by Timo Juhani Lindfors

2008-04-05 15:59:48

Abstract

Timo Juhani Lindfors has discovered vulnerabilities in OpenSSH that allow attackers to hijack forwarded X connections. A security update is now available on openssh.com.

Exploit & Code

Successfully exploiting this issue may allow an attacker to run arbitrary shell commands with the privileges of the user running the affected application.

This issue affects OpenSSH 4.3p2; other versions may also be affected.

NOTE: This issue affects the portable version of OpenSSH and may not affect OpenSSH running on OpenBSD.

Exploit:
A specific exploit is not required. The attacker would only need to listen on port 6010 with a program such as VNC or nc.
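
A defensive check for the condition described above, added here as an example and not part of the original advisory or of OpenSSH: it scans `ss -H -ltnp` output for listeners on X11-forwarding ports that are not owned by sshd. The sample output is constructed, and the 6010-6099 port range and the function name are assumptions.

```python
import re

# Constructed sample of `ss -H -ltnp` output (not taken from a real host).
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
LISTEN 0 128 127.0.0.1:6010 0.0.0.0:* users:(("nc",pid=4242,fd=3))
LISTEN 0 128 [::1]:6010 [::]:* users:(("sshd",pid=4100,fd=9))
LISTEN 0 128 127.0.0.1:6011 0.0.0.0:* users:(("sshd",pid=4177,fd=9))
LISTEN 0 128 [::1]:6011 [::]:* users:(("sshd",pid=4177,fd=10))
LISTEN 0 5 0.0.0.0:6012 0.0.0.0:*
"""

# Assumption: forwarded displays start at :10 (port 6010); check the first 90.
X11_FWD_PORTS = range(6010, 6100)

# Matches each ("name",pid=N,...) entry in the users:(...) column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def suspicious_x11_listeners(ss_output, allowed=("sshd",)):
    """Return (address, port, process, pid) for every listener on an
    X11-forwarding port whose owner is not in `allowed`."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in X11_FWD_PORTS:
            continue
        owners = PROC_RE.findall(" ".join(fields[5:]))
        if not owners:
            # ss hides other users' processes from non-root callers:
            # report the listener as unknown rather than skipping it.
            findings.append((addr, int(port), "unknown", None))
            continue
        for name, pid in owners:
            if name not in allowed:
                findings.append((addr, int(port), name, int(pid)))
    return findings


if __name__ == "__main__":
    for addr, port, name, pid in suspicious_x11_listeners(SAMPLE_SS):
        print(f"{addr}:{port} held by {name} (pid {pid})")
```

Matching on the process name is a heuristic; confirm the executable path behind the PID before clearing a listener.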

Solution:
Updates are available. Please see the references for more information.

OpenBSD OpenBSD 4.3
OpenBSD 002_openssh2.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/002_openssh2.patch

OpenBSD OpenBSD 4.1
OpenBSD 016_openssh2.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.1/common/016_openssh2.patch

OpenBSD OpenBSD 4.2
OpenBSD 011_openssh2.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.2/common/011_openssh2.patch

OpenSSH OpenSSH 4.3p2
OpenSSH openssh-3.9p1-skip-used.patch
http://cvs.fedora.redhat.com/viewcvs/rpms/openssh/devel/openssh-3.9p1-skip-used.patch?rev=1.1&view=markup

References

Keywords

openBSD
openSSH