OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Re: [Full-disclosure] SSH brute force blocking tool

From: Tavis Ormandy (tavisogentoo.org)
Date: Mon Nov 27 2006 - 16:04:49 CST


On Mon, Nov 27, 2006 at 04:55:46PM -0500, J. Oquendo wrote:
> No it can't. Even if it was rm -rf someone placed in, did you not notice
> my grep statement? Only print items with a decimal. At no given point
> anywhere on the 13th column whether its Solaris, NetBSD, FreeBSD, would
> there be an option for someone to craft anything...

J, I realise this is a difficult issue to grasp, but stick with it.

Let's say that a ficticious log entry looks like this:

DATE ERROR USERNAME ADDRESS PORT

And let's say you're trying to print column 4 to get the address.

Here's an example:

Monday INVALID foobar 123.123.123.123 1024

You print $4 and get 123.123.123.123, excellent. Now lets try logging in
as "foo bar".

Monday INVALID foo bar 123.123.123.123 1024

Whats in $4 now? That's right, attacker controlled data.

> I'll give you addresses if you'd like to take a shot at it.

Sure, send them to the list, there are bound to be some takers.

Thanks, Tavis.

--
-------------------------------------
tavisosdf.lonestar.org | finger me for my pgp key.
-------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Comment: finger me for my pgp key

iQBVAwUBRWthAdommWwmkP1xAQE2qgH/eVbVspKiZnsjC27M7YeTudTa5XAOj4Gl
sKmn20wa/o8+9e2L1MeXetlnuMpJ/vHexypz6wARx6SlP85fkjG6EQ==
=aD5q
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/