Bug 1464

Summary:

"possible hijacking of X11-forwarded connections" bug has not been fixed completely

Product:

Portable OpenSSH

Reporter:

sway <sway2004009>

Component:

sshd

Assignee:

Damien Miller <djm>

Status:

CLOSED FIXED

Severity:

security

CC:

dtucker

Priority:

Version:

5.0p1

Hardware:

All

OS:

All

Bug Depends on:

Bug Blocks:

1452

Attachments:

Description	Flags
Don't set SO_REUSEADDR for X11UseLocalhost=no	none

Description sway 2008-05-16 12:41:57 AEST

Hi OpenSSH team,
 
I am still able to reproduce this problem with openssh50 code both on hpux.
Seems like OpenSSH didn't fix this problem completely.
 
how to reproduce:
 
1. root at sshpa4# uname -aHP-UX sshpa4 B.11.23 U 9000/800 3267743753 unlimited-user license
2. sshd_config
X11Forwarding yesX11DisplayOffset 10X11UseLocalhost no                // must not use "yes" to bind to localhost
3. /opt/ssh/sbin/sshd
 
4. log to sshpa4 from another terminal with normal user "sway" and start "nc"
sway at sshpa4# /opt/netcat/bin/nc -l -p 6010 -v -v -s sshpa4.chn.hp.comlistening on [16.157.129.223] 6010 ...
5. logon to sshpa4 with another "leanne" with X11 forwarding
leanne at sshpa4# echo $DISPLAY16.157.129.223:10.0
leanne at sshpa4# netstat -an|grep 6010tcp        0      0  16.157.129.223.6010    *.*                     LISTENtcp        0      0  *.6010                 *.*                     LISTENtcp        0      0  *.6010                 *.*                     LISTENtcp        0      0  *.6010                 *.*                     LISTEN
6. user sway2 starts any X program will end with being hijacked by user "sway"
leanne at sshpa4# xclock
7. hijacked by user "sway"
 
sway at sshpa4# /opt/netcat/bin/nc -l -p 6010 -v -v -s sshpa4.chn.hp.comlistening on [16.157.129.223] 6010 ...connect to [16.157.129.223] from sshpa4.chn.hp.com [16.157.129.223] 54765B MIT-MAGIC-COOKIE-1Öbs«¨¼ÓŠG‘‘›!ƒÂ
 
 
I found that this problem could only happen when the "X11UseLocalhost no" is set in the sshd_config.
 
I checked the code, found that there might be something wrong with the "channel_set_reuseaddr(sock);" function which is called in the function x11_create_display_inet in file channels.c
 
Can someone check this out for me , thanks.

Comment 1 Damien Miller 2008-05-20 10:22:56 AEST

Created attachment 1504 [details]
Don't set SO_REUSEADDR for X11UseLocalhost=no

So this turns out to be a sysv stupidity. BSD derived systems perform a permission check when attempting a bind() with SO_REUSEADDR set: if a previous bind() to that port has been made, then additional bind()s to the same port must come from the same user, or root. sysv-ish systems (including Linux) lack this mechanism.

Since we can't rely on sane semantics, this patch turns off SO_REUSEADDR when setting up the X11 listeners for non-loopback binds. The downside of this is a greater likelihood of port exhaustion in the range (6010-7009) that SSH is prepared to bind on, since ports in TIME_WAIT will no longer be candidates for listeners.

Please test.

Comment 2 Damien Miller 2008-05-20 12:46:53 AEST

Put this on the 5.1 list

Comment 3 Darren Tucker 2008-06-12 07:58:40 AEST

The patch has been applied and will be in tomorrow's snapshot (http://www.mindrot.org/openssh_snap/).

Could you please confirm?  Thanks.

Comment 4 Damien Miller 2008-07-22 12:22:25 AEST

Mass update RESOLVED->CLOSED after release of openssh-5.1