[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Pine.BSO.4.64.0602070921550.11095@fuyu.mindrot.org>
Date: Tue, 7 Feb 2006 09:47:24 +1100 (EST)
From: Damien Miller <djm@...drot.org>
To: innate@....de
Cc: bugtraq@...urityfocus.com
Subject: Re: cleartext passwords get into log files
On Fri, 3 Feb 2006, innate@....de wrote:
> the cleartext password came into the log file because someone
> has been out of concentration and entered the password instead of
> the username in some client for connecting to a ssh server.
Seeing what accounts people are trying to log into is also important.
I'm sure that most administrators would be interested in seeing, for
example, login attempts on a deleted ex-staff member's account.
> another problem might be cause by showing the illegal username for
> the login and even if this is caused by another lame written software
> the problem is real (remind human unperfection):
>
> the username could contain characters that might be interpreted wrong
> from other software. example from log file (caused by sshd again):
>
> Feb 2 10:20:28 hostname sshd[7419]: Failed keyboard-interactive/pam for invalid user d'a<d>;(m)l from ...
>
> just note the characters:
> <> XXS, html injeciton?
> ';() SQL injection?
> '; shell commands?
OpenSSH tries to be idiot proof against stupid syslogds by stripping
control characters from log strings, but you can always invent a
bigger (hypothetical) idiot.
If your log processing software is so fundamentally broken that it
passes unmodified data to shells, SQL servers or HTML then nothing is
going save you - you will need to ensure that every piece of software
that logs can never be cajoled into writing something that could be
misinterpreted.
> prevention:
> illegal users dont need to be shown in the log files. most servers
> only print a "UNKNOWN USER" in their log file and in my opinion this
> makes a lot of sense.
This destroys useful information and lessens the evidentary value of
the log file. A better prevention:
chmod 0600 /var/log/authlog
(assuming it isn't already).
-d
Powered by blists - more mailing lists