OpenSSH Client Unauthorized Remote Forwarding Vulnerability

Bugtraq ID:	1949
Class:	Design Error
CVE:
Remote:	Yes
Local:	No
Published:	Nov 13 2000 12:00AM
Updated:	Nov 13 2000 12:00AM
Credit:	This vulnerability was first annouced on BugTraq by Markus Friedl <[email protected]> on November 13, 2000.
Vulnerable:	OpenBSD OpenSSH 2.2 .x + Debian Linux 2.2 sparc + Debian Linux 2.2 powerpc + Debian Linux 2.2 arm + Debian Linux 2.2 alpha + Debian Linux 2.2 68k + Debian Linux 2.2 + FreeBSD FreeBSD 5.0 + FreeBSD FreeBSD 4.2 + FreeBSD FreeBSD 4.1.1 + HP HP-UX 11.11 + Mandriva Linux Mandrake 7.2 + Mandriva Linux Mandrake 7.1 + Mandriva Linux Mandrake 7.0 + NetBSD NetBSD 1.4.2 + OpenBSD OpenBSD 2.8 + OpenBSD OpenBSD 2.7 + Redhat Linux 7.0 + Sun Solaris 8_sparc + SuSE Linux 7.0 + Trustix Trustix Secure Linux 1.1 + Trustix Trustix Secure Linux 1.0
Not Vulnerable:

OpenSSH Client Unauthorized Remote Forwarding Vulnerability

OpenSSH is a free implementation of the SSH protocol. The OpenSSH software package is maintained primarily by OpenBSD Project. A vulnerability exists which can allow an attacker unauthorized access to restricted resources.

The problem occurs in the OpenSSH Client. The client does not sufficiently check for the ssh-agent and X11 forwarding options after an SSH session has been negotiated. This allows the server end of the SSH session to gain access to either of these two resources on the client side. This could result in a malicious server gaining access to the X11 display and remotely watching the desktop and keystokes. This problem can also allow a malicious server access to the local ssh-agent.

OpenSSH Client Unauthorized Remote Forwarding Vulnerability

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].

OpenSSH Client Unauthorized Remote Forwarding Vulnerability

Solution:
The short term solution is unsetting the $DISPLAY and $SSH_AUTH_SOCK environment variables.

An upgrade that fixes the problem is available:


OpenBSD OpenSSH 2.2 .x

• Debian 2.2 alpha ssh-askpass-gnome_1.2.3-9.1_alpha.deb
  http://security.debian.org/dists/stable/updates/main/binary-alpha/ssh- askpass-gnome_1.2.3-9.1_alpha.deb


• Debian 2.2 alpha ssh_1.2.3-9.1_alpha.deb
  http://security.debian.org/dists/stable/updates/main/binary-alpha/ssh_ 1.2.3-9.1_alpha.deb


• Debian 2.2 arm ssh-askpass-gnome_1.2.3-9.1_arm.deb
  http://security.debian.org/dists/stable/updates/main/binary-arm/ssh-as kpass-gnome_1.2.3-9.1_arm.deb


• Debian 2.2 arm ssh_1.2.3-9.1_arm.deb
  http://security.debian.org/dists/stable/updates/main/binary-arm/ssh_1. 2.3-9.1_arm.deb


• Debian 2.2 i386 ssh-askpass-gnome_1.2.3-9.1_i386.deb
  http://security.debian.org/dists/stable/updates/main/binary-i386/ssh-a skpass-gnome_1.2.3-9.1_i386.deb


• Debian 2.2 i386 ssh_1.2.3-9.1_i386.deb
  http://security.debian.org/dists/stable/updates/main/binary-i386/ssh_1 .2.3-9.1_i386.deb


• Debian 2.2 m68k ssh-askpass-gnome_1.2.3-9.1_m68k.deb
  http://security.debian.org/dists/stable/updates/main/binary-m68k/ssh-a skpass-gnome_1.2.3-9.1_m68k.deb


• Debian 2.2 m68k ssh_1.2.3-9.1_m68k.deb
  http://security.debian.org/dists/stable/updates/main/binary-m68k/ssh_1 .2.3-9.1_m68k.deb


• Debian 2.2 ppc ssh-askpass-gnome_1.2.3-9.1_powerpc.deb
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/ss h-askpass-gnome_1.2.3-9.1_powerpc.deb


• Debian 2.2 ppc ssh_1.2.3-9.1_powerpc.deb
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/ss h_1.2.3-9.1_powerpc.deb


• Debian 2.2 source openssh_1.2.3-9.1.diff.gz
  http://security.debian.org/dists/stable/updates/main/source/openssh_1. 2.3-9.1.diff.gz


• Debian 2.2 source openssh_1.2.3-9.1.dsc
  http://security.debian.org/dists/stable/updates/main/source/openssh_1. 2.3-9.1.dsc


• Debian 2.2 source openssh_1.2.3.orig.tar.gz
  http://security.debian.org/dists/stable/updates/main/source/openssh_1. 2.3.orig.tar.gz


• FreeBSD openssh.patch
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:01/openssh.patch


• FreeBSD ports-3 i386 openssh-2.2.0.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/securit y/openssh-2.2.0.tgz


• FreeBSD ports-4 alpha openssh-2.2.0.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/securi ty/openssh-2.2.0.tgz


• FreeBSD ports-4 i386 openssh-2.2.0.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/securit y/openssh-2.2.0.tgz


• FreeBSD ports-5 alpha openssh-2.2.0.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/secur ity/openssh-2.2.0.tgz


• FreeBSD ports-5 i386 openssh-2.2.0.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/securi ty/openssh-2.2.0.tgz


• MandrakeSoft 7.0 i386 openssh-2.3.0p1-7.3mdk.i586.rpm
  ftp://download.sourceforge.net/pub/mirrors/mandrake/7.0/RPMS/openssh-2 .3.0p1-7.3mdk.i586.rpm


• MandrakeSoft 7.0 i386 openssh-askpass-2.3.0p1-7.3mdk.i586.rpm
  ftp://download.sourceforge.net/pub/mirrors/mandrake/7.0/RPMS/openssh-a skpass-2.3.0p1-7.3mdk.i586.rpm


• MandrakeSoft 7.0 i386 openssh-askpass-gnome-2.3.0p1-7.3mdk.i586.rpm
  ftp://download.sourceforge.net/pub/mirrors/mandrake/7.0/RPMS/openssh-a skpass-gnome-2.3.0p1-7.3mdk.i586.rpm


• MandrakeSoft 7.0 i386 openssh-clients-2.3.0p1-7.3mdk.i586.rpm
  ftp://download.sourceforge.net/pub/mirrors/mandrake/7.0/RPMS/openssh-c lients-2.3.0p1-7.3mdk.i586.rpm


• MandrakeSoft 7.0 i386 openssh-server-2.3.0p1-7.3mdk.i586.rpm
  ftp://download.sourceforge.net/pub/mirrors/mandrake/7.0/RPMS/openssh-s erver-2.3.0p1-7.3mdk.i586.rpm


• MandrakeSoft 7.0 source openssh-2.3.0p1-7.3mdk.src.rpm
  ftp://download.sourceforge.net/pub/mirrors/mandrake/7.0/SRPMS/openssh- 2.3.0p1-7.3mdk.src.rpm


• MandrakeSoft 7.1 i386 openssh-2.3.0p1-7.3mdk.i586.rpm
  ftp://download.sourceforge.net/pub/mirrors/mandrake/7.1/RPMS/openssh-2 .3.0p1-7.3mdk.i586.rpm


• MandrakeSoft 7.1 i386 openssh-askpass-2.3.0p1-7.3mdk.i586.rpm
  ftp://download.sourceforge.net/pub/mirrors/mandrake/7.1/RPMS/openssh-a skpass-2.3.0p1-7.3mdk.i586.rpm


• MandrakeSoft 7.1 i386 openssh-askpass-gnome-2.3.0p1-7.3mdk.i586.rpm
  ftp://download.sourceforge.net/pub/mirrors/mandrake/7.1/RPMS/openssh-a skpass-gnome-2.3.0p1-7.3mdk.i586.rpm


• MandrakeSoft 7.1 i386 openssh-clients-2.3.0p1-7.3mdk.i586.rpm
  ftp://download.sourceforge.net/pub/mirrors/mandrake/7.1/RPMS/openssh-c lients-2.3.0p1-7.3mdk.i586.rpm


• MandrakeSoft 7.1 i386 openssh-server-2.3.0p1-7.3mdk.i586.rpm
  ftp://download.sourceforge.net/pub/mirrors/mandrake/7.1/RPMS/openssh-s erver-2.3.0p1-7.3mdk.i586.rpm


• MandrakeSoft 7.1 source openssh-2.3.0p1-7.3mdk.src.rpm
  ftp://download.sourceforge.net/pub/mirrors/mandrake/7.1/SRPMS/openssh- 2.3.0p1-7.3mdk.src.rpm


• MandrakeSoft 7.2 i386 openssh-2.3.0p1-7.1mdk.i586.rpm
  ftp://download.sourceforge.net/pub/mirrors/mandrake/7.2/RPMS/openssh-2 .3.0p1-7.1mdk.i586.rpm


• MandrakeSoft 7.2 i386 openssh-askpass-2.3.0p1-7.1mdk.i586.rpm
  ftp://download.sourceforge.net/pub/mirrors/mandrake/7.2/RPMS/openssh-a skpass-2.3.0p1-7.1mdk.i586.rpm


• MandrakeSoft 7.2 i386 openssh-askpass-gnome-2.3.0p1-7.1mdk.i586.rpm
  ftp://download.sourceforge.net/pub/mirrors/mandrake/7.2/RPMS/openssh-a skpass-gnome-2.3.0p1-7.1mdk.i586.rpm


• MandrakeSoft 7.2 i386 openssh-clients-2.3.0p1-7.1mdk.i586.rpm
  ftp://download.sourceforge.net/pub/mirrors/mandrake/7.2/RPMS/openssh-c lients-2.3.0p1-7.1mdk.i586.rpm


• MandrakeSoft 7.2 i386 openssh-server-2.3.0p1-7.1mdk.i586.rpm
  ftp://download.sourceforge.net/pub/mirrors/mandrake/7.2/RPMS/openssh-s erver-2.3.0p1-7.1mdk.i586.rpm


• MandrakeSoft 7.2 source openssh-2.3.0p1-7.1mdk.src.rpm
  ftp://download.sourceforge.net/pub/mirrors/mandrake/7.2/SRPMS/openssh- 2.3.0p1-7.1mdk.src.rpm


• OpenBSD openssh-2.3.0.tgz
  ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-2.3.0.tgz


• OpenBSD openssh-2.3.0p1.tar.gz
  ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-2.3.0p1.tar .gz


• Red Hat Inc. 7.0 alpha openssh-2.3.0p1-4.alpha.rpm
  ftp://updates.redhat.com/7.0/alpha/openssh-2.3.0p1-4.alpha.rpm


• Red Hat Inc. 7.0 alpha openssh-askpass-2.3.0p1-4.alpha.rpm
  ftp://updates.redhat.com/7.0/alpha/openssh-askpass-2.3.0p1-4.alpha.rpm


• Red Hat Inc. 7.0 alpha openssh-askpass-gnome-2.3.0p1-4.alpha.rpm
  ftp://updates.redhat.com/7.0/alpha/openssh-askpass-gnome-2.3.0p1-4.alp ha.rpm


• Red Hat Inc. 7.0 alpha openssh-clients-2.3.0p1-4.alpha.rpm
  ftp://updates.redhat.com/7.0/alpha/openssh-clients-2.3.0p1-4.alpha.rpm


• Red Hat Inc. 7.0 alpha openssh-server-2.3.0p1-4.alpha.rpm
  ftp://updates.redhat.com/7.0/alpha/openssh-server-2.3.0p1-4.alpha.rpm


• Red Hat Inc. 7.0 i386 openssh-2.3.0p1-4.i386.rpm
  ftp://updates.redhat.com/7.0/i386/openssh-2.3.0p1-4.i386.rpm


• Red Hat Inc. 7.0 i386 openssh-askpass-2.3.0p1-4.i386.rpm
  ftp://updates.redhat.com/7.0/i386/openssh-askpass-2.3.0p1-4.i386.rpm


• Red Hat Inc. 7.0 i386 openssh-askpass-gnome-2.3.0p1-4.i386.rpm
  ftp://updates.redhat.com/7.0/i386/openssh-askpass-gnome-2.3.0p1-4.i386 .rpm


• Red Hat Inc. 7.0 i386 openssh-clients-2.3.0p1-4.i386.rpm
  ftp://updates.redhat.com/7.0/i386/openssh-clients-2.3.0p1-4.i386.rpm


• Red Hat Inc. 7.0 i386 openssh-server-2.3.0p1-4.i386.rpm
  ftp://updates.redhat.com/7.0/i386/openssh-server-2.3.0p1-4.i386.rpm

OpenSSH Client Unauthorized Remote Forwarding Vulnerability

References: