regreSSHion: exploits are already out in the wild

As expected, Proof of Concept exploits for CVE-2024-6387 are already circulating on GitHub and elsewhere.

Published 33 mins ago 3 min read


As expected from yesterday’s announcement article, the exploit code for the freshly-discovered OpenSSH “regreSSHion” vulnerability (CVE-2024-6387) has already surfaced on GitHub. This critical flaw in one of the internet’s most ubiquitous secure communication tools threatens to turn millions of systems into potential targets for malicious actors.

First reported by Qualys’ Threat Research Unit on July 1, 2024, the vulnerability affects a wide swath of Portable OpenSSH versions, from 8.5p1 to 9.7p1. At its core, it’s a nasty little race condition in the OpenSSH server (sshd) on glibc-based Linux systems that could allow unauthenticated attackers to execute arbitrary code with root privileges. In other words, it’s a hacker’s dream come true, even if it takes all night (~8 hours or ~10,000 attempts).

Qualys’ recon of affected systems showed that over 14 million OpenSSH server instances exposed to the internet could be vulnerable. Their analysis suggests that about 700,000 external internet-facing instances within their global customer base are at risk – that’s a whopping 31% of all internet-facing instances with OpenSSH.

As I said yesterday, the fact that Qualys published a detailed technical breakdown of how the vulnerability was found, it would be only a matter of time before exploits start popping up, and that is precisely the case today. A GitHub user known as “7etsuo” has published a proof-of-concept exploit for the regreSSHion vulnerability. The code, aptly titled “7etsuo-regreSSHion.c,” details step-by-step how an attacker could potentially leverage this flaw.

 * Exploit Title  : SSH Exploit for CVE-2024-6387 (regreSSHion)
 * Author         : 7etsuo
 * Date           : 2024-07-01
 * Description:
 * Targets a signal handler race condition in OpenSSH's
 * server (sshd) on glibc-based Linux systems. It exploits a vulnerability
 * where the SIGALRM handler calls async-signal-unsafe functions, leading
 * to rce as root.
 * Notes:
 * 1. Shellcode        : Replace placeholder with actual payload.
 * 2. GLIBC_BASES      : Needs adjustment for specific target systems.
 * 3. Timing parameters: Fine-tune based on target system responsiveness.
 * 4. Heap layout      : Requires tweaking for different OpenSSH versions.
 * 5. File structure offsets: Verify for the specific glibc version.

The exploit attempts to bypass ASLR (Address Space Layout Randomization) by trying multiple possible glibc base addresses. It then hammers the target server with repeated SSH connections, trying to hit the spot where the race condition can be triggered.

The exploit code implements a few key techniques:

  • Precise timing mechanisms to hit the vulnerable window just before the SIGALRM signal is triggered.
  • Heap preparation to create a favorable memory layout for exploitation.
  • Creation of fake FILE structures to manipulate memory and control execution flow.
  • A placeholder for shellcode, ready for an attacker to insert their own payload for arbitrary code execution.

While this particular code appears to be more of a proof-of-concept than a fully weaponized exploit, it significantly lowers the barrier for potential attackers, and you can bet your bottom dollar that more refined and efficient versions of this exploit are already being cooked up in the darker corners of the internet.

The publication of this exploit code turns what was already a race against time for organizations to patch their vulnerable OpenSSH installations into a full-blown sprint.

Alexander Hagenah, xaitax on GitHub, published a Python script that can mass-scan target systems that might be vulnerable to CVE-2024-6387. In his own words, “This script facilitates rapid scanning of multiple IP addresses, domain names, and CIDR network ranges to detect potential vulnerabilities and ensure your infrastructure is secure.”

Stack Diary has also seen attempts by malicious cybersecurity experts who are attempting to capitalize on this security issue by offering working exploits for sale:

CVE-2024-6387 exploit being offered for sale

For organizations still dragging their feet on this one, the message is clear: patch now, or prepare for a world of hurt. Here’s your to-do list:

  • Update to OpenSSH 9.8 or apply vendor-specific patches issued by your distribution.
  • Lock down SSH access with network-based access controls.
  • Get those intrusion detection systems up and running to spot exploitation attempts.
  • Audit the hell out of any systems that might have been exposed to this vulnerability.

As this situation unfolds, you can bet that cybersecurity pros worldwide will be burning the midnight oil, watching for any signs of active exploitation in the wild.

Posted by Alex Ivanovs

Alex is the lead editor at Stack Diary and covers stories on tech, artificial intelligence, security, privacy and web development. He previously worked as a lead contributor for Huffington Post for their Code column.


Related stories
1 week ago - There's also chatter about whether medium severity scare is actually code red nightmare Infosec circles are awash with chatter about a vulnerability in Ghostscript some experts believe could be the cause of several major breaches in the...
4 days ago - Citrix, SAP also deserve your attention – because miscreants are already thinking about Exploit Wednesday Patch Tuesday Clear your Microsoft system administrator's diary: The bundle of fixes in Redmond's July Patch Tuesday is a doozy,...
5 days ago - A new vulnerability in OpenSSH packages has been discovered, potentially allowing remote code execution on Red Hat Enterprise Linux (RHEL)... The post RHEL 9 OpenSSH packages affected by remote code execution flaw appeared first on Stack...
1 week ago - A severe vulnerability in OpenSSH, dubbed “regreSSHion” (CVE-2024-6387), has been discovered by the Qualys Threat Research Unit, potentially exposing millions... The post OpenSSH: race condition in sshd allows remote code execution...
1 week ago - Full system takeovers on the cards, for those with enough patience to pull it off Glibc-based Linux systems are vulnerable to a new bug (CVE-2024-6387) in OpenSSH's server (sshd) and should upgrade to the latest version.…
Other stories
38 minutes ago - The Arduino team, known for providing various electronic and microcontroller components for do-it-yourself electronic hobbyists since 2005, has announced its new product, the Plug and Make Kit. It's aimed at beginners as it removes the...
38 minutes ago - Slap these flame-friendly species on the grates and you won't be cleaning fish off the bottom of your grill this summer.
41 minutes ago - NVIDIA GeForce RTX 50 “Preliminary” GPU TDPs Revealed: RTX 5090 500W, RTX 5080 350W, RTX 5070 220W, RTX 5060 170W, RTX 5050 100W  WccftechNvidia RTX 50 graphics card family TDPs 'leaked' by Seasonic  Tom's HardwareSeasonic lists GeForce...
41 minutes ago - ‘Concord’ Impresses Some, But The Price May Be A Dealbreaker  ForbesConcord Beta Early Access: Preload and server times, PC specs, and more detailed  PlayStationSony’s new hero shooter Concord is playable this weekend for all PS Plus...
41 minutes ago - Samsung Galaxy Z Fold 6 Galaxy Flip 6 Galaxy Ring Deal Price  ForbesSamsung Galaxy Z Flip 6 hands-on: The foldable most people should buy gets one key upgrade  ZDNetWondering whether the Galaxy Z Fold 6 or Z Flip 6 are worth it? Samsung's...