Full Disclosure mailing list archives
Re: SSH brute force blocking tool
From: gabriel rosenkoetter <gr () eclipsed net>
Date: Mon, 27 Nov 2006 16:21:19 -0500
On Mon, Nov 27, 2006 at 03:59:37PM -0500, gabriel rosenkoetter wrote:
Uh... actually, no. The provided exploit Will work, and you're the idiot.
Begging your pardon, you are saved by single-quoting your awk(1) statement:
awk '/error retrieving/{getline;print $13}' /var/log/secure|sort -ru >> /tmp/hosts.deny
[...]
What will be in column 13 when Tavis does this:Tavis Ormandy wrote:ssh 'foo bar `/sbin/halt`'@victim
[...]
Why, the shelled-out output of `/sbin/halt`!
Nope, I'm wrong, just the literal string "`/sbin/halt`", which you never exec. Mea culpa. Tavis's exploit doesn't so scary things, although he's right you should really be doing a bit more sanitization of (evil) user-supplied input, given that you're (insisting that you) run as root. On Mon, Nov 27, 2006 at 04:12:11PM -0500, J. Oquendo wrote:
Look at the script. Although YOU'RE opening /var/log/authlog what is the script opening. Please tell me you're really not that stupid.
Actually, your BSD version DOES open /var/log/authlog (which will fail on FreeBSD, btw, where it's /var/log/auth.log), so you should probably stop casting stones and quit while you're ahead with my explanation above of why Tavis's exploit is a non-starter. But since we're on the topic... wouldn't it be a better plan to check the local syslog.conf for the location of the auth failure log messages rather than hard code it? -- gabriel rosenkoetter gr () eclipsed net
Attachment:
_bin
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: SSH brute force blocking tool, (continued)
- Re: SSH brute force blocking tool J. Oquendo (Nov 27)
- Re: SSH brute force blocking tool Tavis Ormandy (Nov 27)
- Re: SSH brute force blocking tool J. Oquendo (Nov 27)
- Re: SSH brute force blocking tool Tavis Ormandy (Nov 27)
- Re: SSH brute force blocking tool gabriel rosenkoetter (Nov 27)
- Re: SSH brute force blocking tool J. Oquendo (Nov 27)
- Re: SSH brute force blocking tool Tavis Ormandy (Nov 27)
- Re: SSH brute force blocking tool gabriel rosenkoetter (Nov 27)
- Re: SSH brute force blocking tool J. Oquendo (Nov 27)
- Re: SSH brute force blocking tool J. Oquendo (Nov 27)
- Re: SSH brute force blocking tool gabriel rosenkoetter (Nov 27)
- Re: SSH brute force blocking tool Tavis Ormandy (Nov 27)
- Re: SSH brute force blocking tool gabriel rosenkoetter (Nov 27)
- Re: SSH brute force blocking tool Michael Holstein (Nov 27)
- Re: SSH brute force blocking tool Joshua D. Abraham (Nov 27)
- Re: SSH brute force blocking tool J. Oquendo (Nov 27)
- Re: SSH brute force blocking tool gabriel rosenkoetter (Nov 27)
- Re: SSH brute force blocking tool J. Oquendo (Nov 27)
- Re: SSH brute force blocking tool Michael Holstein (Nov 27)
- Re: SSH brute force blocking tool J. Oquendo (Nov 27)
- Re: SSH brute force blocking tool Tonnerre Lombard (Nov 28)