Re: [Full-disclosure] SSH brute force blocking tool
- From: "J. Oquendo" <sil@xxxxxxxxxxxxxxx>
- Date: Mon, 27 Nov 2006 16:55:46 -0500
gabriel rosenkoetter wrote:
You are dealing with output you can't trust there. $13 could beNo it can't. Even if it was rm -rf someone placed in, did you not notice my grep statement? Only print items with a decimal. At no given point anywhere on the 13th column whether its Solaris, NetBSD, FreeBSD, would there be an option for someone to craft anything...
anything, including "\n`rm -rf /`". Later on, you pass $13,
unstripped of newlines, backticks, or any number of other special
character to a shell running as uid 0. That shell will proceed to
execute whatever we would like it to, where "we" are "the remote
attacker who doesn't even have an account".
FreeBSD
-bash2-2.05b$ uname -a
FreeBSD ethos.disgraced.org 5.4-RELEASE-p14 FreeBSD 5.4-RELEASE-p14 #1: Thu May 11 01:34:54 CDT 2006 sil@xxxxxxxxxxxxx:/usr/obj/usr/src/sys/ETHOS i386
-bash2-2.05b$ sudo awk '{print $13}' /var/log/auth.log|sort -ru
57354
57340
57335
56253
55125
49211
40334
37188
3508
33875
33635
33454
32798
3137
2895
2638
2408
2301
2114
-
OpenBSD
# uname -a
OpenBSD hades.disgraced.org 4.0 GENERIC#1 i386
# awk '{print $13}' /var/log/authlog|grep "\."|sort -ru
63.243.158.221
61.129.85.230
220.132.113.163
219.149.211.49
213.195.75.41
206.210.96.56
I don't believe the suggestion was ever that you had maliciousThis should have been stated to the list as opposed to "You're backdooring people"
intent, but rather that you have very horrible coding security
habits.
I'm disinclined to sort out which of your machines I can get root onI'll give you addresses if you'd like to take a shot at it.
right now because you are running this script, but I would expect
that someone reading this mailing list is already on the way and
would strongly advise that you disable those cron jobs.
--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net
The happiness of society is the end of government.
John Adams
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Follow-Ups:
- Re: [Full-disclosure] SSH brute force blocking tool
- From: Tavis Ormandy
- Re: [Full-disclosure] SSH brute force blocking tool
- References:
- [Full-disclosure] SSH brute force blocking tool
- From: J. Oquendo
- Re: [Full-disclosure] SSH brute force blocking tool
- From: Tavis Ormandy
- Re: [Full-disclosure] SSH brute force blocking tool
- From: J. Oquendo
- Re: [Full-disclosure] SSH brute force blocking tool
- From: Tavis Ormandy
- Re: [Full-disclosure] SSH brute force blocking tool
- From: J. Oquendo
- Re: [Full-disclosure] SSH brute force blocking tool
- From: Tavis Ormandy
- Re: [Full-disclosure] SSH brute force blocking tool
- From: J. Oquendo
- Re: [Full-disclosure] SSH brute force blocking tool
- From: gabriel rosenkoetter
- [Full-disclosure] SSH brute force blocking tool
- Prev by Date: Re: [Full-disclosure] SSH brute force blocking tool
- Next by Date: Re: [Full-disclosure] SSH brute force blocking tool
- Previous by thread: Re: [Full-disclosure] SSH brute force blocking tool
- Next by thread: Re: [Full-disclosure] SSH brute force blocking tool
- Index(es):
