Date: Sun, 22 Dec 2013 19:51:29 +0100 From: Helmut Grohne <helmut@...divi.de> To: oss-security@...ts.openwall.com Subject: Re: [SECURITY] [DSA 2826-1] denyhosts security update On Sun, Dec 22, 2013 at 07:26:15PM +0100, Yves-Alexis Perez wrote: > Helmut Grohne discovered that denyhosts, a tool preventing SSH > brute-force attacks, could be used to perform remote denial of service > against the SSH daemon. Incorrectly specified regular expressions used > to detect brute force attacks in authentication logs could be exploited > by a malicious user to forge crafted login names in order to make > denyhosts ban arbitrary IP addresses. A bit of background on this issue: I discovered the issue on the 19th of December ant contacted: * Debian security team * Maintainer of the Debian package: Kyle Willmon * Upstream: Phil Schwartz Example exploit: ssh -l 'Invalid user root from 184.108.40.206' 220.127.116.11 This causes a log line of the form sshd: input_userauth_request: invalid user Invalid user root from 18.104.22.168 [preauth] and results in both IP addresses being blocked. CVE-2013-6890 was assigned from the Debian pool. The proposed solution is to tighten up the regular expressions for matching log file entries. Specifically including the $ pattern to match the end of log lines. For your convenience I attach the final patch. The Debian security advisory is the initial public disclosure. I am not aware of any upstream response to this issue and the last denyhosts release is from 2008. Helmut View attachment "13_CVE-2013-6890.patch" of type "text/x-diff" (3566 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ