub/suse/axp/update/6.4/sec1/openssh-2.3.0p1-0.alpha.rpm
        ftp://ftp.suse.de/pub/suse/axp/update/6.4/zq1/openssh-2.3.0p1-0.src.rpm
        ftp://ftp.suse.de/pub/suse/ppc/update/7.0/sec1/openssh-2.3.0p1-0.ppc.rpm
        ftp://ftp.suse.de/pub/suse/ppc/update/7.0/zq1/openssh-2.3.0p1-0.src.rpm
        ftp://ftp.suse.de/pub/suse/ppc/update/6.4/sec1/openssh-2.3.0p1-0.ppc.rpm
        ftp://ftp.suse.de/pub/suse/ppc/update/6.4/zq1/openssh-2.3.0p1-0.src.rpm

    For Conectiva Linux:

        ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/openssh-2.3.0p1-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-2.3.0p1-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-askpass-2.3.0p1-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-askpass-gnome-2.3.0p1-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-clients-2.3.0p1-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssh-server-2.3.0p1-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/openssh-2.3.0p1-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/openssh-2.3.0p1-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/openssh-server-2.3.0p1-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/openssh-clients-2.3.0p1-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/openssh-askpass-2.3.0p1-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/openssh-askpass-gnome-2.3.0p1-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/openssh-2.3.0p1-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/openssh-2.3.0p1-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/openssh-server-2.3.0p1-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/openssh-clients-2.3.0p1-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/openssh-askpass-2.3.0p1-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/openssh-askpass-gnome-2.3.0p1-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/openssh-2.3.0p1-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/openssh-2.3.0p1-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/openssh-server-2.3.0p1-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/openssh-clients-2.3.0p1-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/openssh-askpass-2.3.0p1-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/openssh-askpass-gnome-2.3.0p1-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/openssh-2.3.0p1-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/openssh-2.3.0p1-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/openssh-server-2.3.0p1-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/openssh-clients-2.3.0p1-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/openssh-askpass-2.3.0p1-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/openssh-askpass-gnome-2.3.0p1-1cl.i386.rpm

    For RedHat:

        ftp://updates.redhat.com/7.0/i386/openssh-2.3.0p1-4.i386.rpm
        ftp://updates.redhat.com/7.0/i386/openssh-clients-2.3.0p1-4.i386.rpm
        ftp://updates.redhat.com/7.0/i386/openssh-server-2.3.0p1-4.i386.rpm
        ftp://updates.redhat.com/7.0/i386/openssh-askpass-2.3.0p1-4.i386.rpm
        ftp://updates.redhat.com/7.0/i386/openssh-askpass-gnome-2.3.0p1-4.i386.rpm
        ftp://updates.redhat.com/7.0/SRPMS/openssh-2.3.0p1-4.src.rpm

    For FreeBSD:

        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/security/openssh-2.2.0.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/openssh-2.2.0.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/security/openssh-2.2.0.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/openssh-2.2.0.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/security/openssh-2.2.0.tgz

