[513] in Best-of-Security


BoS: Re: Xauthority hijacking

daemon@ATHENA.MIT.EDU (Steven Bellovin)
Thu Dec 25 14:03:04 1997

XDelivering-To: best-of-security@cyber.com.au
Delivering-To: best-of-security@cyber.com.au
Cc: fruitbat@ccnet.com (Chris Moll), ssh@clinet.fi
Date: Tue, 04 Nov 1997 20:12:22 -0500
From: Steven Bellovin <smb@research.att.com>
Old-X-Originally-To: To: cs@zip.com.au
Old-X-Originated-From: From: Steven Bellovin <smb@research.att.com>
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au


	 fruitbat@ccnet.com (Chris Moll) writes:
	 |  This may be obvious to others but it only just dawned on me:
	 |  If I ssh to a non-trusted machine with Xforwarding on, root on that
	 |  machine [...]
	 |  connect back to my machine and capture keystrokes. [...]
	 |  (What I'm really concerned about is machines where root is compromised,
	 |  not logging into machines whose legitimate owner is out to get me...)
	 
	 If root is compromised you have worse problems than X being spoofed.
	 The sshd software can be a trojan and capture everything you do,
	 spoofing X or tty input, capturing passwords and phrases (which you may
	 have thought concealed by the encryption layer) etc etc. Root doesn't
	 need to read your .Xauthority - it can, with a trojaned sshd, insert things
	 directly into the X stream and your client ssh will do the spoofing for him.
	 He can forge tty output for you and trick you into revealing things. Etc.
	 
	 The .Xauthority file isn't much in the way of security. With root compromised
	 it's a tiny ripple on the immense tsunami of possible attacks.

Root being compromised on a machine to which you've logged in compromises all
of your activity on that machine.  The problem with the .Xauthority attack -- or,
as you note, any other way of sabotaging X forwarding to that machine -- is that
X can be used to penetrate the originating machine, too.
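The practical defence against the point made above is to not forward X to machines you do not trust, and to be able to verify that before logging in. The shell script below is an added example and is not part of the original thread; it reads an OpenSSH-style ssh_config (the keyword names ForwardX11 and ForwardX11Trusted are OpenSSH's, which postdates the 1997 ssh being discussed) and reports what X forwarding a connection to a given host would set up. The two configurations and all host names are constructed samples; "Match" blocks, "Key=value" syntax and "!" negated patterns are not handled.

```shell
#!/bin/sh
# Added example, not from the original thread: check what X forwarding an
# OpenSSH-style ssh_config would enable for a given host, so untrusted hosts
# can be audited for "ForwardX11 yes" before logging in. Keyword names are
# OpenSSH's; "Match" blocks, "Key=value" syntax and "!" negated patterns are
# not handled. Both configurations below are constructed samples.

set -f   # Host patterns are shell globs: keep them from matching filenames

# Constructed weak configuration: X forwarding is on for every host.
WEAK_CONFIG='
Host trusted-box
    ForwardX11 no

Host *.lab.example
    ForwardX11 yes
    ForwardX11Trusted yes

Host *
    ForwardX11 yes
'

# Constructed hardened configuration: off by default, enabled per host only,
# and then as an untrusted client (X SECURITY extension restrictions apply).
HARDENED_CONFIG='
Host desktop.home.example
    ForwardX11 yes
    ForwardX11Trusted no

Host *
    ForwardX11 no
    ForwardX11Trusted no
'

# effective_value CONFIG HOSTNAME KEYWORD
# Prints the value ssh would use for KEYWORD when connecting to HOSTNAME,
# following two ssh_config rules: the first obtained value for a keyword wins,
# and lines inside a "Host" block apply only if one of its patterns matches
# HOSTNAME. Prints "unset" when no line applies.
effective_value() {
    cfg=$1; host=$2
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    applies=yes      # lines before the first Host block apply to every host
    found=unset
    while read -r key val; do
        case "$key" in
            ''|'#'*) continue ;;                # blank line or comment
        esac
        lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
        if [ "$lkey" = host ]; then
            applies=no
            for pat in $val; do                 # a Host line may list several patterns
                case "$host" in
                    $pat) applies=yes ;;
                esac
            done
            continue
        fi
        if [ "$applies" = yes ] && [ "$found" = unset ] && [ "$lkey" = "$want" ]; then
            found=$val
        fi
    done <<EOF
$cfg
EOF
    printf '%s\n' "$found"
}

# x11_exposure CONFIG HOSTNAME
# Classifies the X forwarding a login to HOSTNAME would set up:
#   none      - ForwardX11 is off or unset (ssh's default is off)
#   untrusted - forwarded, but ForwardX11Trusted is no, so the X server treats
#               the remote clients as untrusted
#   trusted   - forwarded with ForwardX11Trusted yes: remote clients get the
#               same access to the display as local ones (the thread's concern)
#   default   - forwarded with ForwardX11Trusted unset; the trust level then
#               depends on the build default, which differs between OpenSSH packages
x11_exposure() {
    fwd=$(effective_value "$1" "$2" ForwardX11)
    trusted=$(effective_value "$1" "$2" ForwardX11Trusted)
    case "$fwd" in
        [Yy][Ee][Ss]) ;;
        *) printf 'none\n'; return 0 ;;
    esac
    case "$trusted" in
        [Yy][Ee][Ss]) printf 'trusted\n' ;;
        [Nn][Oo])     printf 'untrusted\n' ;;
        *)            printf 'default\n' ;;
    esac
}

# Usage: report both configurations for a few constructed host names.
for h in trusted-box box.lab.example random.example.net desktop.home.example; do
    printf '%-22s weak=%-9s hardened=%s\n' "$h" \
        "$(x11_exposure "$WEAK_CONFIG" "$h")" "$(x11_exposure "$HARDENED_CONFIG" "$h")"
done
```

To audit a real client, pass the contents of ~/.ssh/config (and /etc/ssh/ssh_config, appended after it, since ssh reads the user file first) as the CONFIG argument; a host that comes back "trusted" or "default" is one whose root could, as the thread describes, reach back into your display through the forwarded connection.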


