Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

fail2ban – Remote Code Execution- 635

Jakub Zoczek - Securitum, posted 4 years ago
  • Fail2Ban analyses logs and other data sources in search of brute-force attempts. There are plenty of rules, such as SSH, SMTP, HTTP and many more. Once it finds a matching pattern, it bans the IP address.
  • There are actions that occur when blocking a client; one of these is sending an email. An easy way to send an email from the Unix CLI is $ echo "test e-mail" | mail -s "subject" user@example.org. However, this approach has a deadly flaw in it!
  • The mail command has the ability to execute code if "~!" is included in the message body. In the case of fail2ban, a parameter was being included in the mail command that allowed for code execution.
  • What was the input? A call for whois. How do we even control this? Asking an ISP to add a particular did not work, as they only change things for groups. They spun up their own WhoIs server in order to attempt to run this exploit.
  • To make this practical, an attacker would need to force somebody to go to their WhoIs server. This could be done via a MITM attack, since whois is unencrypted anyway.
  • An interesting find for a straightforward flaw in the mailutils mail command.
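As an added illustration (not code from this page or from the Securitum post), the following Python check covers the flaw described above: it scans untrusted text such as a whois reply for lines that mailx would interpret as tilde escapes and neutralises them by doubling the leading tilde. The sample whois reply is constructed, and build_ban_report is a hypothetical stand-in for the body that a fail2ban mail-whois action would send, not fail2ban's own code.

```python
"""Detect and neutralise mailx tilde escapes in untrusted mail-body text."""

# Constructed sample: what a whois server under someone else's control could
# return. Line 3 starts with "~!", which mailx treats as "run a shell command"
# when the body is fed through its interactive input processing.
SAMPLE_WHOIS = (
    "NetRange:       192.0.2.0 - 192.0.2.255\n"
    "OrgName:        Example Org\n"
    "~! id\n"
    "~~ a doubled tilde is shown literally, so it is harmless\n"
)


def find_tilde_escapes(text):
    """Return (1-based line number, line) for each line mailx would treat as a
    tilde escape: a leading '~' that is not the literal-tilde sequence '~~'.
    Known command-running escapes include ~!cmd, ~|cmd, ~<!cmd and ~r file."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        if line.startswith("~") and not line.startswith("~~"):
            hits.append((number, line))
    return hits


def neutralize_tilde_escapes(text):
    """Prefix every line that starts with '~' with another '~', so mailx renders
    a literal tilde instead of executing the escape. This is a mitigation; the
    robust fix is to feed the body to the mailer without escape processing."""
    lines = [("~" + line) if line.startswith("~") else line
             for line in text.splitlines()]
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")


def build_ban_report(ip, whois_text):
    """Hypothetical ban report in the style of a mail-whois action (assumption:
    the real action's wording differs). The whois text is embedded unsanitised
    by the caller, exactly the pattern that made the lookup result dangerous."""
    return (
        f"Hi,\nThe IP {ip} has just been banned after too many failures.\n"
        f"Here is more information about {ip}:\n{whois_text}Regards,\nFail2Ban\n"
    )


def report_is_safe(ip, whois_text):
    """True when the assembled report contains no line mailx would execute."""
    return not find_tilde_escapes(build_ban_report(ip, whois_text))


if __name__ == "__main__":
    print("raw whois safe?       ", report_is_safe("192.0.2.10", SAMPLE_WHOIS))
    print("neutralised whois safe?",
          report_is_safe("192.0.2.10", neutralize_tilde_escapes(SAMPLE_WHOIS)))
```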