[12161] in bugtraq


ssh 1.2.26 x11-fwd dos (Re: MicroImages MIX X Server)

daemon@ATHENA.MIT.EDU (Dan Frasnelli)
Fri Oct 8 15:48:03 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.10.9910061043510.27372-100000@arsenic.theshell.com>
Date:         Wed, 6 Oct 1999 11:23:31 -0700
Reply-To: Dan Frasnelli <dfrasnel@ALPHALINUX.ORG>
From: Dan Frasnelli <dfrasnel@ALPHALINUX.ORG>
X-To:         Jim Frost <jimf@ATG.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <37FA421A.6E9A22AE@atg.com>

> > Basically telnetting into port 6000 of the server and typing in random
> > gibberish brings it down.
This method of conducting a simple DoS against unprotected X servers is
already well-known.  Most X servers for Windows default to accepting all
connections to port 6000, making more than the MI/X software vulnerable.
Also, I do not think most PC X servers have cookie support - session
hijacking and snooping may be possible.

On the subject of denial of service attacks, ssh 1.2.26 has a nice one
associated with X11 forwarding.  Data Fellows, Ltd. were informed of this
and a second vulnerability (session confidentiality can be compromised by
a second user on the client machine) last month but did not respond.

Here is a quick overview:
- If $DISPLAY is set on the client machine and the remote server allows
  X11 forwarding (default), sshd will bind to an available port above
  6000 for each subsequent ssh session.
- On Linux, the first port allocated is 6001 (:1.0); on Solaris 2.6, the
  first is 6010 (:10.0).  The second ssh session w/ X11 forwarding will
  bind 6002 under Linux, 6011 under Solaris, etc.  lsof is probably the
  best tool to use if you have access to both the server and client.
- A simple connect() via telnet or a portscanner to the forwarded X server
  from any remote host will kill the ssh session and any forwarded
  clients.
- Versions 1.2.27 and 2.x drop the connection and report the attempt.
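An added audit example, not part of the original post: given `lsof -i -n -P` output from the server, it reports listening sockets in the X11 port range that are bound to all interfaces, which is the condition described above for a forwarded display that any remote host can reach. The lsof lines are constructed sample data, and the 64-display upper bound is an assumption.

```python
import re
from typing import List, Tuple

# Constructed sample of `lsof -i -n -P` output (not a real capture). The first
# two sshd lines mirror the post: forwarded displays bound on all interfaces
# at 6001 (:1.0) and 6002 (:2.0). The third is a loopback-only bind for contrast.
SAMPLE_LSOF = """\
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    1234 root    7u  IPv4  12345      0t0  TCP *:6001 (LISTEN)
sshd    1240 root    7u  IPv4  12350      0t0  TCP *:6002 (LISTEN)
sshd    1250 root    7u  IPv4  12360      0t0  TCP 127.0.0.1:6010 (LISTEN)
Xvnc    2000 alice   3u  IPv4  13000      0t0  TCP *:5901 (LISTEN)
"""

X11_BASE_PORT = 6000
X11_MAX_DISPLAYS = 64  # assumption: audit displays :0 through :63
WILDCARD_ADDRS = ("*", "0.0.0.0", "[::]")

# Matches a LISTEN line: command, pid, bind address (IPv4, IPv6 in brackets,
# or "*" for all interfaces) and port.
LISTEN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+.*?TCP\s+"
    r"(?P<addr>\[[^\]]+\]|[^:\s]+):(?P<port>\d+)\s+\(LISTEN\)"
)


def port_to_display(port: int) -> str:
    """Map a TCP port to its X display name (6001 -> ':1.0', 6010 -> ':10.0')."""
    return f":{port - X11_BASE_PORT}.0"


def exposed_x11_listeners(lsof_output: str) -> List[Tuple[str, int, str]]:
    """Return (command, port, display) for X-range listeners reachable remotely."""
    found = []
    for line in lsof_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        port = int(m.group("port"))
        if not X11_BASE_PORT <= port < X11_BASE_PORT + X11_MAX_DISPLAYS:
            continue
        if m.group("addr") not in WILDCARD_ADDRS:
            continue  # loopback-only bind: not reachable from other hosts
        found.append((m.group("cmd"), port, port_to_display(port)))
    return found


if __name__ == "__main__":
    for cmd, port, display in exposed_x11_listeners(SAMPLE_LSOF):
        print(f"{cmd} listens on *:{port} (display {display}) for any remote host")
```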

I have fully documented this and the second vulnerability mentioned above,
but will give Data Fellows some more time to respond - the commercial
product is vulnerable to the second attack.  If we do not hear back from
them in a few days, the exploit documentation will be sent to this list.

Regards,
Dan
