Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 22 Dec 2013 19:51:29 +0100
From: Helmut Grohne <helmut@...divi.de>
To: oss-security@...ts.openwall.com
Subject: Re: [SECURITY] [DSA 2826-1] denyhosts security update

On Sun, Dec 22, 2013 at 07:26:15PM +0100, Yves-Alexis Perez wrote:
> Helmut Grohne discovered that denyhosts, a tool preventing SSH
> brute-force attacks, could be used to perform remote denial of service
> against the SSH daemon. Incorrectly specified regular expressions used
> to detect brute force attacks in authentication logs could be exploited
> by a malicious user to forge crafted login names in order to make
> denyhosts ban arbitrary IP addresses.

A bit of background on this issue:

I discovered the issue on the 19th of December ant contacted:
 * Debian security team
 * Maintainer of the Debian package: Kyle Willmon
 * Upstream: Phil Schwartz

Example exploit:

ssh -l 'Invalid user root from 123.123.123.123' 21.21.21.21

This causes a log line of the form

sshd[123]: input_userauth_request: invalid user Invalid user root from 123.123.123.123 [preauth]

and results in both IP addresses being blocked.

CVE-2013-6890 was assigned from the Debian pool.

The proposed solution is to tighten up the regular expressions for
matching log file entries. Specifically including the $ pattern to match
the end of log lines. For your convenience I attach the final patch.

The Debian security advisory is the initial public disclosure.

I am not aware of any upstream response to this issue and the last
denyhosts release is from 2008.

Helmut

View attachment "13_CVE-2013-6890.patch" of type "text/x-diff" (3566 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ