What’s wrong with X11 forwarding?


I’ve read in several places (such as https://cyber.gouv.fr/sites/default/files/2014/01/NT_OpenSSH.pdf) that X11 forwarding is bad (well, that is not exactly what is written there, but it is what I remembered the first time I read it).

I initially thought it was a common-sense recommendation intended to reduce the attack surface, but I was wrong: it turns out that a compromised and/or malicious SSH server can fully take control of the client.

One of the best resources I’ve found on this is probably this document from the SANS Institute (https://www.giac.org/paper/gcih/571/x11-forwarding-ssh-considered-harmful/104780).

It was published in 2004, twenty years ago, so this is really nothing new!

Apparently, X11 uses a client/server model: applications that want to display something ask the X11 server to do so.

Communication between client applications and the X11 server goes through a Unix socket, and clients have to authenticate themselves using a value stored in the ~/.Xauthority file.

X11 forwarding allows the ssh client to launch graphical applications that live on the server.

In that situation, the remote application on the server interacts with the X11 server on the client, with the ssh client relaying the traffic.

This allows such an application to display its windows on the client, but also to perform less legitimate actions, such as taking a screenshot of the client:

Or, even worse, logging its keystrokes:

This attack worked on Ubuntu 16.04 (and earlier), where the ssh version is 7.2p2.

I performed some tests on the ssh client to check which versions are vulnerable.

It turns out that an ssh client 7.2p2 built from source is not vulnerable, unless the -Y option (« trusted X11 forwarding ») is used instead of the -X option.

The same behaviour occurs with ssh clients 7.6p2 and 8.6p2 built from source.

This behaviour is not observed on Ubuntu 18.04 and later. I suppose that some refactoring was done in X11?
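The difference between -X and -Y in the tests above is the ForwardX11Trusted client option: with an untrusted forwarding the ssh client hands the remote application a restricted X11 cookie, with a trusted one it gets full access to the local display, including the screenshot and keystroke tricks shown earlier. Distribution packages can flip that default in /etc/ssh/ssh_config (Debian and Ubuntu have shipped ForwardX11Trusted yes there for years), so the flag on the command line is not the whole story. The script below is an added example, not code from this post or from OpenSSH: it resolves the effective ForwardX11 / ForwardX11Trusted values for a host the way ssh_config(5) does (first obtained value wins, the section before the first Host keyword applies everywhere, -X / -Y override the files) and classifies what a hostile server would obtain. The Debian-like and hardened configs are constructed samples; the parser ignores Include and treats Match blocks as never matching, which is a simplification of this example rather than ssh behaviour.

```python
"""Audit the effective X11-forwarding settings of an OpenSSH client.

Added example (not code from the original post or from OpenSSH). It
reimplements the relevant part of ssh_config(5) evaluation: the first
obtained value for an option wins, the section before the first Host keyword
applies to every host, and -X / -Y on the command line take precedence.
"""
import fnmatch
import re

# Upstream OpenSSH compiled-in defaults for the two options that matter here.
UPSTREAM_DEFAULTS = {"forwardx11": "no", "forwardx11trusted": "no"}

# Constructed sample modelled on the /etc/ssh/ssh_config that Debian and
# Ubuntu packages ship, which turns ForwardX11Trusted on for every host.
DEBIAN_LIKE_CONFIG = """\
Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    ForwardX11Trusted yes
"""

# Constructed sample of a hardened ~/.ssh/config: X11 forwarding off by
# default, enabled for one host only, and never trusted anywhere.
HARDENED_CONFIG = """\
Host lab-desktop
    ForwardX11 yes

Host *
    ForwardX11 no
    ForwardX11Trusted no
"""


def parse_ssh_config(text):
    """Return [(host_patterns, {option: value}), ...] in file order.

    The implicit leading section matches every host. Match blocks depend on
    runtime facts (user, exec, ...) and get a sentinel pattern that never
    matches; Include directives are not followed (simplification).
    """
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r"([^\s=]+)\s*[=\s]\s*(.+)", line)   # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "host":
            blocks.append((value.split(), {}))
        elif key == "match":
            blocks.append((["<match-block>"], {}))
        else:
            blocks[-1][1].setdefault(key, value)   # first occurrence in a block wins
    return blocks


def host_matches(patterns, host):
    """Host keyword semantics: some positive pattern matches and no '!' pattern does."""
    positive = any(not p.startswith("!") and fnmatch.fnmatchcase(host, p) for p in patterns)
    negated = any(p.startswith("!") and fnmatch.fnmatchcase(host, p[1:]) for p in patterns)
    return positive and not negated


def effective_settings(host, config_texts, flags=()):
    """Resolve ForwardX11 / ForwardX11Trusted for `host`.

    config_texts are given in the order ssh reads them (~/.ssh/config before
    /etc/ssh/ssh_config); flags are command-line switches such as "-X" / "-Y".
    """
    settings = {}
    if "-Y" in flags:                       # -Y enables trusted forwarding
        settings.update(forwardx11="yes", forwardx11trusted="yes")
    elif "-X" in flags:                     # -X only enables forwarding
        settings["forwardx11"] = "yes"
    for text in config_texts:
        for patterns, opts in parse_ssh_config(text):
            if not host_matches(patterns, host):
                continue
            for key in UPSTREAM_DEFAULTS:
                if key in opts and key not in settings:
                    settings[key] = opts[key]   # first obtained value wins
    return {key: settings.get(key, default) for key, default in UPSTREAM_DEFAULTS.items()}


def x11_exposure(settings):
    """What a hostile server would get for this host: 'off', 'untrusted' or 'trusted'."""
    if settings["forwardx11"] != "yes":
        return "off"
    return "trusted" if settings["forwardx11trusted"] == "yes" else "untrusted"


if __name__ == "__main__":
    cases = [
        ("upstream defaults, ssh -X", ["", ""], ("-X",)),
        ("Debian-like system config, ssh -X", ["", DEBIAN_LIKE_CONFIG], ("-X",)),
        ("hardened user config, plain ssh", [HARDENED_CONFIG, DEBIAN_LIKE_CONFIG], ()),
        ("hardened user config, ssh -Y", [HARDENED_CONFIG, DEBIAN_LIKE_CONFIG], ("-Y",)),
    ]
    for label, texts, flags in cases:
        resolved = effective_settings("bastion", texts, flags)
        print(f"{label:38s} -> {x11_exposure(resolved)}  {resolved}")
```

The second case is the one to look for on a fleet: a plain `ssh -X` on a client whose packaged ssh_config sets ForwardX11Trusted yes behaves exactly like `ssh -Y` on an upstream build. On a real machine, `ssh -G <host> | grep -i forwardx11` prints the same resolved values without connecting, so the check can be scripted across workstations; the hardened sample shows the two lines to put under `Host *` in ~/.ssh/config so that neither -X nor a distribution default grants a server trusted access to the local display.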

