lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 27 Nov 2006 21:21:38 +0000
From: Tavis Ormandy <taviso@...too.org>
To: "J. Oquendo" <sil@...iltrated.net>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: SSH brute force blocking tool

On Mon, Nov 27, 2006 at 04:12:11PM -0500, J. Oquendo wrote:
> So again dumbass...
> 
> Look at the script. Although YOU'RE opening /var/log/authlog what is the 
> script opening. 

I'm opening authlog as I dont use secure, the same thing applies.

> Please tell me you're really not that stupid. And if 
> someone else decided to modify this script, what does that have to do 
> with what I posted. How exactly is my script a backdoor as you claim. 

It's a backdoor because your script doesnt account for out-of-order log
entries, usernames or other data containing spaces thus making your
field count incorrect, or other daemons using the string `error
retrieving` in their log entries.

The insecure temporary file creation allows a local user to add entries
to the passwd file (for example), or create or modify any file as root.
Although it doesnt directly allow them to control the data the fileis
created with, combined with the other flaw this is possible. Even
without the other flaw, the existence of some files is a problem, such
as /etc/.nologin.

the test -e and rm is insufficient, firstly as it's a race condition,
and secondly as test -e will return 1 on broken (sometimes called
dangling) symlinks.

> Enquiring minds want to know this since you claim its a backdoor. Please 
> tell me outside of your modification how this is going to backdoor someone.

I'm not sure what you mean by modification, I simply subsituted the name
for the logfile I use.

Thanks, Tavis.

-- 
-------------------------------------
taviso@....lonestar.org | finger me for my pgp key.
-------------------------------------------------------

Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ