exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

denyfailblock-inject.txt

denyfailblock-inject.txt
Posted Jun 7, 2007
Authored by Daniel B. Cid | Site ossec.net

DenyHosts, Fail2ban, and BlockHosts are vulnerable to remote log injection attacks that can lead to arbitrary injection of IP addresses in /etc/hosts.deny.

tags | advisory, remote, arbitrary
SHA-256 | 8bda772b2de34916e706de270c5be22d04dc763b90b83e944118ee2f55ecc07e

denyfailblock-inject.txt

Change Mirror Download
Hi List,

DenyHosts, Fail2ban and BlockHosts are vulnerable to remote log injection
that can lead to arbitrarily injection of IP addresses in /etc/hosts.deny. To
make it more "interesting", not only IP addresses can be added, but
also the wild card "all", causing it to block the whole Internet out of the
box (bypassing white lists) -- see DenyHosts exploit example.

The following paper discuss these issues and contain the available
patches for them:

http://www.ossec.net/en/attacking-loganalysis.html


Snippet from the article:
"
The purpose of this article is to point out some vulnerabilities that
I found on open source log analysis tools aimed to stop brute force
scans against SSH and ftp services. Since these tools also perform
active response (automatically blocking the offending IP address),
they would be good examples. However, any tool that parse logs can be
equally vulnerable.

We will show three 0-day denial-of-service attacks caused by remote
log injection on BlockHosts, DenyHosts and fail2ban.

This paper talks about remote log injection, where an external
attacker can modify a log, based on the input it provides to an
application (in our case OpenSSH and vsftpd). By modifying the way the
application logs, we are able to attack these log analysis tools. We
are not talking about local log modification or "syslog injection".
"


Links to these tools:
http://denyhosts.sourceforge.net/
http://www.aczoom.com/cms/blockhosts
http://www.fail2ban.org


Link to the article:
http://www.ossec.net/en/attacking-loganalysis.html

Available patches:
http://www.ossec.net/en/attacking-loganalysis.html#patches


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close