|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: [Full-disclosure] SSH brute force blocking tool
From: Tavis Ormandy (taviso
gentoo.org)
Date: Mon Nov 27 2006 - 16:04:49 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Mon, Nov 27, 2006 at 04:55:46PM -0500, J. Oquendo wrote:
> No it can't. Even if it was rm -rf someone placed in, did you not notice
> my grep statement? Only print items with a decimal. At no given point
> anywhere on the 13th column whether its Solaris, NetBSD, FreeBSD, would
> there be an option for someone to craft anything...
J, I realise this is a difficult issue to grasp, but stick with it.
Let's say that a ficticious log entry looks like this:
DATE ERROR USERNAME ADDRESS PORT
And let's say you're trying to print column 4 to get the address.
Here's an example:
Monday INVALID foobar 123.123.123.123 1024
You print $4 and get 123.123.123.123, excellent. Now lets try logging in
as "foo bar".
Monday INVALID foo bar 123.123.123.123 1024
Whats in $4 now? That's right, attacker controlled data.
> I'll give you addresses if you'd like to take a shot at it.
Sure, send them to the list, there are bound to be some takers.
Thanks, Tavis.
--
-------------------------------------
tavisosdf.lonestar.org | finger me for my pgp key.
-------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Comment: finger me for my pgp key
iQBVAwUBRWthAdommWwmkP1xAQE2qgH/eVbVspKiZnsjC27M7YeTudTa5XAOj4Gl
sKmn20wa/o8+9e2L1MeXetlnuMpJ/vHexypz6wARx6SlP85fkjG6EQ==
=aD5q
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]