[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Hostile server OpenSSH agent/X11 forwarding

Title: Hostile server OpenSSH agent/X11 forwarding
Released by: FreeBSD
Date: 15th January 2001
Printable version: Click here


FreeBSD-SA-01:01                                           Security Advisory

                                                                FreeBSD, Inc.

Topic:          Hostile server OpenSSH agent/X11 forwarding

Category:       core/ports

Module:         openssh

Announced:      2001-01-15

Credits:        Markus Friedl 

Affects:        FreeBSD 4.1.1-STABLE prior to the correction date

                Ports collection prior to the correction date

Corrected:      2000-11-14

Vendor status:  Updated version released

FreeBSD only:   NO

I.   Background

OpenSSH is an implementation of the SSH1 and SSH2 secure shell

protocols for providing encrypted and authenticated network access,

which is available free for unrestricted use. Versions of OpenSSH are

included in the FreeBSD ports collection and the FreeBSD base system.

II.  Problem Description

To quote the OpenSSH Advisory:

    If agent or X11 forwarding is disabled in the ssh client

    configuration, the client does not request these features

    during session setup.  This is the correct behaviour.

    However, when the ssh client receives an actual request

    asking for access to the ssh-agent, the client fails to

    check whether this feature has been negotiated during session

    setup.  The client does not check whether the request is in

    compliance with the client configuration and grants access

    to the ssh-agent.  A similar problem exists in the X11

    forwarding implementation.

All versions of FreeBSD 4.x prior to the correction date including

FreeBSD 4.1 and 4.1.1 are vulnerable to this problem, but it was

corrected prior to the release of FreeBSD 4.2.  For users of FreeBSD

3.x, OpenSSH is not installed by default, but is part of the FreeBSD

ports collection.

The base system and ports collections shipped with FreeBSD 4.2 do not

contain this problem since it was discovered before the release.

III. Impact

Hostile SSH servers can access your X11 display or your ssh-agent when

connected to, which may allow access to confidential data or other

network accounts, through snooping of password or keying material

through the X11 session, or reuse of the SSH credentials obtained

through the SSH agent.

IV.  Workaround

Clear both the $DISPLAY and $SSH_AUTH_SOCK variables before connecting

to untrusted hosts. For example, in Bourne shell syntax:

% unset SSH_AUTH_SOCK; unset DISPLAY; ssh host

V.   Solution

Upgrade the vulnerable system to 4.1.1-STABLE or 4.2-STABLE after the

correction date, or patch your current system source code and rebuild.

To patch your present system: download the patch from the below

location and execute the following commands as root:

# fetch http://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:01/openssh.patch

# fetch http://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:01/openssh.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/crypto/openssh

# patch < /path/to/openssh.patch

# cd /usr/src/secure/lib/libssh

# make depend && make all

# cd /usr/src/secure/usr.bin/ssh

# make depend && make all install

[Ports collection]

One of the following:

1) Upgrade your entire ports collection and rebuild the OpenSSH port.

2) Deinstall the old package and install a new package dated after the

correction date, obtained from:






NOTE: Due to an oversight the package version was not updated after

the security fix was applied, so be sure to install a package created

after the correction date.

3) download a new port skeleton for the OpenSSH port from:


and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The

portcheckout port is available in /usr/ports/devel/portcheckout or the

package can be obtained from:







Version: GnuPG v1.0.4 (FreeBSD)

Comment: For info see http://www.gnupg.org







(C) 1999-2000 All rights reserved.