lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 7 Feb 2006 09:47:24 +1100 (EST)
From: Damien Miller <djm@...drot.org>
To: innate@....de
Cc: bugtraq@...urityfocus.com
Subject: Re: cleartext passwords get into log files


On Fri, 3 Feb 2006, innate@....de wrote:

> the cleartext password came into the log file because someone 
> has been out of concentration and entered the password instead of
> the username in some client for connecting to a ssh server. 

Seeing what accounts people are trying to log into is also important.
I'm sure that most administrators would be interested in seeing, for
example, login attempts on a deleted ex-staff member's account. 

> another problem might be cause by showing the illegal username for
> the login and even if this is caused by another lame written software
> the problem is real (remind human unperfection):
> 
> the username could contain characters that might be interpreted wrong
> from other software. example from log file (caused by sshd again):
> 
> Feb  2 10:20:28 hostname sshd[7419]: Failed keyboard-interactive/pam for invalid user d'a<d>;(m)l from ...
> 
> just note the characters:
> 	<> 	XXS, html injeciton?
> 	';()    SQL injection?
> 	';	shell commands?

OpenSSH tries to be idiot proof against stupid syslogds by stripping 
control characters from log strings, but you can always invent a 
bigger (hypothetical) idiot.

If your log processing software is so fundamentally broken that it
passes unmodified data to shells, SQL servers or HTML then nothing is
going save you - you will need to ensure that every piece of software
that logs can never be cajoled into writing something that could be 
misinterpreted.

> prevention:
> illegal users dont need to be shown in the log files. most servers
> only print a "UNKNOWN USER" in their log file and in my opinion this 
> makes a lot of sense.

This destroys useful information and lessens the evidentary value of 
the log file. A better prevention:

chmod 0600 /var/log/authlog

(assuming it isn't already).

-d

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ