Re: SSH brute force blocking tool

[Tavis Ormandy <taviso () gentoo org>]

On Mon, Nov 27, 2006 at 04:12:11PM -0500, J. Oquendo wrote:
> So again dumbass...
>
> Look at the script. Although YOU'RE opening /var/log/authlog what is the 
> script opening. 

I'm opening authlog as I dont use secure, the same thing applies.

> Please tell me you're really not that stupid. And if 
> someone else decided to modify this script, what does that have to do 
> with what I posted. How exactly is my script a backdoor as you claim. 

It's a backdoor because your script doesnt account for out-of-order log
entries, usernames or other data containing spaces thus making your
field count incorrect, or other daemons using the string `error
retrieving` in their log entries.

The insecure temporary file creation allows a local user to add entries
to the passwd file (for example), or create or modify any file as root.
Although it doesnt directly allow them to control the data the fileis
created with, combined with the other flaw this is possible. Even
without the other flaw, the existence of some files is a problem, such
as /etc/.nologin.

the test -e and rm is insufficient, firstly as it's a race condition,
and secondly as test -e will return 1 on broken (sometimes called
dangling) symlinks.

> Enquiring minds want to know this since you claim its a backdoor. Please 
> tell me outside of your modification how this is going to backdoor someone.

I'm not sure what you mean by modification, I simply subsituted the name
for the logfile I use.

Thanks, Tavis.

-- 
-------------------------------------
taviso () sdf lonestar org | finger me for my pgp key.
-------------------------------------------------------

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/