Bug 244943 - Security vulnerability - log injection vector - Remote DOS
Summary: Security vulnerability - log injection vector - Remote DOS
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: denyhosts   
(Show other bugs)
Version: 7
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Jason Tibbitts
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
: CVE-2007-4323 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-06-19 23:42 UTC by Jonathan Underwood
Modified: 2007-11-30 22:12 UTC (History)
2 users (show)

Fixed In Version: 2.6-5.fc7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-06-20 20:05:46 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Fix DOS vulnerability in REGEX5 (694 bytes, patch)
2007-06-19 23:53 UTC, Jonathan Underwood
no flags Details | Diff

Description Jonathan Underwood 2007-06-19 23:42:56 UTC
Description of problem:
See this:

http://www.ossec.net/en/attacking-loganalysis.html#denyhosts

which details a DOS vulnerability in the current version of Denyhosts (2.6).

In particular this part details the problem and the fix:

" FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P.*) .*from (?P.*) not allowed
because none of user's groups are listed in AllowGroups""")

It is basically looking for "User from .." anywhere in the log, not checking if
it is in the middle of the "bad protocol version" log. How do we fix that? Just
make the regex more robust (an "$" at the end would solve it)!

You may think it is not a big deal but what if instead of one IP address I pass
all? -- all on hosts.deny means block every IP. Would it block the whole
internet out of the box? Yes, it would! "

Comment 1 Jonathan Underwood 2007-06-19 23:48:27 UTC
A perhaps clearer description of the fix:

We spoke with DenyHosts author, Phil Schwartz, but no official patch is
available yet. However, by changing the FAILED_ENTRY_REGEX5 (at regex.py) to the
following, fixes the problem:

FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P.*) .*from (?P.*) not allowed
because none of user's groups are listed in AllowGroups$""") 

Comment 2 Jonathan Underwood 2007-06-19 23:53:35 UTC
Created attachment 157433 [details]
Fix DOS vulnerability in REGEX5

Trivial patch - thought it might save you a few mins :)

Comment 3 Jason Tibbitts 2007-06-19 23:54:59 UTC
Actually I've already applied a fix and a build is in progress.

Comment 4 Jonathan Underwood 2007-06-19 23:57:22 UTC
Oh, ok, sorry for the noise.

Comment 5 Jason Tibbitts 2007-06-20 00:04:28 UTC
Builds:

http://koji.fedoraproject.org/koji/buildinfo?buildID=9311 (f8)
http://koji.fedoraproject.org/koji/buildinfo?buildID=9312 (f7)

I will push the f7 package to updates-testing as soon as it's finished.  Testing
would be appreciated.  I'll push it to release tomorrow if there are no issues.

Comment 6 Jonathan Underwood 2007-06-20 00:12:25 UTC
OK, I just pulled the F7 build from Koji and installed it. Inspecting regex.py I
see the correct fix to REGEX5, as well as the previous fix to REGEX7 and so all
looks well to me.

# diff -u /home/rpmb/tmp/DenyHosts-2.6/DenyHosts/regex.py.original regex.py
--- /home/rpmb/tmp/DenyHosts-2.6/DenyHosts/regex.py.original    2007-06-20
00:50:28.000000000 +0100
+++ regex.py    2007-06-20 01:05:47.000000000 +0100
@@ -17,11 +17,11 @@
 
 FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*)
.*from (?P<host>.*)""")
 
-FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not
allowed because none of user's groups are listed in AllowGroups""")
+FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not
allowed because none of user's groups are listed in AllowGroups$""")
 
 FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string
.*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
 
-FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) not allowed because not
listed in AllowUsers""")
+FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) .*from
(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed because not
listed in AllowUsers""")
 
 
 # these are reserved for future versions


Comment 7 Jason Tibbitts 2007-06-20 02:06:01 UTC
OK, exploit tested here on fixed package with no effect.  Fix committed to eight
branches and built for six.  Push to F7 release requested.

Comment 8 Fedora Update System 2007-06-20 20:05:43 UTC
denyhosts-2.6-5.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Lubomir Kundrak 2007-08-15 10:29:19 UTC
*** Bug 252291 has been marked as a duplicate of this bug. ***


Note You need to log in before you can comment on or make changes to this bug.