Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

ssh-xauth.txt

🗓️ 25 Feb 2000 00:00:00Reported by Brian CaswellType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 33 Views

SSH configuration allows X11 session control, risks of malicious xauth replacement, disable X forwarding.

Code
`  
The default SSH configuration for SSH1 and SSH2 allow for remote  
controlling of X sessions through X forwarding.  
  
All children of the SSH connection are able to tunnel X11 sessions  
through the X tunnel to the client X11 session. This is accomplished  
by running xauth upon logging in.  
  
If xauth is replaced on the server by a malicious program that does=20  
both of the following:  
- runs xauth, adding in the "correct" information allowing the  
children of the session to tunnel X11 programs through the SSH  
session  
- runs xauth, adding in the "malicious" information, allowing a  
malicious source to tunnel X11 programs through the SSH session.  
  
With the added data in .Xauthority, a malicious source can fully control=20  
the client X session. The malicious source can then do most anything to  
the X session, from logging keystrokes of the X session, to taking  
screen captures, to typing in commands to open terminals. =20  
  
The only thing that is required for the client system to be compromised=20  
is for the client to remotely log via ssh (with X11 forwarding enabled)=20  
into a compromised server.  
  
Allowing X forwarding seems to be turned on by default in SSH1, SSH2,=20  
and OpenSSH.  
  
To fix this "issue" add the following lines to the SSH client  
configuration. ($HOME/.ssh/config or ssh_config)  
  
  
Host *  
ForwardX11 no  
  
  
Discussions of security flaws within X11 have been going on for years. =20  
The "issue" in SSH X11 forwarding is not new. SSH has added to the=20  
security of X11, but by no means does the use of SSH secure X11.  
  
--=20  
Brian Caswell <[email protected]> =20  
If I could load the world into vi, the first command I would use is:  
%s/Windows NT//gi  
  
--UlVJffcvxoiEqYs2  
Content-Type: application/pgp-signature  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.0.0 (GNU/Linux)  
Comment: For info see http://www.gnupg.org  
  
iD8DBQE4tbFHac/1Eph0QDwRAoL5AJ9p/DedW7QzcYJiuSuBSjdqVo9zPQCgid6n  
gnUCAorTStQc4OTT+7gg72A=  
=3kz7  
-----END PGP SIGNATURE-----  
  
--UlVJffcvxoiEqYs2--  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 Feb 2000 00:00Current
7.4High risk
Vulners AI Score7.4
ssh configuration x11 forwarding xauth replacement malicious program session control security flaw client compromise openssh security
33