The OpenSSH <=6.8 X11 SECURITY bug


When connecting to the SSH server, the SSH client registers a new MIT magic cookie with lifetime ForwardX11Timeout (default: 20 minutes) with the X server. This cookie is subject to X11 SECURITY restrictions. I'm going to call this the restricted cookie from now on.

When connecting to the SSH server, the SSH client creates a dummy cookie that looks like an MIT magic cookie. It sends this string to the SSH server, and X clients on the SSH server have to send the dummy cookie when authenticating to the X server through SSH. The SSH client verifies the correctness of the dummy cookie, then replaces it with the restricted cookie before forwarding the authentication request to the X server. Here is some crappy ASCII art of the information flow:

    +----------+  restricted cookie  +-----+   SSH tunnel   +------+   dummy cookie   +----------+
    | X server |<--------------------| ssh |<-------------->| sshd |<-----------------| X client |
    +----------+                     +-----+                +------+                  +----------+
                                     replaces                  |                           ^
                                     cookie                    |                           |
                                                               |    +---------------+      |
                                                               +--->| ~/.Xauthority |------+
                                                                    +---------------+
                                                                  stores dummy cookie

1. victim (SSH client) connects to attacker (SSH server) with ssh -X
2. attacker waits 19.5 minutes
3. attacker opens an X11 connection to the SSH server; the SSH server requests creation of a new X11 channel over the SSH connection; the SSH client connects to the X server
4. attacker waits 1 minute; the timeout expires and the X server forgets about the restricted cookie. The SSH client allows no new X11 channels anymore
5. attacker sends an authentication request with the dummy cookie; the SSH client sends an authentication request with the restricted cookie; the X server doesn't recognize the cookie and allows the connection through implicit authentication
6. attacker interacts with the X server without being subject to X SECURITY restrictions
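As an added illustration (not code from OpenSSH or from the original post), here is a small Python model of the ssh-side cookie swap on the X11 connection-setup request described in the information flow above, with the ForwardX11Timeout deadline re-checked at the moment the authentication request is forwarded rather than only when the channel was opened, which is the gap the timeline above exploits. The cookie values, the session start time and the function names are constructed for the example.

```python
import hmac
import struct

AUTH_PROTO = b"MIT-MAGIC-COOKIE-1"
# Constructed sample values, not real cookies.
DUMMY_COOKIE = bytes(range(16))           # what the X client on the server side presents
RESTRICTED_COOKIE = bytes(range(16, 32))  # what ssh registered with the X server
FORWARD_X11_TIMEOUT = 20 * 60             # seconds, the default mentioned above

def _pad4(n):
    return (4 - n % 4) % 4

def parse_x11_setup(pkt):
    """Parse an X11 connection-setup request into (byte order, auth name, auth data)."""
    if len(pkt) < 12:
        raise ValueError("short setup request")
    order = {0x42: ">", 0x6C: "<"}.get(pkt[0])  # 'B' = MSB first, 'l' = LSB first
    if order is None:
        raise ValueError("bad byte-order byte")
    _major, _minor, nlen, dlen = struct.unpack(order + "HHHH", pkt[2:10])
    name_end = 12 + nlen
    data_start = name_end + _pad4(nlen)
    data_end = data_start + dlen
    if len(pkt) < data_end:
        raise ValueError("truncated setup request")
    return order, pkt[12:name_end], pkt[data_start:data_end]

def build_x11_setup(order, name, data, major=11, minor=0):
    """Build a setup request with the given auth name/data, each padded to 4 bytes."""
    first = 0x42 if order == ">" else 0x6C
    hdr = bytes([first, 0]) + struct.pack(order + "HHHHxx", major, minor, len(name), len(data))
    return hdr + name + b"\0" * _pad4(len(name)) + data + b"\0" * _pad4(len(data))

def forward_x11_auth(pkt, session_start, now, dummy=DUMMY_COOKIE, restricted=RESTRICTED_COOKIE):
    """Return the request to pass on to the X server, or None to drop the connection.

    The deadline is checked here, when the authentication request arrives, not only
    when the X11 channel was opened: a channel opened at 19.5 minutes must not be
    allowed to authenticate at 20.5 minutes, after the X server dropped the cookie."""
    if now >= session_start + FORWARD_X11_TIMEOUT:
        return None
    order, name, data = parse_x11_setup(pkt)
    if name != AUTH_PROTO or not hmac.compare_digest(data, dummy):
        return None
    return build_x11_setup(order, AUTH_PROTO, restricted)

if __name__ == "__main__":
    req = build_x11_setup("<", AUTH_PROTO, DUMMY_COOKIE)
    print(forward_x11_auth(req, 0, 19.5 * 60) is not None)  # True: swapped and forwarded
    print(forward_x11_auth(req, 0, 20.5 * 60))               # None: refused after timeout
```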