Date: Sun, 22 Dec 2013 19:51:29 +0100
From: Helmut Grohne <helmut@...divi.de>
To: oss-security@...ts.openwall.com
Subject: Re: [SECURITY] [DSA 2826-1] denyhosts security update

On Sun, Dec 22, 2013 at 07:26:15PM +0100, Yves-Alexis Perez wrote:
> Helmut Grohne discovered that denyhosts, a tool preventing SSH
> brute-force attacks, could be used to perform remote denial of service
> against the SSH daemon. Incorrectly specified regular expressions used
> to detect brute force attacks in authentication logs could be exploited
> by a malicious user to forge crafted login names in order to make
> denyhosts ban arbitrary IP addresses.

A bit of background on this issue:

I discovered the issue on the 19th of December and contacted:
 * Debian security team
 * Maintainer of the Debian package: Kyle Willmon
 * Upstream: Phil Schwartz

Example exploit:

ssh -l 'Invalid user root from 123.123.123.123' 21.21.21.21

This causes a log line of the form

sshd[123]: input_userauth_request: invalid user Invalid user root from 123.123.123.123 [preauth]

and results in both IP addresses being blocked.

CVE-2013-6890 was assigned from the Debian pool.

The proposed solution is to tighten up the regular expressions for
matching log file entries, specifically by including the $ pattern to
match the end of log lines. For your convenience I attach the final patch.

The Debian security advisory is the initial public disclosure.

I am not aware of any upstream response to this issue and the last
denyhosts release is from 2008.

Helmut

View attachment "13_CVE-2013-6890.patch" of type "text/x-diff" (3566 bytes)
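As an added illustration (not code from the post, from DenyHosts, or from the attached patch), the following Python compares an unanchored regex written in the style of DenyHosts' sshd patterns with the same regex anchored at end of line, and runs both over constructed log lines modelled on the ones in the post. The pattern text, the sample lines and the helper names are all hypothetical; the point is only that the injected user name is parsed as a "from <host>" clause when nothing forces the match to reach the end of the line.

```python
import re

# Constructed sample lines, not captured from a real host. The last two are
# what sshd logs for the exploit in the post:
#   ssh -l 'Invalid user root from 123.123.123.123' 21.21.21.21
# 21.21.21.21 is the real client; 123.123.123.123 only occurs inside the
# attacker-chosen user name.
SAMPLE_LOG = [
    "Dec 22 19:40:01 host sshd[123]: Invalid user oracle from 21.21.21.21",
    "Dec 22 19:40:01 host sshd[123]: Failed password for invalid user oracle "
    "from 21.21.21.21 port 40000 ssh2",
    "Dec 22 19:41:10 host sshd[124]: Accepted publickey for helmut "
    "from 10.0.0.5 port 50000 ssh2",
    "Dec 22 19:42:37 host sshd[125]: Invalid user Invalid user root "
    "from 123.123.123.123 from 21.21.21.21",
    "Dec 22 19:42:37 host sshd[125]: input_userauth_request: invalid user "
    "Invalid user root from 123.123.123.123 [preauth]",
]

# Hypothetical patterns in the style of DenyHosts' sshd regexes (not the
# project's own). The weak versions stop right after the host field, so a
# user name that itself reads "... from <ip>" satisfies them no matter what
# follows on the line.
WEAK_PATTERNS = [
    re.compile(r"Invalid user (?P<user>.*?) .*from (?P<host>\S+)"),
    re.compile(r"Failed \S+ for (?:invalid user )?(?P<user>.*?) .*from (?P<host>\S+)"),
]

# Tightened versions: after the host only sshd's optional "port N" and
# "sshN" suffixes may appear, then the end of the line ($). The " [preauth]"
# that follows the injected user name in the input_userauth_request line
# makes the match fail.
SUFFIX = r"(?: port \d+)?(?: ssh\d?)?$"
TIGHT_PATTERNS = [
    re.compile(r"Invalid user (?P<user>.*?) .*from (?P<host>\S+)" + SUFFIX),
    re.compile(r"Failed \S+ for (?:invalid user )?(?P<user>.*?) .*from (?P<host>\S+)" + SUFFIX),
]


def extract_offenders(lines, patterns):
    """Return (user, host) pairs the given patterns report, first match per line."""
    found = []
    for line in lines:
        for pat in patterns:
            m = pat.search(line.rstrip("\n"))
            if m:
                found.append((m.group("user"), m.group("host")))
                break
    return found


def hosts_to_deny(lines, patterns):
    """The set of hosts a DenyHosts-style scanner would ban, sorted for display."""
    return sorted({host for _, host in extract_offenders(lines, patterns)})


if __name__ == "__main__":
    print("unanchored:", hosts_to_deny(SAMPLE_LOG, WEAK_PATTERNS))
    print("anchored:  ", hosts_to_deny(SAMPLE_LOG, TIGHT_PATTERNS))
```

With the unanchored patterns the forged input_userauth_request line yields host 123.123.123.123 and the scanner bans both addresses; with the anchored patterns that line no longer matches at all, while the genuine "Invalid user ... from 21.21.21.21" lines still resolve to the real client, so the actual offender is still banned. The anchor is only a fix because sshd puts its own fixed text after the user name in that message; a log format that ended the line with attacker-controlled data would need a different approach, such as matching the host from the authentication record rather than from free-form text.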
