ssh 1.2.26 x11-fwd dos (Re: MicroImages MIX X Server)

[dfrasnel () ALPHALINUX ORG (Dan Frasnelli)]

> > Basically telneting into port 6000 of the server and typing in random
> > gibberish, brings it down.
This method of conducting a simple dos against unprotected X servers is
already well-known.  Most X servers for windows default to accepting all
connections to port 6000, making more than the MI/X software vulnerable.
Also, I do not think most pc X servers have cookies support - session
hijacking and snooping may be possible.

On the subject of denial of service attacks, ssh 1.2.26 has a nice one
associated with x11 forwarding.  Data Fellows, Ltd. were informed of this
and a second vulnerability (session confidentiality can be compromised by
a second user on the client machine) last month but did not respond.

Here is a quick overview:
- if $DISPLAY is set on the client machine and the remote server allows
  X11 forwarding (default), sshd will bind to an available port above
  6000 for each subsequent ssh session.
- On linux, the first port allocated is 6001 (:1.0); on solaris 2.6, the
  first is 6010 (:10.0).  The second ssh session w/x11 forwarding will
  bind 6002 under linux, 6011 under solaris, etc.  lsof is probably the
  best tool to use if you have access to both the server and client.
- A simple connect() via telnet or a portscanner to the forwarded X server
  from any remote host will kill the ssh session and any forwarded
  clients.
- Versions 1.2.27 and 2.x drop the connection and report the attempt.

I have fully documented this and the second vulnerability mentioned above,
but will give Data Fellows some more time to respond - the commercial
product is vulnerable to the second attack.  If we do not hear back from
them in a few days, the exploit documentation will be sent to this list.

Regards,
Dan