Bug 1464 - "possible hijacking of X11-forwarded connections" bug has not been fixed completely
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd (show other bugs)
Version: 5.0p1
Hardware: All All
Importance: P1 security
Assignee: Damien Miller
URL:
Keywords:
Depends on:
Blocks: V_5_1
Reported: 2008-05-16 12:41 AEST by sway
Modified: 2008-07-22 12:22 AEST (History)

See Also:


Attachments
Don't set SO_REUSEADDR for X11UseLocalhost=no (1.72 KB, patch)
2008-05-20 10:22 AEST, Damien Miller

Description sway 2008-05-16 12:41:57 AEST
Hi OpenSSH team,
 
I am still able to reproduce this problem with the openssh50 code on hpux.
It seems that OpenSSH didn't fix this problem completely.
 
How to reproduce:

1. root at sshpa4# uname -a
   HP-UX sshpa4 B.11.23 U 9000/800 3267743753 unlimited-user license
2. sshd_config
   X11Forwarding yes
   X11DisplayOffset 10
   X11UseLocalhost no                // must not use "yes" to bind to localhost
3. /opt/ssh/sbin/sshd

4. log in to sshpa4 from another terminal as normal user "sway" and start "nc"
   sway at sshpa4# /opt/netcat/bin/nc -l -p 6010 -v -v -s sshpa4.chn.hp.com
   listening on [16.157.129.223] 6010 ...
5. log on to sshpa4 as another user, "leanne", with X11 forwarding
   leanne at sshpa4# echo $DISPLAY
   16.157.129.223:10.0
   leanne at sshpa4# netstat -an|grep 6010
   tcp        0      0  16.157.129.223.6010    *.*                     LISTEN
   tcp        0      0  *.6010                 *.*                     LISTEN
   tcp        0      0  *.6010                 *.*                     LISTEN
   tcp        0      0  *.6010                 *.*                     LISTEN
6. Any X program that user sway2 starts will end up being hijacked by user "sway"
   leanne at sshpa4# xclock
7. hijacked by user "sway"

sway at sshpa4# /opt/netcat/bin/nc -l -p 6010 -v -v -s sshpa4.chn.hp.com
listening on [16.157.129.223] 6010 ...
connect to [16.157.129.223] from sshpa4.chn.hp.com [16.157.129.223] 54765
B MIT-MAGIC-COOKIE-1Öbs«¨¼ÓŠG‘‘›!ƒÂ

I found that this problem could only happen when the "X11UseLocalhost no" is set in the sshd_config.
 
I checked the code and found that there might be something wrong with the "channel_set_reuseaddr(sock);" call, which is made in the function x11_create_display_inet in file channels.c.

Can someone check this out for me? Thanks.
Comment 1 Damien Miller 2008-05-20 10:22:56 AEST
Created attachment 1504 [details]
Don't set SO_REUSEADDR for X11UseLocalhost=no

So this turns out to be a sysv stupidity. BSD derived systems perform a permission check when attempting a bind() with SO_REUSEADDR set: if a previous bind() to that port has been made, then additional bind()s to the same port must come from the same user, or root. sysv-ish systems (including Linux) lack this mechanism.

Since we can't rely on sane semantics, this patch turns off SO_REUSEADDR when setting up the X11 listeners for non-loopback binds. The downside of this is a greater likelihood of port exhaustion in the range (6010-7009) that SSH is prepared to bind on, since ports in TIME_WAIT will no longer be candidates for listeners.

Please test.
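Added example (not part of this bug thread, the attachment or OpenSSH itself) to make the bind() behaviour in Comment 1 concrete. It repeats the bind step from the report on loopback: socket 1 takes a specific address on a free port and listens, as "nc -l -s" did; socket 2 then tries the wildcard address on the same port, as sshd's X11 listener does for X11UseLocalhost=no. The names bound_socket and probe_wildcard_bind are mine; x11_create_display_inet and channel_set_reuseaddr are only referred to by name. Whether the second bind is accepted with SO_REUSEADDR set depends on the platform's rules (the uid check Comment 1 describes, or on Linux the state of the existing socket); without SO_REUSEADDR, which is what the patch does for non-loopback listeners, every platform refuses it with EADDRINUSE, so sshd can never end up sharing a display port with another process.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a TCP socket and bind it to host-order addr:port (port 0 lets the
 * kernel pick a free port). Returns the fd, or -1 with errno set. */
static int bound_socket(in_addr_t addr, unsigned short port, int reuseaddr)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (reuseaddr &&
        setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &reuseaddr, sizeof(reuseaddr)) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(addr);
    sin.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Probe (hypothetical helper, not OpenSSH code): socket 1 listens on a
 * specific address (127.0.0.1) on a free port, like the pre-existing "nc -l -s"
 * listener; socket 2 then attempts the wildcard bind sshd performs for
 * X11UseLocalhost=no, with or without SO_REUSEADDR.
 * Returns 0 if the wildcard bind was accepted (the port is now shared),
 * the errno of the refused bind (EADDRINUSE expected) otherwise,
 * or -1 if the probe itself could not be set up. */
int probe_wildcard_bind(int second_uses_reuseaddr)
{
    int first = bound_socket(INADDR_LOOPBACK, 0, 1);
    if (first < 0)
        return -1;
    struct sockaddr_in got;
    socklen_t len = sizeof(got);
    if (listen(first, 1) < 0 ||
        getsockname(first, (struct sockaddr *)&got, &len) < 0) {
        close(first);
        return -1;
    }
    int second = bound_socket(INADDR_ANY, ntohs(got.sin_port),
                              second_uses_reuseaddr);
    int result = (second < 0) ? errno : 0;
    if (second >= 0)
        close(second);
    close(first);
    return result;
}

static const char *describe(int r)
{
    if (r == -1)
        return "probe could not be set up";
    return r == 0 ? "accepted: wildcard listener shares the port" : strerror(r);
}

int main(void)
{
    printf("wildcard bind WITH SO_REUSEADDR (pre-patch sshd):    %s\n",
           describe(probe_wildcard_bind(1)));
    printf("wildcard bind WITHOUT SO_REUSEADDR (patched sshd):   %s\n",
           describe(probe_wildcard_bind(0)));
    return 0;
}
```

Run it on the host in question: the second line should always read "Address already in use"; the first line tells you whether that kernel lets a wildcard SO_REUSEADDR bind coexist with an existing listener, which is the property the patch stops relying on. It also illustrates the cost Comment 1 mentions: without SO_REUSEADDR, a port still in TIME_WAIT is refused in exactly the same way, so sshd has to move on to the next display number.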
Comment 2 Damien Miller 2008-05-20 12:46:53 AEST
Put this on the 5.1 list
Comment 3 Darren Tucker 2008-06-12 07:58:40 AEST
The patch has been applied and will be in tomorrow's snapshot (http://www.mindrot.org/openssh_snap/).

Could you please confirm?  Thanks.
Comment 4 Damien Miller 2008-07-22 12:22:25 AEST
Mass update RESOLVED->CLOSED after release of openssh-5.1