
Got SSH? And we got exploit – OpenSSH xauth injection - vulnersTeam
https://twitter.com/VulnersCom/status/710356647462506496
======
77pt77
[https://vulners.com/exploitdb/EDB-ID:39569](https://vulners.com/exploitdb/EDB-ID:39569)

> By injecting xauth commands one gains limited* read/write arbitrary files,
> information leakage or xauth-connect capabilities. These capabilities can be
> leveraged by an authenticated restricted user - e.g. one with the login
> shell configured as /bin/false or one with configured forced-commands - to
> bypass account restriction. This is generally not expected.

> The injected xauth commands are performed with the effective permissions of
> the logged in user as the sshd already dropped its privileges.

So basically setting the shell to /bin/false or something like that can be
bypassed.

Just block users in sshd_config

~~~
vulnersTeam
Quick-Info:

* requires: X11Forwarding yes

----> Mitigation - disable X11Forwarding?))

~~~
77pt77
I actually think just disabling login is better.

People that set the shell to /bin/false or nologin are asking for trouble
IMHO.
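
An added example, not part of the thread or of any project's code: a small audit that lists accounts with a restricted login shell that can still log in while `X11Forwarding yes` applies to them, which is the combination the advisory describes. The config and passwd text are constructed samples, and the parser is a simplification (it models only global settings, global `DenyUsers`, and single-criterion `Match User` blocks, and does not detect forced-command accounts).

```python
import fnmatch

# Constructed sample inputs (not taken from any real host).
SSHD_CONFIG = """\
X11Forwarding yes
DenyUsers backup
Match User gituser
    X11Forwarding no
"""
PASSWD = """\
gituser:x:1001:1001::/home/gituser:/usr/sbin/nologin
backup:x:1002:1002::/home/backup:/bin/false
sftponly:x:1003:1003::/home/sftponly:/bin/false
alice:x:1004:1004::/home/alice:/bin/bash
"""
RESTRICTED_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def parse_sshd(text):
    """Return (global X11Forwarding, DenyUsers patterns, {Match User pattern: value})."""
    x11, deny, per_user, match = None, [], {}, None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "match":  # assumption: other Match criteria are ignored
            match = args[1] if len(args) == 2 and args[0].lower() == "user" else "\0unsupported"
        elif key == "x11forwarding" and args:
            if match is None:
                x11 = x11 or args[0].lower()  # first global value wins
            else:
                per_user.setdefault(match, args[0].lower())
        elif key == "denyusers" and match is None:
            deny += args
    return x11 or "no", deny, per_user  # OpenSSH default is "no"

def exposed_accounts(sshd_text, passwd_text):
    """Restricted-shell accounts allowed to log in with X11Forwarding enabled."""
    x11, deny, per_user = parse_sshd(sshd_text)
    hits = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) != 7 or f[6] not in RESTRICTED_SHELLS:
            continue
        if any(fnmatch.fnmatchcase(f[0], p) for p in deny):
            continue  # login blocked in sshd_config
        effective = next((v for p, v in per_user.items() if fnmatch.fnmatchcase(f[0], p)), x11)
        if effective == "yes":
            hits.append(f[0])
    return hits
```

On a live host, `sshd -T -C user=NAME` prints the effective settings for a given user and is the authoritative check.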

