From owner-freebsd-security  Mon Nov 13 15: 1:55 2000
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44])
	by hub.freebsd.org (Postfix) with ESMTP id CE85537B479
	for <freebsd-security@freebsd.org>; Mon, 13 Nov 2000 15:01:50 -0800 (PST)
Received: (from daemon@localhost)
	by point.osg.gov.bc.ca (8.8.7/8.8.8) id PAA19836
	for <freebsd-security@freebsd.org>; Mon, 13 Nov 2000 15:01:50 -0800
Received: from passer.osg.gov.bc.ca(142.32.110.29)
 via SMTP by point.osg.gov.bc.ca, id smtpda19834; Mon Nov 13 15:01:37 2000
Received: (from uucp@localhost)
	by passer.osg.gov.bc.ca (8.11.1/8.9.1) id eADN1WW17740
	for <freebsd-security@freebsd.org>; Mon, 13 Nov 2000 15:01:32 -0800 (PST)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com"
 via SMTP by passer9.cwsent.com, id smtpdU17734; Mon Nov 13 15:00:56 2000
Received: (from uucp@localhost)
	by cwsys.cwsent.com (8.11.1/8.9.1) id eADN0tf12406
	for <freebsd-security@freebsd.org>; Mon, 13 Nov 2000 15:00:55 -0800 (PST)
Message-Id: <200011132300.eADN0tf12406@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys"
 via SMTP by localhost.cwsent.com, id smtpdy12395; Mon Nov 13 15:00:48 2000
X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
X-OS: FreeBSD 4.1.1-RELEASE
X-Sender: cy
To: freebsd-security@freebsd.org
Subject: OpenSSH Security Advisory (adv.fwd) (fwd)
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 13 Nov 2000 15:00:48 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Would it be possible to apply the patch in the following advisory 
before 4.2 is released?


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC            


------- Forwarded Message

[headers removed]
Message-ID: <20001113211318.A27132@folly>
Date: Mon, 13 Nov 2000 21:13:18 +0100
Reply-To: Markus Friedl <markus.friedl@INFORMATIK.UNI-ERLANGEN.DE>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Markus Friedl <markus.friedl@INFORMATIK.UNI-ERLANGEN.DE>
Subject: OpenSSH Security Advisory (adv.fwd)
X-To: misc@openbsd.org, security-announce@openbsd.org,
              openssh-unix-dev@mindrot.org
X-cc: openssh@openssh.com
To: BUGTRAQ@SECURITYFOCUS.COM
Resent-To: cy@passer.osg.gov.bc.ca
Resent-Date: Mon, 13 Nov 2000 14:41:11 -0800
Resent-From: Cy Schubert <cschuber@osg.gov.bc.ca>

Hostile servers can force OpenSSH clients to do agent or X11 forwarding

1. Systems affected:

	All versions of OpenSSH prior to 2.3.0 are affected.

2. Description:

        If agent or X11 forwarding is disabled in the ssh client
        configuration, the client does not request these features
        during session setup.  This is the correct behaviour.

        However, when the ssh client receives an actual request
        asking for access to the ssh-agent, the client fails to
        check whether this feature has been negotiated during session
        setup.  The client does not check whether the request is in
        compliance with the client configuration and grants access
        to the ssh-agent.  A similar problem exists in the X11
        forwarding implementation.

3. Impact:

	Hostile servers can access your X11 display or your ssh-agent.

4. Short Term Solution:

	Clear both the $DISPLAY and the $SSH_AUTH_SOCK variable
	before connecting to untrusted hosts:

		% unset SSH_AUTH_SOCK; unset DISPLAY; ssh host

5. Solution:

	Upgrade to OpenSSH-2.3.0 or apply the attached patch.
	OpenSSH-2.3.0 is available from www.openssh.com.

6. Credits:

        Thanks to Jacob Langseth <jwl@pobox.com> for pointing
        out the X11 forwarding issue.

Appendix:

Patch against openssh-2.2.0

- --- /openssh-2.2.0/clientloop.c	Sun Aug 20 00:21:19 2000
+++ ssh/clientloop.c	Fri Nov 10 13:54:42 2000
@@ -32,6 +32,8 @@
 #include "buffer.h"
 #include "bufaux.h"

+extern Options options;
+
 /* Flag indicating that stdin should be redirected from /dev/null. */
 extern int stdin_null_flag;

@@ -750,7 +752,6 @@
 int
 client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
 {
- -	extern Options options;
 	double start_time, total_time;
 	int len;
 	char buf[100];
@@ -993,7 +994,7 @@
 	debug("client_input_channel_open: ctype %s rchan %d win %d max %d",
 	    ctype, rchan, rwindow, rmaxpack);

- -	if (strcmp(ctype, "x11") == 0) {
+	if (strcmp(ctype, "x11") == 0 && options.forward_x11) {
 		int sock;
 		char *originator;
 		int originator_port;
@@ -1066,11 +1067,14 @@
 	dispatch_set(SSH_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_co
nfirmation);
 	dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure
);
 	dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open);
- -	dispatch_set(SSH_SMSG_AGENT_OPEN, &auth_input_open_request);
 	dispatch_set(SSH_SMSG_EXITSTATUS, &client_input_exit_status);
 	dispatch_set(SSH_SMSG_STDERR_DATA, &client_input_stderr_data);
 	dispatch_set(SSH_SMSG_STDOUT_DATA, &client_input_stdout_data);
- -	dispatch_set(SSH_SMSG_X11_OPEN, &x11_input_open);
+
+	dispatch_set(SSH_SMSG_AGENT_OPEN, options.forward_agent ?
+	    &auth_input_open_request : NULL);
+	dispatch_set(SSH_SMSG_X11_OPEN, options.forward_x11 ?
+	    &x11_input_open : NULL);
 }
 void
 client_init_dispatch_15()

------- End of Forwarded Message





To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message