Tavis Ormandy wrote:
On Mon, Nov 27, 2006 at 04:21:19PM -0500, gabriel rosenkoetter wrote:Mea culpa. Tavis's exploit doesn't so scary things, although he's right you should really be doing a bit more sanitization of (evil) user-supplied input, given that you're (insisting that you) run as root.Gabriel, I was referring to this line: awk '!/#/ && /\./ && !a[$0]++ {print "iptables -A INPUT -s "$1" -i eth0 -d '$ifaddr' -p TCP --dport 22 -j REJECT"}' /etc/hosts.deny |\ awk '/iptables/ && !/#/ && !/-s -i/'|sh (note the |sh), $1 can be controlled by specially crafted attempted logins. Thanks, Tavis.
That specially crafted attempt would be a HUGE raping of TCP/IP. How do you supposed it would be possible for someone to insert 0wn3ed or any other variable outside of an IP address?
-- ==================================================== J. Oquendo http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743sil . infiltrated @ net http://www.infiltrated.net
The happiness of society is the end of government. John Adams
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/