Re: [Full-disclosure] SSH brute force blocking tool

On Mon, Nov 27, 2006 at 04:27:24PM -0500, J. Oquendo wrote:
So for the third time now. Explain to me how I am backdooring someone's
system.

[root@localhost include]# uname -a
Linux int-mrkt 2.6.18-1.2200.fc5 #1 Sat Oct 14 16:59:26 EDT 2006 i686
i686 i386 GNU/Linux
[root@localhost include]# awk '/error retrieving/{getline;print $13}'
/var/log/secure|sort -ru
222.171.20.252
211.137.74.58

My logs parse out addresses not named and there is no redirection going
on. If you want to say "Hey... It should be written as such" then gladly
do so.

You are dealing with output you can't trust there. $13 could be
anything, including "\n`rm -rf /`". Later on, you pass $13,
unstripped of newlines, backticks, or any number of other special
character to a shell running as uid 0. That shell will proceed to
execute whatever we would like it to, where "we" are "the remote
attacker who doesn't even have an account".

I don't believe the suggestion was ever that you had malicious
intent, but rather that you have very horrible coding security
habits.

I'm disinclined to sort out which of your machines I can get root on
right now because you are running this script, but I would expect
that someone reading this mailing list is already on the way and
would strongly advise that you disable those cron jobs.

--
gabriel rosenkoetter
gr@xxxxxxxxxxxx

Attachment: pgpRSVctz4nlg.pgp
Description: PGP signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/