lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20061127212119.GB1341@uriel.eclipsed.net>
Date: Mon, 27 Nov 2006 16:21:19 -0500
From: gabriel rosenkoetter <gr@...ipsed.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: SSH brute force blocking tool

On Mon, Nov 27, 2006 at 03:59:37PM -0500, gabriel rosenkoetter wrote:
> Uh... actually, no. The provided exploit Will work, and you're the
> idiot.

Begging your pardon, you are saved by single-quoting your awk(1)
statement:

> > awk '/error retrieving/{getline;print $13}' /var/log/secure|sort -ru >> 
> > /tmp/hosts.deny
[...]
> What will be in column 13 when Tavis does this:
> 
> > Tavis Ormandy wrote:
> > >ssh 'foo bar `/sbin/halt`'@...tim
[...]
> Why, the shelled-out output of `/sbin/halt`!

Nope, I'm wrong, just the literal string "`/sbin/halt`", which you
never exec.

Mea culpa. Tavis's exploit doesn't so scary things, although he's
right you should really be doing a bit more sanitization of (evil)
user-supplied input, given that you're (insisting that you) run as
root.

On Mon, Nov 27, 2006 at 04:12:11PM -0500, J. Oquendo wrote:
> Look at the script. Although YOU'RE opening /var/log/authlog what is the 
> script opening. Please tell me you're really not that stupid.

Actually, your BSD version DOES open /var/log/authlog (which will
fail on FreeBSD, btw, where it's /var/log/auth.log), so you should
probably stop casting stones and quit while you're ahead with my
explanation above of why Tavis's exploit is a non-starter.

But since we're on the topic... wouldn't it be a better plan to
check the local syslog.conf for the location of the auth failure
log messages rather than hard code it?

-- 
gabriel rosenkoetter
gr@...ipsed.net

Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ