CVE-2007-4323: DoS via log injection
Bug #162406 reported by William Grant
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| denyhosts (Fedora) | Fix Released | High | | |
| denyhosts (Gentoo Linux) | Fix Released | Low | | |
| denyhosts (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Edgy | Fix Released | Undecided | William Grant | |
| Feisty | Fix Released | Undecided | William Grant | |
| Gutsy | Fix Released | Undecided | Unassigned | |
Bug Description
Binary package hint: denyhosts
DenyHosts 2.6 does not properly parse sshd log files, which allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file and cause a denial of service by adding arbitrary IP addresses to the sshd log file, as demonstrated by logging in via ssh with a client protocol version identification containing an IP address string, a different vector than CVE-2006-6301.
This is fixed in >= Gutsy, but affects Feisty, and potentially Edgy.
Changed in denyhosts:
status: New → Fix Released
assignee: nobody → fujitsu
status: New → In Progress
Changed in denyhosts:
status: New → Fix Released
assignee: nobody → fujitsu
status: New → In Progress
Changed in denyhosts:
status: Unknown → Fix Released
Changed in denyhosts:
status: Unknown → Fix Released
Changed in denyhosts:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Changed in denyhosts:
status: Fix Committed → Fix Released
Changed in denyhosts (Gentoo Linux):
importance: Unknown → Low
Changed in denyhosts (Fedora):
importance: Unknown → High
Description of problem:
See this:
http://www.ossec.net/en/attacking-loganalysis.html#denyhosts
which details a DoS vulnerability in the current version of DenyHosts (2.6).
In particular this part details the problem and the fix:
" FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups""")
It is basically looking for "User <user> from <host> .." anywhere in the log, not checking if
it is in the middle of the "bad protocol version" log. How do we fix that? Just
make the regex more robust (a "$" at the end would solve it)!
You may think it is not a big deal but what if instead of one IP address I pass
all? -- all on hosts.deny means block every IP. Would it block the whole
internet out of the box? Yes, it would! "
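The following is an added example in Python; it is not code from DenyHosts, from the bug report or from the OSSEC article. It runs the FAILED_ENTRY_REGEX5 pattern quoted above, and an anchored variant, over a few constructed sshd log lines, one of which is a "Bad protocol version identification" message carrying an injected AllowGroups banner. The log lines are constructed, HARDENED_RE is my own anchored rewrite in the spirit of the "$" suggestion (not the upstream fix verbatim), and is_plausible_host is an extra check I added. The anchor works because sshd quotes the client's banner and then appends the real peer address after it, so attacker-controlled text can never be the end of the line.

```python
import ipaddress
import re

# Constructed sample sshd log lines (not taken from the bug report).
# Line 3 shows the CVE-2007-4323 vector: the SSH client sends a bogus protocol
# version banner, sshd quotes it verbatim in its "Bad protocol version
# identification '...' from <peer>" message, so the attacker controls the text
# inside the quotes but not the " from <peer>" suffix that sshd appends.
SAMPLE_LOG = [
    "Nov 14 10:01:02 host sshd[2001]: User bob from 192.0.2.10 not allowed "
    "because none of user's groups are listed in AllowGroups",
    "Nov 14 10:01:05 host sshd[2002]: Accepted publickey for alice "
    "from 192.0.2.11 port 40000 ssh2",
    "Nov 14 10:01:09 host sshd[2003]: Bad protocol version identification "
    "'User x from all not allowed because none of user's groups are listed "
    "in AllowGroups' from 198.51.100.7",
]

# DenyHosts 2.6 pattern as quoted in the bug: unanchored, so re.search() will
# accept it anywhere in the line, including inside the quoted attacker banner.
VULNERABLE_RE = re.compile(
    r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of """
    r"""user's groups are listed in AllowGroups"""
)

# Anchored rewrite (my assumption, not the upstream patch): the "$" forces the
# AllowGroups text to be the end of the line, and the tighter groups stop the
# match from swallowing spaces and quote characters.
HARDENED_RE = re.compile(
    r"""User (?P<user>\S+) .*from (?P<host>\S+) not allowed because none of """
    r"""user's groups are listed in AllowGroups$"""
)


def extract_hosts(lines, pattern):
    """Return the hosts a DenyHosts-style parser would add to hosts.deny."""
    hosts = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def is_plausible_host(host):
    """Defense in depth (added here, not part of the fix quoted on the page):
    only accept a literal IP address as a ban target, so a wildcard word such
    as "all" can never reach hosts.deny even if some regex is fooled."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The unanchored pattern bans "all", which hosts.deny reads as every host.
    print("vulnerable:", extract_hosts(SAMPLE_LOG, VULNERABLE_RE))
    print("hardened:  ", extract_hosts(SAMPLE_LOG, HARDENED_RE))
    for host in extract_hosts(SAMPLE_LOG, VULNERABLE_RE):
        print(host, "->", "ban" if is_plausible_host(host) else "REJECT (not an IP)")
```

Run as-is: the vulnerable pattern returns both the genuine 192.0.2.10 entry and the injected "all", while the anchored pattern returns only 192.0.2.10. The is_plausible_host check is a second, independent layer: whatever the regexes do, refusing to write anything that is not a literal IP address into hosts.deny makes the "block the whole internet" outcome impossible.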