On 01/08/19 16:46, Daniel Jakots wrote:
> On Tue, 8 Jan 2019 16:07:43 -0800, Misc User
> <[email protected]> wrote:
>
>> Doing some work on it the other day, I noticed it opens a pretty big
>> command injection hole if pfctl doesn't kill the connection before
>> the connecting source gets a chance to send data. An attacker could
>> connect to the port and send the string "Ncat: Connection from
>> 172.16.11.152.\ && <do things>" and whatever it uses for <do things>
>> will be done by a privileged account (at least one with permission
>> to add entries to pf's tables).
>>
>> I tested it using a telnet client connecting to one of the arbitrary
>> ports I set up. So I've been trying to figure out a better way to do
>> this. There has to be, maybe something with tcpdump.
>>
>> I'm looking into patching ncat to have a flag where the -v option
>> doesn't output packet content, and only outputs packet metadata.
>> Probably also clean up what it outputs to produce a 'honeypot' mode
>> or something friendly to chaining to a firewall control program.
>
> I'm truly amazed that you just realized you enabled people to run code
> on your machine with a privileged user, and instead of dropping the
> gun, you're like "maybe if I hold it with two hands, I won't shoot
> myself in the foot again".
>
> People say "don't roll your own crypto" but it seems it applies to
> honeypot software too.

I must say this thread has turned into a pretty apt example of the
Dunning-Kruger effect...
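For readers following the ncat-to-pfctl glue the thread is about, here is a defender's version of that glue, added as an example and not code from anyone in the thread. It assumes the script reads ncat -v's "Ncat: Connection from <addr>." announcements one line at a time, accepts only a line that is exactly such an announcement (so peer data echoed by -v never reaches a shell), and hands pfctl an argument vector instead of a shell string; the table name "honeypot" and the sample lines are constructed.

```python
import ipaddress
import re

# ncat -v reports each accepted connection with a line of the form
# "Ncat: Connection from 172.16.11.152." (newer builds may append ":port").
# Because -v also echoes whatever the peer sends, the parser anchors the
# pattern to the whole line: anything after the closing "." disqualifies it.
_CONN_RE = re.compile(
    r"^Ncat: Connection from (\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?\.$"
)


def parse_ncat_connection(line: str):
    """Return the validated IPv4 source address, or None for any other line."""
    m = _CONN_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    try:
        # ipaddress rejects octets the regex alone would accept, e.g. 999.1.1.1
        return str(ipaddress.IPv4Address(m.group(1)))
    except ValueError:
        return None


def pfctl_add_argv(ip: str, table: str = "honeypot") -> list:
    """argv for `pfctl -t <table> -T add <ip>`, pfctl's real table syntax.

    Returned as a list so the caller uses subprocess.run(argv) with no shell;
    splicing the raw ncat line into a shell string is what made the hole.
    """
    return ["pfctl", "-t", table, "-T", "add", ip]


def handle_line(line: str, table: str = "honeypot"):
    """Map one line of ncat -v output to a pfctl argv, or None if it is not a clean announcement."""
    ip = parse_ncat_connection(line)
    return pfctl_add_argv(ip, table) if ip else None


# Constructed sample lines (not captured output): a clean announcement,
# one with a port suffix, and one carrying the thread's injection pattern.
GOOD = "Ncat: Connection from 172.16.11.152."
GOOD_PORT = "Ncat: Connection from 172.16.11.152:40123."
BAD = "Ncat: Connection from 172.16.11.152.\\ && <do things>"
```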