On Mon, Nov 27, 2006 at 03:59:37PM -0500, gabriel rosenkoetter wrote:
> Uh... actually, no. The provided exploit Will work, and you're the
> idiot.
Begging your pardon, you are saved by single-quoting your awk(1)
statement:
> > awk '/error retrieving/{getline;print $13}' /var/log/secure|sort -ru >>
> > /tmp/hosts.deny
[...]
> What will be in column 13 when Tavis does this:
>
> > Tavis Ormandy wrote:
> > >ssh 'foo bar `/sbin/halt`'@victim
[...]
> Why, the shelled-out output of `/sbin/halt`!
Nope, I'm wrong, just the literal string "`/sbin/halt`", which you
never exec.
Mea culpa. Tavis's exploit doesn't so scary things, although he's
right you should really be doing a bit more sanitization of (evil)
user-supplied input, given that you're (insisting that you) run as
root.
On Mon, Nov 27, 2006 at 04:12:11PM -0500, J. Oquendo wrote:
> Look at the script. Although YOU'RE opening /var/log/authlog what is the
> script opening. Please tell me you're really not that stupid.
Actually, your BSD version DOES open /var/log/authlog (which will
fail on FreeBSD, btw, where it's /var/log/auth.log), so you should
probably stop casting stones and quit while you're ahead with my
explanation above of why Tavis's exploit is a non-starter.
But since we're on the topic... wouldn't it be a better plan to
check the local syslog.conf for the location of the auth failure
log messages rather than hard code it?
--
gabriel rosenkoetter
gr@xxxxxxxxxxxx
Attachment:
pgph4AaVpOiWw.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/