From: Mij <mi...@bi...> - 2009-08-18 08:48:23
Hello,

Please check out HEAD, this was fixed somewhere not long ago.
In this specific case, however, all you are risking is some log pollution.

On Aug 12, 2009, at 22:08 , Mr. Mystify wrote:

> Hi,
>
> when testing if command injection is possible with that failure
> (something like 'ssh "<USER>; touch 0wned"@<SERVER>') using sshguard
> 1.1
> I recognized that including the ',' symbol into username breaks proper
> detection of failed logins.
>
> ##################
> # Test command
> ##################
> root@router-bl:~# ssh "test; touch 0wned"@server
> test; touch 0w...@sr...'s password:
> Permission denied, please try again.
> test; touch 0w...@sr...'s password:
> Permission denied, please try again.
> test; touch 0w...@sr...'s password:
> Permission denied (publickey,password).
> root@router-bl:~#
>
>
> ##################
> # /var/log/messages
> ##################
> Aug 12 21:56:31 srv01 sshd[14820]: Invalid user test; touch 0wned
> from 91.49.124.232
> Aug 12 21:56:31 srv01 sshd[14820]: Failed none for invalid user
> test; touch 0wned from 91.49.124.232 port 2100 ssh2
> Aug 12 21:56:32 srv01 sshd[14820]: Failed password for invalid user
> test; touch 0wned from 91.49.124.232 port 2100 ssh2
> Aug 12 21:56:33 srv01 sshd[14820]: Failed password for invalid user
> test; touch 0wned from 91.49.124.232 port 2100 ssh2
> Aug 12 21:56:33 srv01 sshd[14820]: Failed password for invalid user
> test; touch 0wned from 91.49.124.232 port 2100 ssh2
> Aug 12 21:56:43 srv01 sshd[14822]: Invalid user test; touch 0wned
> from 91.49.124.232
> Aug 12 21:56:43 srv01 sshd[14822]: Failed none for invalid user
> test; touch 0wned from 91.49.124.232 port 2101 ssh2
> Aug 12 21:56:44 srv01 sshd[14822]: Failed password for invalid user
> test; touch 0wned from 91.49.124.232 port 2101 ssh2
> Aug 12 21:56:45 srv01 sshd[14822]: Failed password for invalid user
> test; touch 0wned from 91.49.124.232 port 2101 ssh2
> Aug 12 21:56:45 srv01 sshd[14822]: Failed password for invalid user
> test; touch 0wned from 91.49.124.232 port 2101 ssh2
> Aug 12 21:56:54 srv01 sshd[14824]: Invalid user test; touch 0wned
> from 91.49.124.232
> Aug 12 21:56:54 srv01 sshd[14824]: Failed none for invalid user
> test; touch 0wned from 91.49.124.232 port 2102 ssh2
> Aug 12 21:57:15 srv01 sshd[14824]: Failed password for invalid user
> test; touch 0wned from 91.49.124.232 port 2102 ssh2
> Aug 12 21:57:16 srv01 sshd[14824]: Failed password for invalid user
> test; touch 0wned from 91.49.124.232 port 2102 ssh2
> Aug 12 21:57:17 srv01 sshd[14824]: Failed password for invalid user
> test; touch 0wned from 91.49.124.232 port 2102 ssh2
>
>
> But iptables sshguard chain remains empty:
> ##################
> # iptables chain
> ##################
> /var/log$ sudo iptables -L sshguard -nv
> Chain sshguard (1 references)
> pkts bytes target prot opt in out source
> destination
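
Added example, not part of the original thread and not sshguard's own parser: a log matcher that treats the user name as a single token misses the "Failed password" lines quoted above, while one that takes the address from the fixed tail of the line still counts them. The sample log is constructed from the quoted /var/log/messages lines plus two made-up entries; the function and pattern names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: three lines modelled on the quoted log (unwrapped),
# plus two made-up entries for an ordinary user name and a successful login.
SAMPLE_LOG = """\
Aug 12 21:56:31 srv01 sshd[14820]: Invalid user test; touch 0wned from 91.49.124.232
Aug 12 21:56:31 srv01 sshd[14820]: Failed none for invalid user test; touch 0wned from 91.49.124.232 port 2100 ssh2
Aug 12 21:56:32 srv01 sshd[14820]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2100 ssh2
Aug 12 21:56:33 srv01 sshd[14820]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2100 ssh2
Aug 12 21:56:33 srv01 sshd[14820]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2100 ssh2
Aug 12 21:56:40 srv01 sshd[14830]: Failed password for invalid user bob from 192.0.2.7 port 4000 ssh2
Aug 12 21:56:41 srv01 sshd[14831]: Accepted password for alice from 192.0.2.9 port 4001 ssh2
"""

IPV4 = r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})"

# Naive pattern: assumes the user name is one whitespace-free token, so a
# name containing spaces ("test; touch 0wned") never reaches the " from " part.
NAIVE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from " + IPV4 + r" port \d+ ssh2$")

# Tolerant pattern: the user name is client-supplied free text, so match it
# greedily and read the address from the fixed tail that sshd itself writes.
TOLERANT = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from " + IPV4 + r" port \d+ ssh2$")


def count_failures(log_text, pattern):
    """Return a Counter mapping source address to failed password attempts."""
    hits = Counter()
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            hits[m.group("addr")] += 1
    return hits


def over_threshold(log_text, pattern, threshold=3):
    """Addresses with at least `threshold` failures (threshold is an assumed value)."""
    return sorted(a for a, n in count_failures(log_text, pattern).items()
                  if n >= threshold)
```

With the naive pattern the address from the quoted log never reaches the threshold, which matches the empty iptables chain reported in the message.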