IETF-SSH archive


New Proposal for Section 11.3.3 X11 Forwarding



Hi Folks,

I'm trying to work in all of the suggestions for improvements in the text.
It's a bit ungainly to put all of that in a single note so I'm separating
it into subsections.  Here's a rewrite of 11.3.3.  Below that is a
grouping of comments I've seen on this thread.  Please make comments on
this text.  Specific textual contributions will be especially appreciated.

Thanks,
Chris

==========================================================================


11.3.3 X11 Forwarding

   Another form of proxy forwarding provided by the ssh connection
   protocol is the forwarding of the X11 protocol.  If end-point security
   has been compromised, X11 forwarding may allow attacks against the X11
   server.  Users and administrators should, as a matter of course, use
   all available X11 security mechanisms to prevent unauthorized use of
   the X11 server.  Implementors, administrators and users who wish to
   further explore the security mechanisms of X11 are invited to read
   [SCHEIFLER] and analyze previously reported problems with the
   interactions between SSH forwarding and X11 in CERT vulnerabilities
   VU#363181 and VU#118892 [CERT].  Additionally, they are advised to
   review the problems found and the lessons learned in a paper by Wietse
   Venema [Venema] presented to the 6th USENIX Security Symposium.

   Implementors of the X11 forwarding protocol SHOULD implement the magic
   cookie access checking spoofing mechanism as described in [ssh-connect]
   as an additional mechanism to prevent unauthorized use of the proxy.


[SCHEIFLER]     Scheifler, R., "X Window System : The Complete
                Reference to Xlib, X Protocol, Icccm, Xlfd, 3rd
                edition.", Digital Press ISBN 1555580882, February
                1992.

[CERT]     The CERT Coordination Center
           Software Engineering Institute
           Carnegie Mellon University
           Pittsburgh, PA 15213-3890
           U.S.A.
           ( http://www.cert.org/nav/index_red.html )

[ssh-connect]     ssh-connect ID to be replaced with the RFC information
                  when available

[Venema]     Wietse Venema, "Murphy's Law and Computer Security",
             Proceedings of 6th USENIX Security Symposium, San Jose, CA,
             July 1996.
             http://www.usenix.org/publications/library/proceedings/sec96/venema.html


---Notes---

[RJA:  Which "X11 security mechanism" is meant ?
[RJA:  Also, please add a citation for that mechanism.

[JG:  Well, I didn't have a particular one in mind.  The
[JG:  advice is to use any X11 security mechanism.  I'd
[JG:  be willing to remove the paragraph.
[RJA:  I'd like to keep text encouraging folks to use as much
[RJA:  security as they can.  I'm not an expert on the security
[RJA:  properties of X11.  I was thinking that there probably were
[RJA:  some specific security mechanisms (e.g. my vague recollection
[RJA:  of the MIT-magic-cookie hack noted above) that we ought
[RJA:  to mention and cite.

---Nico---vv
Well, the MIT magic cookie approach is about the only one truly in use
and, IMO, it is sufficient for the purposes of SSHv2.
---Nico---^^

---Joseph---vv
I would suggest the following two citations for this
section:

[SCHEIFLER]     Scheifler, R., "X Window System : The Complete
                Reference to Xlib, X Protocol, Icccm, Xlfd, 3rd
                edition.", Digital Press ISBN 1555580882, February
                1992.

and

  draft-ietf-secsh-connect-16.txt, section 4.3.1.,
  "Requesting X11 Forwarding"
---Joseph---^^

---Nico---vv
Er, sure.  I'm not very familiar with the X11 standards, so I'm not sure
what would be a good reference.  Apparently X.ORG and the Open Group own
the X11 standards now.  A quick search through X.org and XFree86.org
yielded little conclusive information, but a further search finally
yielded:

http://www.xfree86.org/4.3.0/XStandards.7.html

Likely the best reference is:

X Window System Protocol
X Version 11, Release 6.4
Robert W. Scheifler
---Nico---^^

---Ran---vv
It turns out that the X11 cookie security has significant issues.

A good reference for folks here to read might be:
        Wietse Venema, "Murphy's Law and Computer Security", Proceedings
        of 6th USENIX Security Symposium, San Jose, CA, July 1996.

It is likely that the above paper can be downloaded from USENIX,
http://www.usenix.org.  I don't know the correct URL for that
paper, so one would have to browse to find it.

Also, if we reach back to 1997, there were other issues identified:
        http://lists.insecure.org/lists/bugtraq/1997/Sep/0062.html

I'm not comfortable with the current text on X11, though I'm
only one person...
---Ran---^^
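
The cookie spoofing check that the proposed text recommends, as an added Python example (not code from this message, the draft, or any SSH implementation): the remote side is only ever given a fake cookie, and each forwarded connection must present that fake cookie before the real one is substituted and the data is passed on to the X server. The function names, the sample cookie values, and the choice to accept only MIT-MAGIC-COOKIE-1 are assumptions of this example.

```python
import hmac
import os
import struct

AUTH_NAME = b"MIT-MAGIC-COOKIE-1"
REAL = bytes(range(16))   # constructed stand-in for the local display's cookie
FAKE = os.urandom(16)     # random fake cookie, the only one the remote side sees


def _pad4(n):
    return (n + 3) & ~3   # X11 pads strings to a multiple of 4 bytes


def build_setup(cookie, order=b"l", name=AUTH_NAME):
    """Constructed sample input: an X11 connection-setup request."""
    fmt = "<" if order == b"l" else ">"
    head = order + b"\0" + struct.pack(fmt + "5H", 11, 0, len(name), len(cookie), 0)
    return head + name.ljust(_pad4(len(name)), b"\0") + cookie.ljust(_pad4(len(cookie)), b"\0")


def swap_cookie(first_bytes, fake, real):
    """Check the first bytes of a forwarded X11 connection.

    Returns the request with the real cookie substituted, None if the
    connection must be refused, or raises ValueError if more data is needed.
    """
    if len(first_bytes) < 12:
        raise ValueError("incomplete setup header")
    if first_bytes[:1] == b"l":      # LSB-first client
        fmt = "<"
    elif first_bytes[:1] == b"B":    # MSB-first client
        fmt = ">"
    else:
        return None
    name_len, data_len = struct.unpack(fmt + "HH", first_bytes[6:10])
    data_off = 12 + _pad4(name_len)
    if len(first_bytes) < data_off + _pad4(data_len):
        raise ValueError("incomplete authorization data")
    name = first_bytes[12:12 + name_len]
    data = first_bytes[data_off:data_off + data_len]
    # Refuse anything that is not exactly the fake cookie; compare in constant time.
    if name != AUTH_NAME or len(data) != len(real):
        return None
    if not hmac.compare_digest(data, fake):
        return None
    return first_bytes[:data_off] + real + first_bytes[data_off + data_len:]
```

A connection that presents anything other than the fake cookie, including the real one, is refused before any byte reaches the X server.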




