On Mon, Nov 27, 2006 at 03:59:37PM -0500, gabriel rosenkoetter wrote:
Uh... actually, no. The provided exploit Will work, and you're the
idiot.
Begging your pardon, you are saved by single-quoting your awk(1)
statement:
awk '/error retrieving/{getline;print $13}' /var/log/secure|sort -ru >>
/tmp/hosts.deny
[...]
What will be in column 13 when Tavis does this:
Tavis Ormandy wrote:
ssh 'foo bar `/sbin/halt`'@victim
[...]
Why, the shelled-out output of `/sbin/halt`!
Nope, I'm wrong, just the literal string "`/sbin/halt`", which you
never exec.
Mea culpa. Tavis's exploit doesn't so scary things, although he's
right you should really be doing a bit more sanitization of (evil)
user-supplied input, given that you're (insisting that you) run as
root.
On Mon, Nov 27, 2006 at 04:12:11PM -0500, J. Oquendo wrote:
Look at the script. Although YOU'RE opening /var/log/authlog what is the
script opening. Please tell me you're really not that stupid.
Actually, your BSD version DOES open /var/log/authlog (which will
fail on FreeBSD, btw, where it's /var/log/auth.log), so you should
probably stop casting stones and quit while you're ahead with my
explanation above of why Tavis's exploit is a non-starter.
But since we're on the topic... wouldn't it be a better plan to
check the local syslog.conf for the location of the auth failure
log messages rather than hard code it?
--
gabriel rosenkoetter
gr@eclipsed.net
pgphNc4Ub2d6t.pgp
Description: PGP signature
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
