Date: Tue, 28 Nov 2006 12:29:31 -0600
From: <daylasoul@...h.com>
To: <full-disclosure@...ts.grok.org.uk>
Cc: 
Subject: Re: SSH brute force blocking tool

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 28 Nov 2006 10:59:43 -0600 "J. Oquendo"
<sil@...iltrated.net> wrote:
>Tavis Ormandy wrote:
>> On Tue, Nov 28, 2006 at 04:02:36PM +0000, Tavis Ormandy wrote:
>> I notice you also havnt solved the local privilege escalation,
>this can
>> be abused by local users to gain root by attempting to login
>with the
>> username set to a valid passwd entry and then winning the race
>condition
>> by creating a symlink to the system passwd file (of course,
>there are
>> dozens of other attacks).
>>
>> Thanks, Tavis.
>
>And just what on God's earth does "SOMEONE LOGGING IN WITH
>USERNAME SET
>TO A VALID PASSWORD ENTRY" have to do with this script. Let me
>take my
>script out of the equation for a minute. "SOMEONE LOGS IN WITH A
>USERNAME SET TO A VALID PASSWORD ENTRY" don't you think this is a
>problem with the system they're on? Please explain to me how
>because I'm
>seriously curious to know how you envision this happening with
>this
>script of mine.
>
>Nov 27 16:31:21 local sshd[67010]: Illegal user dd from
>213.134.128.227
>awk '($5=="Illegal"||$6=="Illegal")&&$9=="from"{print $10}'
>
>Would stop the insertion attack and only print out the tench field
>if
>fields 5, 6 and 9 match Illegal user from.
>
>So that would pretty much minimize the attack on name insertion.
>If I
>wanted to I could also make sure that if someone came after field
>10,
>then ignore the entire line:
>Nov 27 16:31:21 local sshd[67010]: Illegal user dd from
>213.134.128.227
>
>But before you shoot back let me send your response for you:
>
>Tavis Ormandy will write:
>>  "Someone could log in using: "Illegal User foo from
>$OWNIPADDRESS"@host which would make an entry:
>>  Nov 27 16:31:21 local sshd[67010]: Illegal user  dd from
>Illegal User
>foo from $OWNIPADDRESS 213.134.128.227"
>
>SO let me restate. I could modify it to look at lines 5, 6, and 9
>...
>Take a look at the tenth column and if anything comes after
>that...Ignore that entire line... Should I have done so, maybe...
>Will I
>do so... Maybe...
>
>But wait there's more... Before you respond back Tavis, I will do
>so for
>you:
>
>Tavis Ormandy will write:
> > "Someone could cause a race condition in awk that will allow
>peanut
>butter to seep into my colo"
>
>Sorry can't help you there.
>
>As to a fix to someone injecting ranDumb addresses. That same awk
>statement above will work but if they're doing some netcat voodoo,
>then
>feel free to shoot off another email on how my script broke TCP/IP
>entirely.
>
>
>
>--
>====================================================
>J. Oquendo
>http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
>sil . infiltrated @ net http://www.infiltrated.net
>
>The happiness of society is the end of government.
>John Adams
please take disagreements off list and make sure quoting does not
exceed that which is necessary to convey context.  Thanks.
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkVsgAsACgkQ3AEcWsxdEQ4qeQP+M4H5IfprYdHqysEMl9frCqXsfh9T
3z8XL6MD44oBRr657t3ren6Dl/mhUxuWsIJ2dIApxSJYK51J8RShFL+KuW/7VKnUqZEQ
ln93svmpEt3A1hsB8/TPsJePKSP5avRUh9X5WxfxZRmi5WVM3uOcpDr1//EsgnUd7tyI
dvwNGRY=
=TtP4
-----END PGP SIGNATURE-----




Concerned about your privacy? Instantly send FREE secure email, no account required
http://www.hushmail.com/send?l=480

Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists