Message-ID: <20060203115355.23384.qmail@securityfocus.com>
Date: 3 Feb 2006 11:53:55 -0000
From: innate@....de
To: bugtraq@...urityfocus.com
Subject: cleartext passwords get into log files
author: l0om
page: www.excluded.org
date: 03.02.2006
cleartext passwords get into log files
(this was first noted from a sshd [SSH-1.99-OpenSSH_3.7.1p2])
once on a linux box i have noticed cleartext passwords in the
"/var/log/messages" logfile. how this happens and how to prevent
is the aim of this mail because it might be possible to find such
things in other log files as well.
from computer security we know one fact for sure:
never rely on the human concentration and perfection!
the cleartext password came into the log file because someone
has been out of concentration and entered the password instead of
the username in some client for connecting to a ssh server.
badass@...host:~> grep "illegal user" messages.bak | grep input
Dec xx 10:10:18 hostname sshd[7793]: input_userauth_request: illegal user <clear-text-root-password>
Jan xx 15:31:01 hostname sshd[12328]: input_userauth_request: illegal user <dunno for sure>
Feb xx 09:29:44 hostname sshd[7318]: input_userauth_request: illegal user <a user who is not on this system but on others>
Feb xx 03:57:28 hostname sshd[14841]: input_userauth_request: illegal user <ssh brute force + n>
[...]
the problem has been constructed with:
- human imperfection
- software which forgot about human imperfection
as most servers need a valid username and a valid password this problem
can be found in different log files with different access permissions.
another problem might be caused by showing the illegal username for
the login and even if this is caused by another lame written software
the problem is real (remind human imperfection):
the username could contain characters that might be interpreted wrong
from other software. example from log file (caused by sshd again):
Feb 2 10:20:28 hostname sshd[7419]: Failed keyboard-interactive/pam for invalid user d'a<d>;(m)l from ...
just note the characters:
<> XSS, html injection?
';() SQL injection?
'; shell commands?
just keep in mind that this behavior can be also found in other
applications. so why not prevent it?!
prevention:
illegal users don't need to be shown in the log files. most servers
only print a "UNKNOWN USER" in their log file and in my opinion this
makes a lot of sense.
thanks for your time and always keep watching your log files! ;)
l0om - http://www.excluded.org
greets to detach, murfie, theldens, maximilian, johnny, Dr.Dohmen,
mattball, molke