21-07-25, 10:02 PM
Hello darkforums, today I discovered another 0day in OpenSSH portable: https://github.com/openssh/openssh-portable/tree/master (openssh-portable: Portable OpenSSH)
Quick summary of how it works: in the OpenSSH portable source code, the function handling X11 forwarding parses the DISPLAY environment variable (e.g. localhost:10.0) to extract the display number.
The vulnerable code snippet is in channels.c in the GitHub source code I linked.
Screenshot of the vulnerable code: https://files.catbox.moe/xvl8qt.jpeg
Why it's a problem: https://snippet.host/dwkhzw
Here are all the conditions for it to be exploited: https://snippet.host/tymjda
Here’s a PoC that:
- Connects to an OpenSSH server with X11 forwarding
- Sends a malformed display string
- Triggers a crash in channels.c when the server tries to parse it
Exploit code (written in Python): https://snippet.host/ewegyk
The expected result:
- On the server, when the OpenSSH daemon tries to set up the X11 channel, it will hit:
Code:
colon = strrchr(display, ':'); // colon = NULL
sscanf(colon + 1, ...) // BOOM: invalid memory access
- This leads to:
  - a crash (segfault)
  - possibly written to logs or a core dump
How to fix it: https://snippet.host/bgiocf
Security impact: https://snippet.host/dnfgny
Alright guys, follow these steps and you'll basically be good to go in exploiting this vulnerability. If you want a version of the exploit written in C (plus a guide on how to set it up) and a full testbed Docker image that includes a vulnerable sshd to experiment with, continue reading.
Exploit written in C: https://snippet.host/yhmefi
How to compile and run:
gcc -o ssh_x11_crash_poc ssh_x11_crash_poc.c
./ssh_x11_crash_poc
Server setup notes to trigger the vulnerability: https://snippet.host/xammao
Expected outcome: https://snippet.host/khdyre
Here is a .tar version of the exploit to experiment with: https://files.catbox.moe/9ca66g.gz
Here is how you can run it on Linux:
tar -xvzf openssh_x11_lab.tar.gz
cd openssh_x11_lab
docker build -t openssh-x11-lab .
docker run -it -p 2222:22 openssh-x11-lab
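Added example (the editor's, not code from the post and not OpenSSH's code): a minimal C parser for the DISPLAY value the post discusses, written once in the unchecked form the post describes (strrchr() result passed straight to sscanf()) and once in a checked form that rejects a value with no ':' instead of reading from colon + 1. The host:d[.s] grammar, the 256-byte input limit and the wrapper function names are assumptions made for this example; whatever checks the real function in channels.c performs should be read from the linked source rather than from this block.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Two parsers for an X11 DISPLAY value ("host:d[.s]", "unix:d[.s]", ":d[.s]").
 * Neither is OpenSSH's code: one reproduces the unchecked pattern the post
 * describes, the other is a checked alternative written for this example. */

/* Unchecked pattern: strrchr() result used without a NULL test. Well-formed
 * input parses; input with no ':' leaves colon NULL and sscanf() reads NULL + 1. */
static int parse_display_unchecked(const char *display, unsigned *display_number)
{
    const char *colon = strrchr(display, ':');
    return sscanf(colon + 1, "%u", display_number) == 1 ? 0 : -1;
}

/* Checked parser: 0 on success (host, display number and screen filled in;
 * screen is 0 when ".s" is absent), -1 on anything malformed: no ':', missing
 * or non-digit number, sign or whitespace, trailing junk, oversize input. */
static int parse_display_checked(const char *display, char *host, size_t hostlen,
                                 unsigned *display_number, unsigned *screen)
{
    char buf[256];                       /* size limit assumed for this example */
    char *colon, *end;
    unsigned long val;

    if (display == NULL || strlen(display) >= sizeof(buf))
        return -1;
    memcpy(buf, display, strlen(display) + 1);

    colon = strrchr(buf, ':');
    if (colon == NULL)                   /* the case the post's snippet does not test */
        return -1;
    *colon = '\0';                       /* buf now holds the host part ("" or "unix" = local) */
    if (strlen(buf) >= hostlen)
        return -1;
    memcpy(host, buf, strlen(buf) + 1);

    /* Require a leading digit: strtoul() alone would accept " 10", "+10" and "-1". */
    if (!isdigit((unsigned char)colon[1]))
        return -1;
    errno = 0;
    val = strtoul(colon + 1, &end, 10);
    if (errno == ERANGE || val > UINT_MAX)
        return -1;
    *display_number = (unsigned)val;

    *screen = 0;
    if (*end == '.') {                   /* optional ".s" screen suffix */
        if (!isdigit((unsigned char)end[1]))
            return -1;
        errno = 0;
        val = strtoul(end + 1, &end, 10);
        if (errno == ERANGE || val > UINT_MAX)
            return -1;
        *screen = (unsigned)val;
    }
    return *end == '\0' ? 0 : -1;        /* anything left over is junk */
}

/* Wrappers returning one value each (-1 = rejected) so results are easy to check. */
static long checked_display_number(const char *display)
{
    char host[128]; unsigned d, s;
    return parse_display_checked(display, host, sizeof host, &d, &s) == 0 ? (long)d : -1;
}
static long checked_screen(const char *display)
{
    char host[128]; unsigned d, s;
    return parse_display_checked(display, host, sizeof host, &d, &s) == 0 ? (long)s : -1;
}
static int checked_host_is(const char *display, const char *expected)
{
    char host[128]; unsigned d, s;
    return parse_display_checked(display, host, sizeof host, &d, &s) == 0 &&
           strcmp(host, expected) == 0;
}
static long unchecked_display_number(const char *display)
{
    unsigned d;
    return parse_display_unchecked(display, &d) == 0 ? (long)d : -1;
}

int main(void)
{
    /* Constructed inputs: the post's example value and the no-colon value it
     * says crashes the unchecked code (so only the checked parser is given it). */
    const char *ok = "localhost:10.0", *bad = "localhost";
    printf("%s: unchecked=%ld checked=%ld\n", ok,
           unchecked_display_number(ok), checked_display_number(ok));
    printf("%s: checked=%ld (unchecked parser would dereference NULL + 1)\n",
           bad, checked_display_number(bad));
    return 0;
}
```

Build with `gcc -Wall -o display_parse display_parse.c && ./display_parse` (file name assumed). The checked parser is the only one handed the no-colon input; the unchecked one is kept purely to show the pattern the post's snippet relies on, and feeding it "localhost" is the NULL + 1 read the post describes.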