{"id":107,"date":"2024-02-19T20:04:57","date_gmt":"2024-02-19T20:04:57","guid":{"rendered":"https:\/\/tolva.fr\/?p=107"},"modified":"2024-03-11T19:24:42","modified_gmt":"2024-03-11T19:24:42","slug":"whats-wrong-with-x11-forwarding","status":"publish","type":"post","link":"https:\/\/tolva.fr\/index.php\/2024\/02\/19\/whats-wrong-with-x11-forwarding\/","title":{"rendered":"What’s wrong with X11 forwarding ?"},"content":{"rendered":"\n

I’ve read on several places (such as https:\/\/cyber.gouv.fr\/sites\/default\/files\/2014\/01\/NT_OpenSSH.pdf<\/a>) that X11 forwarding is bad<\/em> ( well it’s not what it’s written, but it’s what i remembered the first time i read this).<\/p>\n\n\n\n

I initially thought it was a common sense recommendation intended to reduce the attack surface, but i was wrong and it occurs that a compromised and\/or malicious ssh server can fully take control of the client.<\/p>\n\n\n\n

One of the best ressource i’ve found about this is probably this document from SANS Institute (https:\/\/www.giac.org\/paper\/gcih\/571\/x11-forwarding-ssh-considered-harmful\/104780)<\/a>.<\/p>\n\n\n\n

It was published in 2004, twenty years ago, so it is really not nothing new !<\/p>\n\n\n\n

Apparently, X11 uses a client\/server model: Applications that want to display something ask the X11 server to do so.<\/p>\n\n\n\n

Communication between client applications and X11 server is done through a Unix socket, and client have to authenticate themself using a value stored in the ~\/.Xauthority<\/code> file.<\/p>\n\n\n\n

X11 forwarding allows the ssh client to launch graphics applications on the server.<\/p>\n\n\n\n

In that situation, the remote application on the server interacts with the X11 server on the client via the ssh client. <\/p>\n\n\n\n

This allow such an application to display its graphics context on the client, but also to perform less legitimate action, such as take a screenshot of the client:<\/p>\n\n\n\n