From: Mr. M. <che...@gm...> - 2009-08-12 20:09:15
Hi,

when testing if command injection is possible with that failure (something like 'ssh "<USER>; touch 0wned"@<SERVER>') using sshguard 1.1 I recognized that including the ',' symbol into username breaks proper detection of failed logins.

##################
# Test command
##################
root@router-bl:~# ssh "test; touch 0wned"@server
test; touch 0w...@sr...'s password:
Permission denied, please try again.
test; touch 0w...@sr...'s password:
Permission denied, please try again.
test; touch 0w...@sr...'s password:
Permission denied (publickey,password).
root@router-bl:~#

##################
# /var/log/messages
##################
Aug 12 21:56:31 srv01 sshd[14820]: Invalid user test; touch 0wned from 91.49.124.232
Aug 12 21:56:31 srv01 sshd[14820]: Failed none for invalid user test; touch 0wned from 91.49.124.232 port 2100 ssh2
Aug 12 21:56:32 srv01 sshd[14820]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2100 ssh2
Aug 12 21:56:33 srv01 sshd[14820]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2100 ssh2
Aug 12 21:56:33 srv01 sshd[14820]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2100 ssh2
Aug 12 21:56:43 srv01 sshd[14822]: Invalid user test; touch 0wned from 91.49.124.232
Aug 12 21:56:43 srv01 sshd[14822]: Failed none for invalid user test; touch 0wned from 91.49.124.232 port 2101 ssh2
Aug 12 21:56:44 srv01 sshd[14822]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2101 ssh2
Aug 12 21:56:45 srv01 sshd[14822]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2101 ssh2
Aug 12 21:56:45 srv01 sshd[14822]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2101 ssh2
Aug 12 21:56:54 srv01 sshd[14824]: Invalid user test; touch 0wned from 91.49.124.232
Aug 12 21:56:54 srv01 sshd[14824]: Failed none for invalid user test; touch 0wned from 91.49.124.232 port 2102 ssh2
Aug 12 21:57:15 srv01 sshd[14824]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2102 ssh2
Aug 12 21:57:16 srv01 sshd[14824]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2102 ssh2
Aug 12 21:57:17 srv01 sshd[14824]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2102 ssh2

But iptables sshguard chain remains empty:

##################
# iptables chain
##################
/var/log$ sudo iptables -L sshguard -nv
Chain sshguard (1 references)
 pkts bytes target prot opt in out source destination

Regards,
Mystify

On Tue, 2009-08-04 at 16:17 +0200, Mij wrote:
> Hello Jochem,
>
> what SSHGuard version are you using?
>
>
> On Aug 2, 2009, at 22:06 , Jochem Oosterveen wrote:
>
> > Hi there,
> >
> > I would like to submit a bug report.
> >
> > jochem@office:~$ ssh "test from 123.123.123.123"@melon.internex.nl
> > Password:
> > Password:
> > Password:
> > Permission denied (publickey,keyboard-interactive).
> > jochem@office:~$
> >
> > Aug 2 21:57:59 melon sshd[11103]: Invalid user test from
> > 123.123.123.123 from 217.149.194.146
> > Aug 2 21:57:59 melon sshd[11103]: error: PAM: authentication error
> > for illegal user test from 123.123.123.123 from office.aivd.net
> > Aug 2 21:57:59 melon sshd[11103]: Failed keyboard-interactive/pam for
> > invalid user test from 123.123.123.123 from 217.149.194.146 port 38367
> > ssh2
> > Aug 2 21:58:00 melon sshd[11103]: error: PAM: authentication error
> > for illegal user test from 123.123.123.123 from office.aivd.net
> > Aug 2 21:58:00 melon sshd[11103]: Failed keyboard-interactive/pam for
> > invalid user test from 123.123.123.123 from 217.149.194.146 port 38367
> > ssh2
> > Aug 2 21:58:00 melon sshd[11103]: error: PAM: authentication error
> > for illegal user test from 123.123.123.123 from office.aivd.net
> > Aug 2 21:58:00 melon sshd[11103]: Failed keyboard-interactive/pam for
> > invalid user test from 123.123.123.123 from 217.149.194.146 port 38367
> > ssh2
> > Aug 2 21:58:01 melon sshd[11108]: Invalid user test from
> > 123.123.123.123 from 217.149.194.146
> > Aug 2 21:58:01 melon sshguard[11056]: Blocking 123.123.123.123: 4
> > failures over 8 seconds.
> >
> > melon# pfctl -t sshguard -T show
> > No ALTQ support in kernel
> > ALTQ related functions disabled
> > 123.123.123.123
> > melon#
> >
> > Obviously, sshguard is blocking the wrong IP.
> >
> > Kind regards,
> > Jochem Oosterveen
> >
> > _______________________________________________
> > Sshguard-users mailing list
> > Ssh...@li...
> > https://lists.sourceforge.net/lists/listinfo/sshguard-users
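
Added example, not part of the original thread and not sshguard's own parser: a log matcher that treats the sshd user field as untrusted and reads the peer address from the end of the line, run over lines copied from the two reports above. The first-match function is only a stand-in for a parser that trusts the user field; all function names and the regular expressions are assumptions of this example.

```python
import ipaddress
import re

# Syslog header and sshd tag; everything after it is the message body.
PREFIX = r"^\w{3} +\d+ [\d:]{8} \S+ sshd\[\d+\]: "
# The user field is whatever the client sent, so it is consumed greedily and
# the address is taken from the tail of the line, which sshd writes itself.
TAIL_ANCHORED = [
    re.compile(PREFIX + r"Invalid user .* from (\S+)$"),
    re.compile(PREFIX + r"Failed \S+ for (?:invalid user )?.* from (\S+) port \d+ ssh2$"),
]
# Stand-in for a parser that trusts the user field: first "from <ipv4>" wins.
FIRST_MATCH = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")

def naive_source(line):
    m = FIRST_MATCH.search(line)
    return m.group(1) if m else None

def anchored_source(line):
    """Return the peer address sshd logged, or None if the line is not a failure."""
    for pattern in TAIL_ANCHORED:
        m = pattern.match(line.rstrip())
        if m:
            try:
                return str(ipaddress.ip_address(m.group(1)))
            except ValueError:
                return None  # hostname or junk in the address slot: do not block on it
    return None

def offenders(lines, threshold=4):
    """Addresses with at least `threshold` failure lines."""
    counts = {}
    for line in lines:
        addr = anchored_source(line)
        if addr:
            counts[addr] = counts.get(addr, 0) + 1
    return sorted(a for a, n in counts.items() if n >= threshold)

# Log lines copied from the two reports in this thread.
SAMPLE = [
    "Aug 2 21:57:59 melon sshd[11103]: Invalid user test from 123.123.123.123 from 217.149.194.146",
    "Aug 2 21:57:59 melon sshd[11103]: error: PAM: authentication error for illegal user test from 123.123.123.123 from office.aivd.net",
    "Aug 2 21:57:59 melon sshd[11103]: Failed keyboard-interactive/pam for invalid user test from 123.123.123.123 from 217.149.194.146 port 38367 ssh2",
    "Aug 12 21:56:31 srv01 sshd[14820]: Failed none for invalid user test; touch 0wned from 91.49.124.232 port 2100 ssh2",
    "Aug 12 21:56:32 srv01 sshd[14820]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2100 ssh2",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(naive_source(line), anchored_source(line))
    print(offenders(SAMPLE, threshold=2))
```

The default threshold of 4 mirrors the "4 failures over 8 seconds" message in the quoted log; the time window itself is not modelled here.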