Bug 244943 - Security vulnerability - log injection vector - Remote DOS
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: denyhosts
Version: 7
Hardware: All Linux
Priority: high
Severity: high
Assigned To: Jason Tibbitts
QA Contact: Fedora Extras Quality Assurance
CVE-2007-4323
Reported: 2007-06-19 19:42 EDT by Jonathan Underwood
Modified: 2007-11-30 17:12 EST
Fixed In Version: 2.6-5.fc7
Doc Type: Bug Fix
Last Closed: 2007-06-20 16:05:46 EDT

Attachments:
Fix DOS vulnerability in REGEX5 (694 bytes, patch)
2007-06-19 19:53 EDT, Jonathan Underwood
Description Jonathan Underwood 2007-06-19 19:42:56 EDT
Description of problem:
See this:

http://www.ossec.net/en/attacking-loganalysis.html#denyhosts

which details a DOS vulnerability in the current version of Denyhosts (2.6).

In particular this part details the problem and the fix:

" FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups""")

It is basically looking for "User from .." anywhere in the log, not checking if
it is in the middle of the "bad protocol version" log. How do we fix that? Just
make the regex more robust (an "$" at the end would solve it)!

You may think it is not a big deal but what if instead of one IP address I pass
all? -- all on hosts.deny means block every IP. Would it block the whole
internet out of the box? Yes, it would! "
Comment 1 Jonathan Underwood 2007-06-19 19:48:27 EDT
A perhaps clearer description of the fix:

We spoke with DenyHosts author, Phil Schwartz, but no official patch is
available yet. However, changing the FAILED_ENTRY_REGEX5 (at regex.py) to the
following fixes the problem:

FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$""")
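
The effect of the trailing `$` described in the report above, as an added example that is not part of the original bug report or of DenyHosts itself. The two patterns are taken from the regex.py diff on this page; the sample log lines, the use of `search()`, and the `validated_host` helper are assumptions constructed for illustration.

```python
import ipaddress
import re

# Both patterns are copied from the regex.py diff on this page (before and after the fix).
REGEX5_ORIGINAL = re.compile(
    r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups""")
REGEX5_FIXED = re.compile(
    r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$""")

# Constructed sample messages using documentation addresses (not real log data).
GENUINE = ("User alice from 198.51.100.7 not allowed because "
           "none of user's groups are listed in AllowGroups")
# The same phrase quoted inside a different sshd message; the real peer is at the end.
EMBEDDED = ("Bad protocol version identification 'User alice from 203.0.113.5 "
            "not allowed because none of user's groups are listed in AllowGroups' "
            "from 198.51.100.7")
# A line in the expected shape whose host field is not an address at all.
NON_ADDRESS = ("User alice from all not allowed because "
               "none of user's groups are listed in AllowGroups")


def extract_host(pattern, message):
    """Return the text captured as 'host', or None if the line does not match.

    Assumption: the pattern is applied with search(), i.e. unanchored at the start.
    """
    match = pattern.search(message)
    return match.group("host") if match else None


def validated_host(pattern, message):
    """Hypothetical extra check: accept a capture only if it parses as an IP address."""
    host = extract_host(pattern, message)
    if host is None:
        return None
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None


if __name__ == "__main__":
    samples = [("genuine", GENUINE), ("embedded", EMBEDDED), ("non-address", NON_ADDRESS)]
    for name, line in samples:
        print(name,
              extract_host(REGEX5_ORIGINAL, line),
              extract_host(REGEX5_FIXED, line),
              validated_host(REGEX5_FIXED, line))
```
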
Comment 2 Jonathan Underwood 2007-06-19 19:53:35 EDT
Created attachment 157433 [details]
Fix DOS vulnerability in REGEX5

Trivial patch - thought it might save you a few mins :)
Comment 3 Jason Tibbitts 2007-06-19 19:54:59 EDT
Actually I've already applied a fix and a build is in progress.
Comment 4 Jonathan Underwood 2007-06-19 19:57:22 EDT
Oh, ok, sorry for the noise.
Comment 5 Jason Tibbitts 2007-06-19 20:04:28 EDT
Builds:

http://koji.fedoraproject.org/koji/buildinfo?buildID=9311 (f8)
http://koji.fedoraproject.org/koji/buildinfo?buildID=9312 (f7)

I will push the f7 package to updates-testing as soon as it's finished.  Testing
would be appreciated.  I'll push it to release tomorrow if there are no issues.
Comment 6 Jonathan Underwood 2007-06-19 20:12:25 EDT
OK, I just pulled the F7 build from Koji and installed it. Inspecting regex.py I
see the correct fix to REGEX5, as well as the previous fix to REGEX7 and so all
looks well to me.

# diff -u /home/rpmb/tmp/DenyHosts-2.6/DenyHosts/regex.py.original regex.py
--- /home/rpmb/tmp/DenyHosts-2.6/DenyHosts/regex.py.original    2007-06-20
00:50:28.000000000 +0100
+++ regex.py    2007-06-20 01:05:47.000000000 +0100
@@ -17,11 +17,11 @@
 
 FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*)
.*from (?P<host>.*)""")
 
-FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not
allowed because none of user's groups are listed in AllowGroups""")
+FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not
allowed because none of user's groups are listed in AllowGroups$""")
 
 FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string
.*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
 
-FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) not allowed because not
listed in AllowUsers""")
+FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) .*from
(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed because not
listed in AllowUsers""")
 
 
 # these are reserved for future versions
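Review bot: FAILED_ENTRY_REGEX5 still captures the host with `(?P<host>.*)`, so even with the added `$` any text in that position is accepted as a host, while FAILED_ENTRY_REGEX6 and the new FAILED_ENTRY_REGEX7 in this same hunk restrict it to `(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})`. I would use that dotted-quad sub-pattern in REGEX5 as well, alongside the `$`. The new REGEX7 line also ends at `AllowUsers` without a `$`, unlike the corrected REGEX5; anchoring it the same way would keep the two consistent. FAILED_ENTRY_REGEX4 in the context lines has the same open-ended `(?P<host>.*)` and deserves the same look.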
Comment 7 Jason Tibbitts 2007-06-19 22:06:01 EDT
OK, exploit tested here on fixed package with no effect.  Fix committed to eight
branches and built for six.  Push to F7 release requested.
Comment 8 Fedora Update System 2007-06-20 16:05:43 EDT
denyhosts-2.6-5.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Lubomir Kundrak 2007-08-15 06:29:19 EDT
*** Bug 252291 has been marked as a duplicate of this bug. ***
