Thursday, January 23, 2025
HomeCyber Security NewsPoC Exploit Released for Critical OpenSSH Vulnerability (CVE-2024-6387)

PoC Exploit Released for Critical OpenSSH Vulnerability (CVE-2024-6387)

Published on

SIEM as a Service

Follow Us on Google News

An alarming new development emerged in the cybersecurity landscape with the release of a proof-of-concept (PoC) exploit targeting the critical vulnerability identified as CVE-2024-6387.

This vulnerability, discovered by researchers at Qualys, allows remote unauthenticated attackers to execute arbitrary code on vulnerable OpenSSH servers, posing a significant risk to users relying on this widely utilized protocol for secure communication.

Overview of CVE-2024-6387

The vulnerability in question is characterized as a race condition within OpenSSH’s server daemon (sshd). Specifically, if a client does not authenticate within the defined LoginGraceTime, the system’s signal handler can lead to unsafe function calls.

The PoC exploit, developed by GitHub user YassDEV221608, is designed predominantly for 32-bit OpenSSH servers operating on Linux systems that utilize the GNU C Library (glibc). Notably, this flaw has been confirmed not to affect OpenBSD systems.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

As per a report by Exploit Finder, the exploit takes advantage of a signal handler race condition, which occurs when sshd’s SIGALRM handler is activated due to a failed authentication attempt. This flaw allows attackers to gain unauthorized root access by executing code.

While the exploit requires extensive attempts to succeed, as noted by cybersecurity expert Schwartz, the potential impact is severe. OpenSSH developers confirmed this vulnerability impacts only specific versions, urging users to apply patches where available.

For security professionals and researchers looking to explore the exploit, the environment is set up using Docker. Below is a sample Dockerfile to create a vulnerable OpenSSH environment:

# Dockerfile to set up vulnerable OpenSSH server

FROM i386/ubuntu:20.04

ENV DEBIAN_FRONTEND=noninteractive

RUN dpkg --add-architecture i386 && apt-get update && apt-get install -y \

    build-essential \

    wget \

    curl \

    libssl-dev:i386 \

    zlib1g-dev:i386

RUN groupadd sshd && useradd -g sshd -s /bin/false sshd

RUN wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.2p1.tar.gz && \

    tar -xzf openssh-9.2p1.tar.gz && \

    cd openssh-9.2p1 && \

    ./configure && make && make install

RUN mkdir /var/run/sshd

RUN echo 'root:password' | chpasswd

RUN sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /usr/local/etc/sshd_config && \

    sed -i 's/#PasswordAuthentication yes/PasswordAuthentication yes/' /usr/local/etc/sshd_config && \

    echo 'MaxStartups 100:30:200' >> /usr/local/etc/sshd_config

EXPOSE 22

CMD ["/usr/local/sbin/sshd", "-D"]

Building the Docker Image

To build the Docker image, use the following command:

bash

sudo docker build --platform=linux/386 -t vulnerable-openssh:9.2p1 .

Running the Docker Container

Run the container with the command:

bash

sudo docker run --platform=linux/386 -d -p 2222:22 --name vuln-ssh-32bit vulnerable-openssh:9.2p1

PoC Script for Exploiting CVE-2024-6387

The exploit script CVE-2024-6387.py is a critical part of the PoC, allowing users to scan and exploit vulnerable servers. Below is an overview of the script’s functionality:

import argparse

import threading

import socket

import time

def exploit_vulnerability(target_ip, target_port):

    # Logic to exploit CVE-2024-6387

    # (This is a simplified demonstration)

    print(f"Exploiting target: {target_ip}:{target_port}")

    # Add actual exploitation code here...

def main():

    parser = argparse.ArgumentParser(description='CVE-2024-6387 PoC Exploit Script')

    parser.add_argument('-T', '--targets', required=True, help='Target IP addresses or domain names')

    parser.add_argument('-p', '--port', default=22, help='Port number to exploit (default: 22)')

    args = parser.parse_args()

    targets = args.targets.split(',')

    threads = []

    for target in targets:

        thread = threading.Thread(target=exploit_vulnerability, args=(target, args.port))

        threads.append(thread)

        thread.start()

    for thread in threads:

        thread.join()

if __name__ == "__main__":

    main()

To protect against CVE-2024-6387, system administrators are urged to update their OpenSSH installations to the latest versions, which include critical patches addressing this vulnerability.

Additionally, configurations that limit authentication attempts and enhance logging can help mitigate the risk of exploitation.

As the cybersecurity community reacts to the implications of CVE-2024-6387, the release of this exploit underscores the necessity of proactive security measures.

Organizations using OpenSSH are strongly advised to assess their systems for vulnerabilities and implement necessary updates to safeguard against potential attacks. 

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular...

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

The "Cookie Sandwich Attack" showcases a sophisticated way of exploiting inconsistencies in cookie parsing...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

Microsoft Unveils New Identity Secure Score Recommendations in General Availability

Microsoft has announced the general availability of 11 new Identity Secure Score recommendations in...