| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20061127220449.GE9959@sdf.lonestar.org>
Date: Mon, 27 Nov 2006 22:04:49 +0000
From: Tavis Ormandy <taviso@...too.org>
To: "J. Oquendo" <sil@...iltrated.net>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: SSH brute force blocking tool
On Mon, Nov 27, 2006 at 04:55:46PM -0500, J. Oquendo wrote:
> No it can't. Even if it was rm -rf someone placed in, did you not notice
> my grep statement? Only print items with a decimal. At no given point
> anywhere on the 13th column whether its Solaris, NetBSD, FreeBSD, would
> there be an option for someone to craft anything...
J, I realise this is a difficult issue to grasp, but stick with it.
Let's say that a ficticious log entry looks like this:
DATE ERROR USERNAME ADDRESS PORT
And let's say you're trying to print column 4 to get the address.
Here's an example:
Monday INVALID foobar 123.123.123.123 1024
You print $4 and get 123.123.123.123, excellent. Now lets try logging in
as "foo bar".
Monday INVALID foo bar 123.123.123.123 1024
Whats in $4 now? That's right, attacker controlled data.
> I'll give you addresses if you'd like to take a shot at it.
Sure, send them to the list, there are bound to be some takers.
Thanks, Tavis.
--
-------------------------------------
taviso@....lonestar.org | finger me for my pgp key.
-------------------------------------------------------
Content of type "application/pgp-signature" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists