On Tue, 8 Jan 2019 16:07:43 -0800, Misc User <open...@leviathanresearch.net> wrote:
> Doing some work on it the other day, I noticed it opens a pretty big
> command injection hole if pfctl doesn't kill the connection before
> the connecting source gets a chance to send data. An attacker could
> connect to the port and send the string "Ncat: Connection from
> 172.16.11.152.\ && <do things>" and whatever it uses for <do things>
> will be done by a privileged account (at least one with permissions
> to add entries to pf's tables).
>
> I tested it using a telnet client connecting to one of the arbitrary
> ports I set up. So I've been trying to figure out a better way to do
> this. There has to be, maybe something with tcpdump.
>
> I'm looking into patching ncat to have a flag where the -v option
> doesn't output packet content, and only outputs packet metadata.
> Probably also clean up what it outputs to produce a 'honeypot' mode
> or something friendly to chaining to a firewall control program.

I'm truly amazed that you just realized you enabled people to run code on your machine with a privileged user, and instead of dropping the gun, you're like "maybe if I hold it with two hands, I won't shoot myself in the foot again". People say "don't roll your own crypto" but it seems it applies to honeypot software too.
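The hole described in the quoted message comes from handing whatever ncat prints to a shell. As an added illustration that is not part of this thread or of ncat, the following Python reads ncat's verbose output line by line, accepts only a line that is exactly the connection notice (anchored regex plus an address check), and invokes pfctl with an argv list rather than a shell string, so any trailing text a connecting client sends is simply dropped. The optional `:port` suffix in the regex and the table name `honeypot_block` are assumptions.

```python
import ipaddress
import re
import subprocess

# Exact shape of the notice quoted in the post ("Ncat: Connection from 172.16.11.152.").
# The optional ":port" suffix is an assumption for ncat builds that print one.
# Anchored at both ends: anything after the final "." (e.g. "\ && ...") fails to match.
CONNECTION_RE = re.compile(
    r"^Ncat: Connection from (\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?\.$"
)


def extract_peer_ip(line):
    """Return the peer IPv4 address from one line of ncat -v output, or None
    when the line is anything other than a well-formed connection notice."""
    m = CONNECTION_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    try:
        # Rejects octets above 255 that the loose \d{1,3} pattern let through.
        return str(ipaddress.IPv4Address(m.group(1)))
    except ipaddress.AddressValueError:
        return None


def pfctl_block_argv(ip, table="honeypot_block"):
    """argv for adding the address to a pf table. A list, never a shell string,
    so no character in the address is interpreted by a shell."""
    return ["pfctl", "-t", table, "-T", "add", ip]


def handle_line(line, run=subprocess.run):
    """Process one line of ncat output. Returns the argv that was executed, or
    None when the line was ignored. `run` is injectable so the logic can be
    exercised on a machine without pfctl."""
    ip = extract_peer_ip(line)
    if ip is None:
        return None  # client payload bytes, injection attempts, noise: all dropped
    argv = pfctl_block_argv(ip)
    run(argv, check=True)  # no shell=True: argv goes straight to exec
    return argv


if __name__ == "__main__":
    import sys
    # ncat -v prints connection notices on stderr, e.g.:
    #   ncat -lkv 2222 2>&1 | python3 this_script.py
    for raw in sys.stdin:
        handle_line(raw)
```

The key difference from the pattern in the quoted message is that the connection notice is validated and the address alone is passed to pfctl as a separate argument; a line carrying the injected string from the post returns None and never reaches pfctl.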