PoC Exploit Released for Critical OpenSSH Vulnerability (CVE-2024-6387)

An alarming new development emerged in the cybersecurity landscape with the release of a proof-of-concept (PoC) exploit targeting the critical vulnerability identified as CVE-2024-6387.

This vulnerability, discovered by researchers at Qualys, allows remote unauthenticated attackers to execute arbitrary code on vulnerable OpenSSH servers, posing a significant risk to users relying on this widely utilized protocol for secure communication.

Overview of CVE-2024-6387

The vulnerability in question is characterized as a race condition within OpenSSH’s server daemon (sshd). Specifically, if a client does not authenticate within the defined LoginGraceTime, the system’s signal handler can lead to unsafe function calls.

The PoC exploit, developed by GitHub user YassDEV221608, is designed predominantly for 32-bit OpenSSH servers operating on Linux systems that utilize the GNU C Library (glibc). Notably, this flaw has been confirmed not to affect OpenBSD systems.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

As per a report by Exploit Finder, the exploit takes advantage of a signal handler race condition, which occurs when sshd’s SIGALRM handler is activated due to a failed authentication attempt. This flaw allows attackers to gain unauthorized root access by executing code.

While the exploit requires extensive attempts to succeed, as noted by cybersecurity expert Schwartz, the potential impact is severe. OpenSSH developers confirmed this vulnerability impacts only specific versions, urging users to apply patches where available.

For security professionals and researchers looking to explore the exploit, the environment is set up using Docker. Below is a sample Dockerfile to create a vulnerable OpenSSH environment:

# Dockerfile to set up vulnerable OpenSSH server

FROM i386/ubuntu:20.04

ENV DEBIAN_FRONTEND=noninteractive

RUN dpkg --add-architecture i386 && apt-get update && apt-get install -y \

    build-essential \

    wget \

    curl \

    libssl-dev:i386 \

    zlib1g-dev:i386

RUN groupadd sshd && useradd -g sshd -s /bin/false sshd

RUN wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.2p1.tar.gz && \

    tar -xzf openssh-9.2p1.tar.gz && \

    cd openssh-9.2p1 && \

    ./configure && make && make install

RUN mkdir /var/run/sshd

RUN echo 'root:password' | chpasswd

RUN sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /usr/local/etc/sshd_config && \

    sed -i 's/#PasswordAuthentication yes/PasswordAuthentication yes/' /usr/local/etc/sshd_config && \

    echo 'MaxStartups 100:30:200' >> /usr/local/etc/sshd_config

EXPOSE 22

CMD ["/usr/local/sbin/sshd", "-D"]

Building the Docker Image

To build the Docker image, use the following command:

bash

sudo docker build --platform=linux/386 -t vulnerable-openssh:9.2p1 .

Running the Docker Container

Run the container with the command:

bash

sudo docker run --platform=linux/386 -d -p 2222:22 --name vuln-ssh-32bit vulnerable-openssh:9.2p1

PoC Script for Exploiting CVE-2024-6387

The exploit script CVE-2024-6387.py is a critical part of the PoC, allowing users to scan and exploit vulnerable servers. Below is an overview of the script’s functionality:

import argparse

import threading

import socket

import time

def exploit_vulnerability(target_ip, target_port):

    # Logic to exploit CVE-2024-6387

    # (This is a simplified demonstration)

    print(f"Exploiting target: {target_ip}:{target_port}")

    # Add actual exploitation code here...

def main():

    parser = argparse.ArgumentParser(description='CVE-2024-6387 PoC Exploit Script')

    parser.add_argument('-T', '--targets', required=True, help='Target IP addresses or domain names')

    parser.add_argument('-p', '--port', default=22, help='Port number to exploit (default: 22)')

    args = parser.parse_args()

    targets = args.targets.split(',')

    threads = []

    for target in targets:

        thread = threading.Thread(target=exploit_vulnerability, args=(target, args.port))

        threads.append(thread)

        thread.start()

    for thread in threads:

        thread.join()

if __name__ == "__main__":

    main()

To protect against CVE-2024-6387, system administrators are urged to update their OpenSSH installations to the latest versions, which include critical patches addressing this vulnerability.

Additionally, configurations that limit authentication attempts and enhance logging can help mitigate the risk of exploitation.

As the cybersecurity community reacts to the implications of CVE-2024-6387, the release of this exploit underscores the necessity of proactive security measures.

Organizations using OpenSSH are strongly advised to assess their systems for vulnerabilities and implement necessary updates to safeguard against potential attacks. 

Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!