lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <456B5EE2.5080605@infiltrated.net>
Date: Mon, 27 Nov 2006 16:55:46 -0500
From: "J. Oquendo" <sil@...iltrated.net>
To: "J. Oquendo" <sil@...iltrated.net>, Tavis Ormandy <taviso@...too.org>, 
	full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: SSH brute force blocking tool

gabriel rosenkoetter wrote:
> You are dealing with output you can't trust there. $13 could be
> anything, including "\n`rm -rf /`". Later on, you pass $13,
> unstripped of newlines, backticks, or any number of other special
> character to a shell running as uid 0. That shell will proceed to
> execute whatever we would like it to, where "we" are "the remote
> attacker who doesn't even have an account".
>
>   
No it can't. Even if it was rm -rf someone placed in, did you not notice 
my grep statement? Only print items with a decimal. At no given point 
anywhere on the 13th column whether its Solaris, NetBSD, FreeBSD, would 
there be an option for someone to craft anything...

FreeBSD
-bash2-2.05b$ uname -a
FreeBSD ethos.disgraced.org 5.4-RELEASE-p14 FreeBSD 5.4-RELEASE-p14 #1: 
Thu May 11 01:34:54 CDT 2006     
sil@...graced.org:/usr/obj/usr/src/sys/ETHOS  i386
-bash2-2.05b$ sudo awk '{print $13}' /var/log/auth.log|sort -ru
57354
57340
57335
56253
55125
49211
40334
37188
3508
33875
33635
33454
32798
3137
2895
2638
2408
2301
2114
-

OpenBSD
# uname -a
OpenBSD hades.disgraced.org 4.0 GENERIC#1 i386
# awk '{print $13}' /var/log/authlog|grep "\."|sort -ru
63.243.158.221
61.129.85.230
220.132.113.163
219.149.211.49
213.195.75.41
206.210.96.56

> I don't believe the suggestion was ever that you had malicious
> intent, but rather that you have very horrible coding security
> habits.
>
>   
This should have been stated to the list as opposed to "You're 
backdooring people"

> I'm disinclined to sort out which of your machines I can get root on
> right now because you are running this script, but I would expect
> that someone reading this mailing list is already on the way and
> would strongly advise that you disable those cron jobs.
>   
I'll give you addresses if you'd like to take a shot at it.


-- 
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 

The happiness of society is the end of government.
John Adams


Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (5157 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ