OpenSSH 8.5p1–9.7p1 removed the async-safe logging guard inside sshd’s `SIGALRM` handler, reintroducing CVE-2006-5051 and letting unauthenticated attackers corrupt the glibc heap as soon as `LoginGraceTime` expires. Qualys weaponized the bug for root RCE on 32-bit Linux and noted that 64-bit targets remain brute-forceable with enough grooming attempts, so prioritize hosts that still disclose those versions during banner grabs.
343
+
344
+
Exploitation is timing-based: hammer the daemon with half-open sessions that never authenticate so the privileged monitor repeatedly hits the vulnerable signal path while you shape allocator state.
345
+
346
+
Operator tips:
347
+
348
+
- Fingerprint builds with `ssh -V` (remote banner) or `ssh -G <target> | grep ^userauths` and confirm `LoginGraceTime` is non-zero.
349
+
- Pressure-test a lab target by spamming short-lived sessions that request no authentication, for example:
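Review bot: the fingerprinting bullet at the end of this hunk does not do what it claims: `ssh -V` prints the version of the local client binary, not the remote server's, and `ssh -G <target>` dumps the client's own evaluated configuration (there is no `userauths` keyword to grep for), so neither command identifies which sshd build a host runs; the server's version is the identification string it sends at connection time, which the first paragraph's "banner grabs" already refers to, so the two commands should be dropped or replaced with that wording. Two smaller points: the hunk cites only the 2006 CVE that was reintroduced and never gives the identifier or the first fixed release of the 2024 regression it describes, which the entry needs for patch-level triage; and the `LoginGraceTime` remark should spell out the mitigation it hints at, namely that setting it to 0 disables the grace timeout so the `SIGALRM` handler never runs, at the cost of unauthenticated connections holding their slots until `MaxStartups` throttles new ones. The last bullet ends with "for example:" and no example follows in this view.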
XZ Utils 5.6.0 and 5.6.1 shipped trojanized release tarballs whose build scripts unpack a hidden object during Debian/RPM packaging on x86-64 Linux. The payload abuses glibc’s `IFUNC` resolver to hook `RSA_public_decrypt` in sshd (when systemd patches compel liblzma to load) and accepts attacker-signed packets for pre-auth code execution.
358
+
359
+
Because the malicious logic lives only inside those packaged binaries, offensive validation must inspect what the victim actually installed: check `xz --version`, `rpm -qi xz`/`dpkg -l xz-utils`, compare hashes of `/usr/lib*/liblzma.so*`, and inspect `ldd /usr/sbin/sshd | grep -E "systemd|lzma"` to see whether sshd even pulls the compromised dependency. The hook stays dormant unless the process path is `/usr/sbin/sshd`, so recreating the distro build environment is often required to reproduce the backdoor in a lab.
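Review bot: the package checks in the last paragraph query the wrong package and the hash comparison has no reference. sshd does not load the `xz` command-line tool; it loads the shared library, which ships as `liblzma5` on Debian-derived systems and `xz-libs` on RPM-based ones, so the `rpm -qi`/`dpkg -l` lines should query the library package sshd actually links (the version is the decisive signal, since the hunk identifies 5.6.0 and 5.6.1 as the trojanized releases). "Compare hashes of `/usr/lib*/liblzma.so*`" needs to say against what: `rpm -V` and `dpkg -V` only check a file against the installed package's own manifest, which a trojanized package passes by construction, so the comparison must be against a known-clean build of the same version. The `ldd` line is sound for its stated purpose, but it shows only that the dependency is present, not that the hook is active; the dormancy condition in the final sentence (the `/usr/sbin/sshd` process-path check) is also why loading the library into a test harness under any other name yields a false negative, which is worth stating next to the lab-reproduction advice.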
Several SSH server implementations contain logic flaws in the **authentication finite-state machine** that allow a client to send *connection-protocol* messages **before** authentication has finished. Because the server fails to verify that it is in the correct state, those messages are handled as if the user were fully authenticated, leading to **unauthenticated code execution** or session creation.
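Review bot: this paragraph names the bug class but nothing concrete, so a reader cannot act on it: it should say which implementations and advisories it refers to and which messages are meant by "connection-protocol messages", because the defensive rule is precise. RFC 4250 reserves message numbers 80 to 127 for the connection protocol (`SSH_MSG_GLOBAL_REQUEST`, `SSH_MSG_CHANNEL_OPEN`, `SSH_MSG_CHANNEL_REQUEST` and the rest), and a server must reject or disconnect on any of them until it has sent `SSH_MSG_USERAUTH_SUCCESS`; the flaw described is a dispatcher that selects a handler by message number alone without checking the authentication state. Suggest adding that one-line rule and its detection counterpart, a channel open or channel request logged before the authentication-success event on the same connection, to the paragraph.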
@@ -400,6 +423,8 @@ The common lesson is that any deviation from the RFC-mandated state transitions