[logs] Remote log injection paper
Jun 06 2007 08:45PM
Daniel Cid (danielcid yahoo com br)
I just finished an article about "Remote log
injection", that shows some methods to inject data
into SSH and vsftpd logs that can cause log analysis
tools to parse them incorrectly.
This paper also exposes some vulnerabilities in
DenyHosts, Fail2ban and BlockHosts that can lead to
arbitrary injection of IP addresses in
/etc/hosts.deny. To make it more "interesting" (i.e.
worse), not only IP addresses can be added, but also
the wild card "all", causing it to block the whole
Internet out of the box (bypassing white lists).
The following paper discusses these issues and contains
the available patches for them:
Snippet from the article:
This paper talks about remote log injection, where an
external attacker can modify a log, based on the input
it provides to an application (in our case OpenSSH and
vsftpd). By modifying the way the application logs, we
are able to attack these log analysis tools. We
are not talking about local log modification or
Link to the article:
Daniel B. Cid
dcid ( at ) ossec.net
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org
Copyright 2010, SecurityFocus