Dan S wrote:
> Thank you for your reply, and an interesting point. 
> 
> I verified that an entry with backticks in the ipmon
> log file doesn't execute by echoing a line:
> 
> 17/06/2005 09:16:42.519563 fxp0 @0:48 b 81.`touch
> /hi`.120.46,1364 -> 216.34.`touch /bye`.168,139 PR tcp
> len 20 48 -S 2163595220 0 65535 IN

You need the quote characters. Try

17/06/2005 09:16:42.519563 fxp0 @0:48 b 81."`touch /hi`".120.46,1364 ->
216.34.`touch /bye`.168,139 PR tcp len 20 48 -S 2163595220 0 65535 IN

Also, you'll need to have the email param set, obviously.

> Just to make sure, I'll include the -T switch with the

-T doesn't help since you're already untainting .*.

> interpreter, and add a line:
> 
> $line_orig =~ s/\`//g; just after it reads in the
> line.

Backquotes are just one way to inject commands. Someone might use ||,
&&, ;, |, or a number of other techniques.

The correct way to form commands from untrusted input is to limit what
you accept, rather than try to eliminate what you don't accept. If
you're expecting an IP address, match it with
\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.

> Sentrytools is an interesting project. The concept of
> the MOAN project is to provide a small base Perl
> script, rather than C, for people who want a port scan
> detection function, or to be able to easily branch off
> and write functions for other network events using
> Perl. 

I don't want to dull your enthusiasm, but if you're going to write code
that runs on a firewall, you have to be very careful that you don't
weaken the firewall by introducing a vector for remote compromise. I
strongly suggest that you do some serious research on the basics of
secure coding before you release any more code.

-- 
Jefferson Ogata <[EMAIL PROTECTED]>
NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>

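The three approaches discussed in this thread side by side, as an added example that is neither MOAN code nor code posted by either participant. It parses constructed ipmon-style lines (the clean one and the backquote payload from the thread, plus a third line using ";" that I added to show the point about other metacharacters), and assumes the script's notification command is "mail". Commands are built and printed rather than executed, so it runs offline; the real call would be the list-form system() shown in the comment.

```perl
#!/usr/bin/perl
# Added example, not MOAN's code: allowlisting an address versus
# stripping backquotes before an ipmon log field reaches a shell.
use strict;
use warnings;

# Constructed ipmon-style log lines: a normal one, the backquote payload
# from the thread, and a ";" variant that backquote stripping cannot catch.
my @log_lines = (
    '17/06/2005 09:16:42.519563 fxp0 @0:48 b 81.2.120.46,1364 -> 216.34.5.168,139 PR tcp len 20 48 -S 2163595220 0 65535 IN',
    '17/06/2005 09:16:42.519563 fxp0 @0:48 b 81."`touch /hi`".120.46,1364 -> 216.34.`touch /bye`.168,139 PR tcp len 20 48 -S 2163595220 0 65535 IN',
    '17/06/2005 09:16:43.000000 fxp0 @0:48 b 81.2.120.46; touch /owned,1364 -> 216.34.5.168,139 PR tcp len 20 48 -S 2163595221 0 65535 IN',
);

# Pull the "src,sport -> dst,dport" fields. Whatever sits in the address
# position is captured, so the result is exactly as trusted as the log.
sub fields {
    my ($line) = @_;
    my ($src, $sport, $dst, $dport) =
        $line =~ /^\S+ \S+ \S+ \@\S+ \S+ (.+?),(\d+) -> (.+?),(\d+) PR /
        or return;
    return ($src, $sport, $dst, $dport);
}

# 1. What the script in the thread effectively does: launder taint with
#    /(.*)/ (which checks nothing) and hand a string to /bin/sh.
sub shell_command_unsafe {
    my ($src) = @_;
    my ($untainted) = $src =~ /(.*)/;
    return qq{mail -s "portscan from $untainted" root};
}

# 2. The proposed fix: delete backquotes. ";", "|", "&&", "||" and
#    "$(...)" all pass straight through to the shell.
sub shell_command_stripped {
    my ($src) = @_;
    (my $cleaned = $src) =~ s/\`//g;
    return qq{mail -s "portscan from $cleaned" root};
}

# 3. Accept only something shaped like an IPv4 address and reject the
#    rest: the anchored form of the pattern from the reply, with [0-9]
#    rather than \d so Unicode digits cannot slip in, plus a range check.
sub ipv4_or_undef {
    my ($s) = @_;
    my ($ip) = $s =~ /^([0-9]{1,3}(?:\.[0-9]{1,3}){3})$/ or return undef;
    for my $octet (split /\./, $ip) {
        return undef if $octet > 255;
    }
    return $ip;    # capture group: untainted, and known to be harmless
}

# Build argv for list-form system(): no shell ever parses these strings.
sub argv_safe {
    my ($src) = @_;
    my $ip = ipv4_or_undef($src);
    defined $ip or return;    # caller should log and drop the line
    return ('mail', '-s', "portscan from $ip", 'root');
}

for my $line (@log_lines) {
    my ($src) = fields($line) or next;
    print "src field   : $src\n";
    print "unsafe      : ", shell_command_unsafe($src), "\n";
    print "stripped    : ", shell_command_stripped($src), "\n";
    my @argv = argv_safe($src);
    print "allowlisted : ",
        (@argv ? join(' ', map { "[$_]" } @argv) : 'REJECTED'), "\n\n";
    # Real use: system(@argv) == 0 or warn "mail failed: $?";
}
```

Run it with plain perl; the first line produces a command under all three approaches, the second and third are only caught by the allowlist. Adding -T would not change the first two cases: a successful match against /(.*)/ untaints its capture, which is exactly why the reply says -T does not help once the script untaints with .*.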