Remote log injection paper

I just finished an article about “Remote log injection”, that among other things, exposes some vulnerabilities on DenyHosts, Fail2ban and BlockHosts that can lead to arbitrarily injection of IP addresses in /etc/hosts.deny. To make it more “interesting” (i.e. worse), not only IP addresses can be added, but also the wild card “all”, causing it to block the whole Internet out of the box (bypassing white lists).

The paper is available here: http://www.ossec.net/en/attacking-loganalysis.html

Snippet from the article:

The purpose of this article is to point out some vulnerabilities that I found on open source log analysis tools aimed to stop brute force scans against SSH and ftp services. Since these tools also perform active response (automatically blocking the offending IP address), they would be good examples. However, any tool that parse logs can be equally vulnerable.

We will show three 0-day denial-of-service attacks caused by remote log injection on BlockHosts, DenyHosts and fail2ban.

This paper talks about remote log injection, where an external attacker can modify a log, based on the input it provides to an application (in our case OpenSSH and vsftpd). By modifying the way the application logs, we are able to attack these log analysis tools. We are not talking about local log modification or “syslog injection”.

This entry was posted in log analysis. Bookmark the permalink.

2 Responses to Remote log injection paper

  1. duel says:

    Very good read.

  2. Pingback: OSSEC Blog » Blog Archive » Consistent logging - good separators

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>