Multiple SSH Client X11 Forwarding Information Disclosure

2000-11-13T14:13:18
ID OSVDB:2114
Type osvdb
Reporter Jacob Langseth(jwl@pobox.com)
Modified 2000-11-13T14:13:18

Description

Vulnerability Description

OpenSSH's ssh client contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker attempts to gain acess to the X11 display of the client, which will be incorrectly permitted. This will disclose user desktop and keystroke information, resulting in a loss of confidentiality.

Technical Description

The problem occurs in the OpenSSH Client. The client does not sufficiently check for the X11 forwarding options after an SSH session has been negotiated. This allows the server end of the SSH session to gain access to this resource on the client side. This could result in a malicious server gaining access to the X11 display and remotely watching the desktop and keystokes.

Solution Description

Upgrade to version 2.3.0 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by applying the vendor-supplied patch, or by unsetting the $DISPLAY and $SSH_AUTH_SOCK environment variables.

Short Description

OpenSSH's ssh client contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker attempts to gain acess to the X11 display of the client, which will be incorrectly permitted. This will disclose user desktop and keystroke information, resulting in a loss of confidentiality.

Manual Testing Notes

Telnet Target IP Port 22. If returned header shows openssh version older than 2.3.0 system may be vulnerable.

References:

Vendor Specific Solution URL: http://www.openbsd.com/errata27.html#sshforwarding Vendor Specific Advisory URL Vendor Specific Advisory URL Vendor Specific Advisory URL Vendor Specific Advisory URL Vendor Specific Advisory URL Vendor Specific Advisory URL Vendor Specific Advisory URL Related OSVDB ID: 6248 Nessus Plugin ID:11343 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2000-11/0195.html ISS X-Force ID: 5517 CVE-2000-1169 CERT VU: 363181 Bugtraq ID: 1949