Full Disclosure mailing list archives
Re: SSH brute force blocking tool
From: gabriel rosenkoetter <gr () eclipsed net>
Date: Mon, 27 Nov 2006 16:40:31 -0500
On Mon, Nov 27, 2006 at 04:27:24PM -0500, J. Oquendo wrote:
So for the third time now. Explain to me how I am backdooring someone's system. [root@localhost include]# uname -a Linux int-mrkt 2.6.18-1.2200.fc5 #1 Sat Oct 14 16:59:26 EDT 2006 i686 i686 i386 GNU/Linux [root@localhost include]# awk '/error retrieving/{getline;print $13}' /var/log/secure|sort -ru 222.171.20.252 211.137.74.58 My logs parse out addresses not named and there is no redirection going on. If you want to say "Hey... It should be written as such" then gladly do so.
You are dealing with output you can't trust there. $13 could be anything, including "\n`rm -rf /`". Later on, you pass $13, unstripped of newlines, backticks, or any number of other special character to a shell running as uid 0. That shell will proceed to execute whatever we would like it to, where "we" are "the remote attacker who doesn't even have an account". I don't believe the suggestion was ever that you had malicious intent, but rather that you have very horrible coding security habits. I'm disinclined to sort out which of your machines I can get root on right now because you are running this script, but I would expect that someone reading this mailing list is already on the way and would strongly advise that you disable those cron jobs. -- gabriel rosenkoetter gr () eclipsed net
Attachment:
_bin
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- SSH brute force blocking tool J. Oquendo (Nov 27)
- Re: SSH brute force blocking tool Tavis Ormandy (Nov 27)
- Re: SSH brute force blocking tool J. Oquendo (Nov 27)
- Re: SSH brute force blocking tool Tavis Ormandy (Nov 27)
- Re: SSH brute force blocking tool J. Oquendo (Nov 27)
- Re: SSH brute force blocking tool Tavis Ormandy (Nov 27)
- Re: SSH brute force blocking tool J. Oquendo (Nov 27)
- Re: SSH brute force blocking tool Tavis Ormandy (Nov 27)
- Re: SSH brute force blocking tool gabriel rosenkoetter (Nov 27)
- Re: SSH brute force blocking tool J. Oquendo (Nov 27)
- Re: SSH brute force blocking tool Tavis Ormandy (Nov 27)
- Re: SSH brute force blocking tool J. Oquendo (Nov 27)
- Re: SSH brute force blocking tool Tavis Ormandy (Nov 27)
- Re: SSH brute force blocking tool gabriel rosenkoetter (Nov 27)
- Re: SSH brute force blocking tool J. Oquendo (Nov 27)
- Re: SSH brute force blocking tool J. Oquendo (Nov 27)
- Re: SSH brute force blocking tool gabriel rosenkoetter (Nov 27)
- Re: SSH brute force blocking tool Tavis Ormandy (Nov 27)
- Re: SSH brute force blocking tool gabriel rosenkoetter (Nov 27)
- Re: SSH brute force blocking tool Michael Holstein (Nov 27)
- Re: SSH brute force blocking tool Joshua D. Abraham (Nov 27)