
openssh 6.3 regex injection vectors: inject into ruser and/or exploiting pre-specified limits set for user provided data #426

Merged

Conversation

yarikoptic (Member)

resolution -- non-greedy matching prior <HOST> + removing length limits

… too long rhost -- do not impose length limits for user-provided input

since the daemon might eventually change the reported length and we would need to adjust anyway. So limiting
in length does not provide additional security but allows for a possible injection vector
@coveralls

Coverage Status

Coverage remained the same when pulling 750e0c1 on yarikoptic:bf/openssh6.3-regex-injection into a169bad on fail2ban:master.

@grooverdan (Contributor)

Well done and thanks Colin. I'll try to write the generic case for this exploit in DEVELOP.

Ideally this should be the kind of notes that also appear in DEV Notes: section of filters.

The 100 limits on user and host were based on the source, but I'm happy for these to be width unlimited:

./auth2-hostbased.c:        "client user \"%.100s\", client host \"%.100s\"", cuser, chost);
./auth1.c:      auth_info(authctxt, "ruser %.100s", client_user);

@yarikoptic (Member, Author)

yeap - the original length limiting is based on the source code, but imho an absent limit is just to foolproof against possible future changes/custom patched builds etc. I will add a brief statement into DEV notes and will merge then
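The two vectors named in the title of this PR, shown as an added example that is not fail2ban's own filter code: a simplified sshd-style regex (constructed here, not the real sshd.conf pattern) with a greedy `.*` before the host binds `<HOST>` to an attacker-controlled `ruser` value, and a length cap on `ruser` lets the same thing happen even with non-greedy matching. The log lines and addresses are constructed; 1.2.3.4 is the real client, 6.6.6.6 the injected one.

```python
import re

# Constructed sshd-like "Failed hostbased" line. The ruser field is attacker-controlled
# and has been made to look like a second "from <ip> port N ssh2" clause.
LOG_LINE = ('Nov  8 09:36:31 host sshd[24562]: Failed hostbased for root '
            'from 1.2.3.4 port 52133 ssh2: ruser x from 6.6.6.6 port 22 ssh2')

# Same idea, but the ruser value is padded past a 100-character cap (constructed).
LONG_RUSER_LINE = ('Nov  8 09:36:32 host sshd[24563]: Failed hostbased for root '
                   'from 1.2.3.4 port 52134 ssh2: ruser ' + 'x' * 100 +
                   ' from 6.6.6.6 port 22 ssh2')

# Stand-in for fail2ban's <HOST> placeholder (IPv4 only, for brevity).
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
# Stand-in for __prefix_line: syslog timestamp, hostname, "sshd[pid]: ".
PREFIX = r'^\S+ +\d+ \d+:\d+:\d+ \S+ sshd\[\d+\]: '

# Greedy ".*" before <HOST>: the engine consumes as much as it can and then backs
# off to the LAST "from <ip> port N ssh2" that still lets the tail match, so the
# injected address wins.
GREEDY = re.compile(PREFIX + r'Failed \S+ for .* from ' + HOST +
                    r' port \d+ ssh2(?:: ruser .*)?$')

# Non-greedy ".*?" (the "non-greedy matching prior <HOST>" part of the fix):
# <HOST> binds to the FIRST clause, written by sshd itself, and the injected
# tail is swallowed by "ruser .*".
NONGREEDY = re.compile(PREFIX + r'Failed \S+ for .*? from ' + HOST +
                       r' port \d+ ssh2(?:: ruser .*)?$')

# Non-greedy, but with a 100-character cap on ruser (the "pre-specified limits"
# vector): once ruser exceeds the cap the optional group cannot reach end of
# line, the engine backtracks, ".*?" grows, and <HOST> again lands on 6.6.6.6.
LIMITED = re.compile(PREFIX + r'Failed \S+ for .*? from ' + HOST +
                     r' port \d+ ssh2(?:: ruser .{1,100})?$')


def extract_host(pattern, line):
    """Return the address a pattern would hand to fail2ban for banning, or None."""
    m = pattern.search(line)
    return m.group('host') if m else None


if __name__ == '__main__':
    for name, pat in (('greedy', GREEDY), ('non-greedy', NONGREEDY), ('limited', LIMITED)):
        print(name, extract_host(pat, LOG_LINE), extract_host(pat, LONG_RUSER_LINE))
```

Only the non-greedy pattern without a length cap returns 1.2.3.4 for both lines; the other two would have fail2ban ban whatever address the remote user chose to put in `ruser`.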

yarikoptic added a commit that referenced this pull request Nov 8, 2013
openssh 6.3 regex injection vectors:  inject into ruser and/or exploiting pre-specified limits set for user provided data
@yarikoptic yarikoptic merged commit ea8fce6 into fail2ban:master Nov 8, 2013
@yarikoptic yarikoptic deleted the bf/openssh6.3-regex-injection branch November 9, 2013 01:22