CVE-2007-4323: DoS via log injection

Description of problem:
See this:

http://www.ossec.net/en/attacking-loganalysis.html#denyhosts

which details a DOS vulnerability in the current version of Denyhosts (2.6).

In particular this part details the problem and the fix:

" FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P.*) .*from (?P.*) not allowed
because none of user's groups are listed in AllowGroups""")

It is basically looking for "User from .." anywhere in the log, not checking if
it is in the middle of the "bad protocol version" log. How do we fix that? Just
make the regex more robust (an "$" at the end would solve it)!

You may think it is not a big deal but what if instead of one IP address I pass
all? -- all on hosts.deny means block every IP. Would it block the whole
internet out of the box? Yes, it would! "

A perhaps clearer description of the fix:

We spoke with DenyHosts author, Phil Schwartz, but no official patch is
available yet. However, by changing the FAILED_ENTRY_REGEX5 (at regex.py) to the
following, fixes the problem:

FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P.*) .*from (?P.*) not allowed
because none of user's groups are listed in AllowGroups$""")

Created attachment 157433
Fix DOS vulnerability in REGEX5

Trivial patch - thought it might save you a few mins :)

Actually I've already applied a fix and a build is in progress.

Oh, ok, sorry for the noise.

Builds:

http://koji.fedoraproject.org/koji/buildinfo?buildID=9311 (f8)
http://koji.fedoraproject.org/koji/buildinfo?buildID=9312 (f7)

I will push the f7 package to updates-testing as soon as it's finished. Testing
would be appreciated. I'll push it to release tomorrow if there are no issues.

OK, I just pulled the F7 build from Koji and installed it. Inspecting regex.py I
see the correct fix to REGEX5, as well as the previous fix to REGEX7 and so all
looks well to me.

# diff -u /home/rpmb/tmp/DenyHosts-2.6/DenyHosts/regex.py.original regex.py
--- /home/rpmb/tmp/DenyHosts-2.6/DenyHosts/regex.py.original 2007-06-20
00:50:28.000000000 +0100
+++ regex.py 2007-06-20 01:05:47.000000000 +0100
@@ -17,11 +17,11 @@

 FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*)
.*from (?P<host>.*)""")

-FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not
allowed because none of user's groups are listed in AllowGroups""")
+FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not
allowed because none of user's groups are listed in AllowGroups$""")

 FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string
.*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")

-FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) not allowed because not
listed in AllowUsers""")
+FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) .*from
(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed because not
listed in AllowUsers""")

 # these are reserved for future versions

OK, exploit tested here on fixed package with no effect. Fix committed to eight
branches and built for six. Push to F7 release requested.

denyhosts-2.6-5.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

*** Bug 252291 has been marked as a duplicate of this bug. ***