| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 27 Nov 2006 16:55:46 -0500
From: "J. Oquendo" <sil@...iltrated.net>
To: "J. Oquendo" <sil@...iltrated.net>, Tavis Ormandy <taviso@...too.org>,
full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: SSH brute force blocking tool
gabriel rosenkoetter wrote:
> You are dealing with output you can't trust there. $13 could be
> anything, including "\n`rm -rf /`". Later on, you pass $13,
> unstripped of newlines, backticks, or any number of other special
> character to a shell running as uid 0. That shell will proceed to
> execute whatever we would like it to, where "we" are "the remote
> attacker who doesn't even have an account".
>
>
No it can't. Even if it was rm -rf someone placed in, did you not notice
my grep statement? Only print items with a decimal. At no given point
anywhere on the 13th column whether its Solaris, NetBSD, FreeBSD, would
there be an option for someone to craft anything...
FreeBSD
-bash2-2.05b$ uname -a
FreeBSD ethos.disgraced.org 5.4-RELEASE-p14 FreeBSD 5.4-RELEASE-p14 #1:
Thu May 11 01:34:54 CDT 2006
sil@...graced.org:/usr/obj/usr/src/sys/ETHOS i386
-bash2-2.05b$ sudo awk '{print $13}' /var/log/auth.log|sort -ru
57354
57340
57335
56253
55125
49211
40334
37188
3508
33875
33635
33454
32798
3137
2895
2638
2408
2301
2114
-
OpenBSD
# uname -a
OpenBSD hades.disgraced.org 4.0 GENERIC#1 i386
# awk '{print $13}' /var/log/authlog|grep "\."|sort -ru
63.243.158.221
61.129.85.230
220.132.113.163
219.149.211.49
213.195.75.41
206.210.96.56
> I don't believe the suggestion was ever that you had malicious
> intent, but rather that you have very horrible coding security
> habits.
>
>
This should have been stated to the list as opposed to "You're
backdooring people"
> I'm disinclined to sort out which of your machines I can get root on
> right now because you are running this script, but I would expect
> that someone reading this mailing list is already on the way and
> would strongly advise that you disable those cron jobs.
>
I'll give you addresses if you'd like to take a shot at it.
--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net
The happiness of society is the end of government.
John Adams
Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (5157 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists