Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SSH brute force blocking tool

From: Tavis Ormandy <taviso () gentoo org>
Date: Mon, 27 Nov 2006 22:04:49 +0000
On Mon, Nov 27, 2006 at 04:55:46PM -0500, J. Oquendo wrote:

No it can't. Even if it was rm -rf someone placed in, did you not notice 
my grep statement? Only print items with a decimal. At no given point 
anywhere on the 13th column whether its Solaris, NetBSD, FreeBSD, would 
there be an option for someone to craft anything...


J, I realise this is a difficult issue to grasp, but stick with it. 

Let's say that a ficticious log entry looks like this:

DATE ERROR USERNAME ADDRESS PORT

And let's say you're trying to print column 4 to get the address.

Here's an example:

Monday INVALID foobar 123.123.123.123 1024

You print $4 and get 123.123.123.123, excellent. Now lets try logging in
as "foo bar".

Monday INVALID foo bar 123.123.123.123 1024

Whats in $4 now? That's right, attacker controlled data.


I'll give you addresses if you'd like to take a shot at it.


Sure, send them to the list, there are bound to be some takers.

Thanks, Tavis.

-- 
-------------------------------------
taviso () sdf lonestar org | finger me for my pgp key.
-------------------------------------------------------

Attachment: _bin
Description: 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: