lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 6 Jun 2007 17:15:29 -0300
From: "Daniel Cid" <daniel.cid@...il.com>
To: bugtraq@...urityfocus.com
Subject: Remote log injection on DenyHosts, Fail2ban and BlockHosts

Hi List,

DenyHosts, Fail2ban and BlockHosts are vulnerable to remote log injection
that can lead to arbitrarily injection of IP addresses in /etc/hosts.deny. To
make it more "interesting", not only IP addresses can be added, but
also the wild card "all", causing it to block the whole Internet out of the
box (bypassing white lists) -- see DenyHosts exploit example.

The following paper discuss these issues and contain the available
patches for them:

http://www.ossec.net/en/attacking-loganalysis.html


Snippet from the article:
"
The purpose of this article is to point out some vulnerabilities that
I found on open source log analysis tools aimed to stop brute force
scans against SSH  and ftp services. Since these tools also perform
active response (automatically blocking the offending IP address),
they would be good examples. However, any tool that parse logs can be
equally vulnerable.

We will show three 0-day denial-of-service attacks caused by remote
log injection on BlockHosts, DenyHosts and fail2ban.

This paper talks about remote log injection, where an external
attacker can modify a log, based on the input it provides to an
application (in our case OpenSSH and vsftpd). By modifying the way the
application logs, we are able to attack these log analysis tools. We
are not talking about local log modification or "syslog injection".
"


Links to these tools:
http://denyhosts.sourceforge.net/
http://www.aczoom.com/cms/blockhosts
http://www.fail2ban.org


Link to the article:
http://www.ossec.net/en/attacking-loganalysis.html

Available patches:
http://www.ossec.net/en/attacking-loganalysis.html#patches


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

Powered by blists - more mailing lists