From a7dba2ab9e1c98361a4bf75710c69cad8250aac1 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Tue, 2 Dec 2025 08:36:16 +0000 Subject: [PATCH] Add content from: Research Update: Enhanced src/network-services-pentesting/pe... --- .../pentesting-ssh.md | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/src/network-services-pentesting/pentesting-ssh.md b/src/network-services-pentesting/pentesting-ssh.md index 6761ba9dd48..944fc149753 100644 --- a/src/network-services-pentesting/pentesting-ssh.md +++ b/src/network-services-pentesting/pentesting-ssh.md 
@@ -335,6 +335,29 @@ id_rsa - [https://packetstormsecurity.com/files/download/71252/sshfuzz.txt](https://packetstormsecurity.com/files/download/71252/sshfuzz.txt) - [https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh_version_2](https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh_version_2) +## Recent Critical Vulnerabilities (2024) + +### CVE-2024-6387 – regreSSHion signal-handler race + +OpenSSH 8.5p1–9.7p1 removed the async-safe logging guard inside sshd’s `SIGALRM` handler, reintroducing CVE-2006-5051 and letting unauthenticated attackers corrupt the glibc heap as soon as `LoginGraceTime` expires. Qualys weaponized the bug for root RCE on 32-bit Linux and noted that 64-bit targets remain brute-forceable with enough grooming attempts, so prioritize hosts that still disclose those versions during banner grabs. + +Exploitation is timing-based: hammer the daemon with half-open sessions that never authenticate so the privileged monitor repeatedly hits the vulnerable signal path while you shape allocator state. + +Operator tips: + +- Fingerprint builds with `ssh -V` (remote banner) or `ssh -G | grep ^userauths` and confirm `LoginGraceTime` is non-zero. +- Pressure-test a lab target by spamming short-lived sessions that request no authentication, for example: + ```bash + parallel -j200 "timeout 3 ssh -o PreferredAuthentications=none -o ConnectTimeout=2 attacker@${TARGET}" ::: {1..4000} + ``` +- Hosts that force `LoginGraceTime 0` never touch the buggy code path—expect only a DoS angle by exhausting `MaxStartups`. + +### CVE-2024-3094 – xz/liblzma supply-chain backdoor + +XZ Utils 5.6.0 and 5.6.1 shipped trojanized release tarballs whose build scripts unpack a hidden object during Debian/RPM packaging on x86-64 Linux. The payload abuses glibc’s `IFUNC` resolver to hook `RSA_public_decrypt` in sshd (when systemd patches compel liblzma to load) and accepts attacker-signed packets for pre-auth code execution. 
+ +Because the malicious logic lives only inside those packaged binaries, offensive validation must inspect what the victim actually installed: check `xz --version`, `rpm -qi xz`/`dpkg -l xz-utils`, compare hashes of `/usr/lib*/liblzma.so*`, and inspect `ldd /usr/sbin/sshd | grep -E "systemd|lzma"` to see whether sshd even pulls the compromised dependency. The hook stays dormant unless the process path is `/usr/sbin/sshd`, so recreating the distro build environment is often required to reproduce the backdoor in a lab. + ## Authentication State-Machine Bypass (Pre-Auth RCE) Several SSH server implementations contain logic flaws in the **authentication finite-state machine** that allow a client to send *connection-protocol* messages **before** authentication has finished. Because the server fails to verify that it is in the correct state, those messages are handled as if the user were fully authenticated, leading to **unauthenticated code execution** or session creation. @@ -400,6 +423,8 @@ The common lesson is that any deviation from the RFC-mandated state transitions - [Turgensec SSH hacking guide](https://community.turgensec.com/ssh-hacking-guide) - [Pentesting Kerberos (88) – client setup and troubleshooting](pentesting-kerberos-88/README.md) - [0xdf – HTB: TheFrizz](https://0xdf.gitlab.io/2025/08/23/htb-thefrizz.html) +- [Qualys – regreSSHion remote unauthenticated code execution in OpenSSH server](https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server) +- [Snyk – The XZ backdoor (CVE-2024-3094)](https://snyk.io/blog/the-xz-backdoor-cve-2024-3094/) ## HackTricks Automatic Commands
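Review bot: the first "Operator tips" bullet in this hunk gives fingerprinting commands that do not do what the text claims, and the `parallel` one-liner beneath it cannot reach the vulnerable code path. `ssh -V` prints the local client's version, not the remote banner; to read the server's banner you have to connect and read its first line, for example `nc -vn $TARGET 22` or `ssh -v $TARGET 2>&1 | grep 'remote software version'`. `ssh -G` dumps the client's effective configuration and has no `userauths` keyword, and `LoginGraceTime` is a server-side sshd_config option that a client cannot query; the only remote evidence is whether an idle, unauthenticated connection is dropped after the grace period (120 seconds by default). The `timeout 3 ssh -o PreferredAuthentications=none ...` loop never lets `LoginGraceTime` expire (the client is killed after 3 seconds, and a `none` authentication attempt is rejected immediately anyway), so `SIGALRM` is never delivered in the pre-auth process and the race the section describes is never exercised; what the loop does exercise is `MaxStartups`, which is exactly the DoS angle the last bullet contrasts it with. Suggest dropping the lab-command bullet or replacing it with a client that sends the SSH identification string and then holds the socket open past `LoginGraceTime`, and adding the caveat that distro packages backport the fix without changing the upstream version string, so a banner in the 8.5p1–9.7p1 range is a lead to verify against the package version, not a confirmation (fixed upstream in 9.8p1). Minor: "64-bit targets remain brute-foreable with enough grooming attempts" overstates the cited Qualys write-up, which demonstrated the exploit on 32-bit only and described amd64 exploitation as believed feasible but not achieved; the xz paragraph should likewise say explicitly that the injected code lives in the `liblzma.so` built from the 5.6.0/5.6.1 tarballs, since the `ldd` check it recommends only makes sense against that library.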