[vox-tech] X11 forward - used for hacking?
Ken Herron
Kherron+lugod at fmailbox.com
Tue Jun 8 17:34:12 PDT 2004
--On Tuesday, June 08, 2004 16:38:31 -0700 Bill Kendrick <nbs at sonic.net>
wrote:

> Waiting for forwarded connections to terminate...
> The following connections are open:
> X11 connection from proxyscan.xs4all.nl port 11219

Given that the remote host is called "proxyscan", they seem to be
operating in the open. Some IRC servers will scan clients (see
<http://help.undernet.org/proxyscan/> for example), and some anti-spam
tactics involve proxy-scanning hosts trying to send mail.

> Is there some way that the following connection could be made?
>
> somewhere.nl --> isp --> melissa's laptop
>
> Where all Melissa did was: ssh shell.isp.com ?

Oh, sure. As I'm sure you know, X11 client-server connections normally
run over TCP. When you connect to a remote host using ssh with X11
forwarding, the ssh daemon on the remote system sets up an X11 listener
port for clients to connect to. Depending on how the ssh daemon is
configured, the X11 listener port can be confined to localhost, or it can
be accessible over the network.

The X11 protocol includes a client authentication step. The ssh daemon
handles this for clients connecting to the remote listening port. I don't
know how (or if) this proxyscan host got past this step. It's possible
they were waiting at some pre-authentication phase of the protocol, in
which case they wouldn't have been able to do anything. Otherwise, they
would have had the same access to your display as any other client (which
is pretty serious from a security standpoint).
--
"Grand Funk Railroad paved the way for Jefferson Airplane, which cleared
the way for Jefferson Starship. The stage was now set for the Alan Parsons
Project, which I believe was some sort of hovercraft." - Homer Simpson
Kenneth Herron Kenneth.Herron at mci.com v658-5894 916-569-5894
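
Added example, not part of the original message: a check a shell-host admin could run to see whether forwarded-X11 listeners are confined to localhost, as the reply above describes. It assumes OpenSSH's sshd_config keywords (X11Forwarding, X11UseLocalhost, X11DisplayOffset) and Linux `ss -ltn` output; the function names, the WINDOW size and the sample inputs are constructed for illustration.

```python
import ipaddress
import re

DEFAULTS = {"x11forwarding": "no", "x11uselocalhost": "yes", "x11displayoffset": "10"}
WINDOW = 100  # assumption: how many display numbers above the offset to inspect

# Constructed samples, not taken from the thread.
SAMPLE_CONFIG = "X11Forwarding yes\nX11UseLocalhost no\nMatch User bob\n  X11DisplayOffset 20\n"
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:6010       0.0.0.0:*
LISTEN 0      128    127.0.0.1:6011     0.0.0.0:*
LISTEN 0      128    [::1]:6011         [::]:*
"""

def effective_x11_settings(config_text):
    """Global-section X11 settings; sshd keeps the first value seen per keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":  # simplification: Match blocks and Include are not evaluated
            break
        if key in DEFAULTS and len(parts) == 2 and key not in seen:
            seen[key] = parts[1].strip().strip('"').lower()
    return {**DEFAULTS, **seen}

def exposed_x11_listeners(settings, ss_output):
    """Candidate forwarded-X11 listeners in `ss -ltn` text bound off-loopback."""
    first = 6000 + int(settings["x11displayoffset"])
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]").split("%")[0]
        if not port.isdigit() or not first <= int(port) < first + WINDOW:
            continue
        if addr in ("*", "0.0.0.0", "::") or not ipaddress.ip_address(addr).is_loopback:
            hits.append((addr, int(port)))  # match is by port range only
    return hits

if __name__ == "__main__":
    s = effective_x11_settings(SAMPLE_CONFIG)
    print(s, exposed_x11_listeners(s, SAMPLE_SS))
```

The socket table is the ground truth: a non-empty result means a listener in the forwarded-display port range accepts connections from other hosts, whatever the configuration file says.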