oss-sec mailing list archives

By Date By Thread Re: [SECURITY] [DSA 2826-1] denyhosts security update From: Helmut Grohne <helmut () subdivi de>

Date: Sun, 22 Dec 2013 19:51:29 +0100

On Sun, Dec 22, 2013 at 07:26:15PM +0100, Yves-Alexis Perez wrote: Helmut Grohne discovered that denyhosts, a tool preventing SSH brute-force attacks, could be used to perform remote denial of service against the SSH daemon. Incorrectly specified regular expressions used to detect brute force attacks in authentication logs could be exploited by a malicious user to forge crafted login names in order to make denyhosts ban arbitrary IP addresses. A bit of background on this issue: I discovered the issue on the 19th of December ant contacted: * Debian security team * Maintainer of the Debian package: Kyle Willmon * Upstream: Phil Schwartz Example exploit: ssh -l 'Invalid user root from 123.123.123.123' 21.21.21.21 This causes a log line of the form sshd[123]: input_userauth_request: invalid user Invalid user root from 123.123.123.123 [preauth] and results in both IP addresses being blocked. CVE-2013-6890 was assigned from the Debian pool. The proposed solution is to tighten up the regular expressions for matching log file entries. Specifically including the $ pattern to match the end of log lines. For your convenience I attach the final patch. The Debian security advisory is the initial public disclosure. I am not aware of any upstream response to this issue and the last denyhosts release is from 2008. Helmut Attachment: 13_CVE-2013-6890.patch

Description: By Date By Thread Current thread: Re: [SECURITY] [DSA 2826-1] denyhosts security update Helmut Grohne (Dec 22) Re: Re: [SECURITY] [DSA 2826-1] denyhosts security update Yves-Alexis Perez (Dec 22)

Helmut Grohne (Dec 22)