this new SSH exploit is absolutely wild
Vložit
- čas přidán 2. 07. 2024
- OpenSSH has been rocked by a new RCE vulnerability. But, it may not be as scary as people are making it out to be. Find out why in this video.
blog.qualys.com/vulnerabiliti...
www.qualys.com/2024/07/01/cve...
🏫 COURSES 🏫 Learn to code in C at lowlevel.academy
🛒 GREAT BOOKS FOR THE LOWEST LEVEL🛒
Blue Fox: Arm Assembly Internals and Reverse Engineering: amzn.to/4394t87
Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation : amzn.to/3C1z4sk
Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software : amzn.to/3C1daFy
The Ghidra Book: The Definitive Guide: amzn.to/3WC2Vkg
🔥 SOCIALS 🔥
Come hang out at lowlevel.tv - Věda a technologie
haha wouldn't it be cool if you learned C and assembly haha lowlevel.academy
no it wouldnt
Bro can you please tell me how much time it takes to learn assembly language from which you can write your own script exploits and malwares and ransomwares.
And which are the best high level languages which are used to write a malware or ransomwares
no it wouldnt
@@PrinceKumar-yo9lr It really depends on what you're exploiting. If it's a local vulnerability (one through the operating system) then you'll need to have full control over the arguments you pass to the operating system's APIs. This is best done with a low level language such as C, C++, Zig, or even Rust. If you need *really* fine control, you can use Assembly, but it's not common.
However, must vulnerabilities are rooted in networking. These can be made in any language that has networking capabilities. Rust is my pick, just because of how easy it is to throw some bytes through a socket. POSIX's C sockets take a bit more work to set up than a higher-level TCP stream, but it's way better than Winsock from what I've seen.
However, this all assumes you have a vulnerability to exploit. Vulnerabilities are often patched as soon as they pop up.
Something way cooler than just malicious stuff is "fun" malware, which was away more prevalent back then. It didn't usually do anything super serious, but it would take control of the system and show you something really cool looking. There are some Windows 10 programs that do this with WinGDI (see MEMZ and Chloroform). You could learn to do the same, since it looks really cool. You don't need to exploit anything to make something really cool, just look at Furnace.
@@PrinceKumar-yo9lr 2 minutes and 34 seconds 👍
Temple OS is once again not affected? Coincidence?
Too holy to get hacked 🙏
Not a coincidence.
kowinkydink?
it's GOD'S work my dude
Thats why god uses it
That's why we call it "OpenSSH".
no cap
I still don't get why people open the SSH port when they can use wireguard since if the device is compromised all bets are off anyway
@@AkivaB Guess it's difficult to maintain the wireguard configuration for all your devices, especially for multiple users - personally I like to use an open source mesh VPN like Tailscale or ZeroTier.
the door is wide open
😂
The creativity of threat hunters will NEVER cease to amaze me
Breakers are one or several steps ahead of builders.
Agreed. People doing this kind of work are fascinating and awesome
There has to be an invisible hand from the intelligence community to plant some of these. I'm not saying that programmers never make mistakes that allow sploits, but those are probably the exception, not the rule.
@@brainites by definition, or they wouldn't be breakers. Sometimes builders can be ahead, as is the case with attempts at quantum computer proof crypto that is being worked on before quantum supremacy is reached.
The lack of creativity of developers will NEVER cease to amaze me
LLL: "It's from 20 years ago, 2006."
Me: "It's not THAT long -- Oh shit..."
Yeah, my mind jumped to the 90s as well
@@mephistovonfaust20 years ago is, and forever shall be, the 80s.
you're old
@@prototypeinheritance515 respect your elders, boyo. ;)
LOL exactly! :-) For me is 10-15 years ago in the 1980s and last year is about 2001. :-)
"Everyone can do it" - Yeah for now nobody was able to do it on a 64 bit system only on 32 bit systems lol.
just was about to comment that "everyone"-line. I doubt my mom could time the attack right.. she always forgets to compensate for latency...
Nor if there's a connection limit via firewall. Even with the biggest botnet it would take forever.
Can I just say this? Thank you Low Level Learning for dark mode. So many yt chanels flash bang me.
Nothing worse than when a CZcamsr bangs you, that’s for sure
Agreed 👏
I wish a CZcamsr bangs me too someday
@@_Salaar_khan 😂😂😂
I think at this point we can update the saying to "the three hardest problems in computer science are cache invalidation, naming things, asynchronous programs and 'Off By 1' errors"
Throw in interrupts like SigAlarm and you got a nightmare.
@99temporal I see what you did there
2B OR ≠2B
I endorse this comment.
Bugs like this are part of why I use a pretty aggressive fail2ban. The attacker doesn't get 10,000 tries... instead they get 3 tries or sometimes even less. The bans eventually expire, but instead of hours to get in, it would take decades. Plenty of time to install a fixed version.
You can get nailed on the first try if you're unlucky, or the timing might never work for an attacker. Even 64 bit systems could get catastrophically unlucky. At least it's an easy fix this time.
fail2ban is certainly a useful tool, but I can think of way to potentially dodge it, depending on how it's coded. Like most software, let's assume that it's been written with the assumptions of the IPv4 address space in mind. That is to say, a user is likely to have access to a handful of IP addresses, and can't easily get hold of more unless they are a large company or state actor. However, that's not true for IPv6, where essentially everyone gets access to a 64-bit block as normal practise. So if fail2ban isn't coded to take this into account, and is only banning singular IP addresses, then it's trivial to bypass with IPv6...you just change IP address on every operation. To counter this, fail2ban needs to be IPv6 aware, and ban the whole 64-bit block if just one address in it trips its alarms.
@@parad0xheart There are ways to make it detect and block IP ranges, in both ipv4 and ipv6. It just depends on whether the admin actually bothered.
@@parad0xheartI'm not sure about fail2ban specifically, but it's standard to block the whole /64 range for IPv6. Each customer / network is supposed to get its own /64, so it makes sense to block the entire range.
@@parad0xheart or you just disable IPv6 for SSH, by setting the protocol to "inet" in ssh config.
oh that is why an openssh update was avaliable.
They patched it already?
@@johndank2209 It was probably patched before the paper and the CVE were announced. Package maintainers get early access to security fixes so they have ample time to prepare their backports. A backport is a fixed version with security patches applied retroactively. It's how most distros work. Since many packages are binaries, they can even advance patch most systems before the actual source code changes becomes available from the OG repository. It depends on the severity of the vulnerability, but package-managed systems can actually be fully patched up to a week before the CVE drops.
@@johndank2209 it was revealed as the patch is out
Yeah Ubuntu already patched it up on July 1st
openssh 1:9.6p1-3ubuntu13.3
CVE-2024-6387
Edit:
From the bug report itself
2024-05-19: We contacted OpenSSH's developers. Successive iterations of
patches and patch reviews followed.
2024-06-20: We contacted the distros@openwall.
2024-07-01: Coordinated Release Date.
@@johndank2209 it was an accidental regression, should be super easy to patch. Just revert the code that was never supposed to be there anyway
I use sssh. Safer ssh
there is no such thing as "safe"
ssssssshhhhhh
@@ACium. sshhhh, its "safer", not "safe"
Hahaha I see what you did here!
Don't google sssh 🤣Straight to PH
This has all my windows people at work scream LINUX VIRUS and im so exhausted of telling them it would take literal hours and using fail2ban is a dead simple mitigation any public server should have anyway. Ugh... That said, this explanation was really good! Reminds me of the late Tetris level shenanigans where VBlank interrupts cause almost the same situation - albeit of a different nature.
the regression has been fixed anyway already even my old ubuntu lts jammy pi home server already got a patch for it
Like OpenSSH is not present on Windows also...
Be sure to update your fail2ban sshd filter after installing openssh 9.8 ;)
This is also more exploitable as the paper mentioned on 32-bit CPUs... which in 2024, who is seriously even using 32-bit for anything, let alone a server on the Internet for anything productive? So, this is essentially a very minor issue in my eyes and shouldn't affect that many people or servers.
...i have heard whispers & jokes of "Linux" & "packet sniffing": But they're so busy laughing that I cannot understand what they're saying... Can you comment on this at all ?
Just wanna say I love your vids man , high prod quality and clear description of the issue.
very well explained. i love that the vulnerability is put under real word context and report is not just a scary click bait. if one has a cloud server e.g. amazon, they should limit their client IP address for that ssh port.
Is that the recommended method? I also always thought It would be risky to use an ssh server outside my home network. But don't know what to do instead. What if there is a coffee shop with the same provider and open wifi nearby. Wouldn't they also have the same IP? Of course it would still be a lot harder to hack the server than.
@@leokappler2282 , your ISP typically assigns an unique but non-permanent address for each location. so your server would see different ip address at your coffee shop vs your home address unless you tunnel through your home address.
Oh boy, the rewrite in rust gang is coming!
OH LAWD! HE COMIN!
Is Rust also Thread Safe?!
@@gavabundo_0072that’s like half the whole point
@@gavabundo_0072 This vulnerability is about signal safety - that is a whole other level of safety that Rust does not provide. When the signal handler is invoked in this exploit, the heap is corrupt. If you do anything with the heap at that point, you are bound to have something exploitable and a signal handler is Rust CAN interact with the heap.
we gonna be ruSHing
Great job explaining this vulnerability. But I think you got the LoginGraceTime part wrong. According to sshd_config's man page: "The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit." - Which could result in a DoS if the maximum unauthorized connections are exhausted.
That's exactly what the paper points out. (10:58)
Please add sections to your video! 🙂
Especially for experts, it is nice to skip stuff like explanations what SSH is.
@@ForcefighterX2 +10000000
Interesting video & well explained. I'll be coming back to this channel for more content like this, good stuff! 👍
What an excellent explanation, you are a great teacher.
Subscribed!
@0:27 "...not that scary"
Title: ABSOLUTELY WILD !!!!
😂😂
great point! 🤣
Think of a giraffe. Wild? Wild. Scary? Not so much.
This is how we all live now
@@szelest88 Yeah, what they pulled off is insane and I now have much more respect for that company. I may actually attend their next webcast.
@@szelest88 *a wild exploit has appeared*
😆
That's it, you're going into the Rust rewriter
Your explaination for laypersons is very very good. I'm not a programmer or security expert by any means, but found it was easy to comprehend thanks to your summary
10:51 It does not close it immediately but rather does not close it at all. That's why as researchers mention it make you vulnerable to dos attacks as attacker does not have time limit for spawning too many waiting logins
Which could easily be a bigger problem than a vulnerability with no known exploit.
This is a really high quality and useful video for me. It makes me look smart to my bosses. Thank you :)
Finally! I don't have to worry about forgetting my password anymore.
Great video and breakdown!
Great coverage on the subject when everyone else is screaming everything could be on fire. Seriously though big points to reviewing the mitigations and explaining the exploit in a easy to consume video!
Great stuff. Thanks ever so much LLL!
Great video and explanation
Great content! Thank you!
Crazy exploit! Thanks for making me aware to this
Was waiting for this vid
I swear every time I get a notification from low level learning it's some scary vulnerability that may affect one of my systems
the last time I was this early the queen was still alive
The Queen is still alive though? 🤔
I'll be embarrassed if I check the news and see that Camilla has died...
@@MenaceInc The Queen that actually mattered, not the current one
@@mochafennec Victoria? Zenobia? Cleopatra? Freddie Mercury?
Reminds me of one of the exploits in the chain for Eternal Blue.
I wanted to touch on something you noted late in the video, regarding recommending not exposing SSH on the internet, which invites the question of what do you suggest instead? You can do a lot to try and isolate management networks/etc, but ultimately you need a legitimate way in. Your argument that 'code can have bugs' applies to pretty much anything, we've seen various firewall vendor and VPN bugs in the past, so they're not different. How would you handle remote access?
unfortunately imo the only other way is IP address whitelisting. it's not pretty but it significantly reduces the attack surface
@@LowLevelLearning I can agree with you on that. Sometimes that presents a practicality problem, but it does significantly improve the posture when possible. And then in the case of this particular bug, something like fail2ban would probably go a long way in mitigation (though not closing off the bug entirely), given the large number of tries required. Thanks as always for the great content!
@@NigelVH One low-tech way to reduce risk is to require a port knock or similar. It's primitive, but still sufficient to stop most attacks.
Run SSH on a non-standard port, use fail2ban, or limit what IP blocks you allow to access (if you're in the US, do you need to allow access from other continents?).
For big organizations that have their own IPv4 blocks they got from a RIR it's super easy, you just only allow from your own IP blocks and reject everything else
I think he was referring to don't connect it to the internet while using the vulnerable version, not don't use SSH for its intended purpose ever. If that's what he did mean, then there's a couple of things you can do like whitelisting only specific IPs, or port knocking, but these only reduce the attack surface not make it safe. IMO its worth the risk if you take proper cautions like, IP address whitelisting, but not using a tool just because there's a possibility it could be vulnerable is dumb.
I sent a similar video to someone at my office. He's like: updating the libraries now. We then talked about the importance of testing known weak points in code (since it was a regression). Gotta keep an eye on known previous points of failure.
It's amazing, the blogger is really creative and worth watching
Love your content.
Can you imagine any legacy devices common on local networks that use the vulnerable ssh? Perhaps even those not owned by the user
I think one of the best things you can do to secure your own Internet-connected server is to set up a system where you touch a specific port in a specific way to open up another port forward for the actual service. Without the initial poke at the ports, the server is never exposed to the Internet directly.
I believe this is known as "port knocking".
This is just security through obscurity.
That seems like an art piece or concept work... A meandering of what's possible, might not be practical but possible and clever none the less.
So if i understand correctly, the exploiter injects the required function pointers for shell root onto to the compromised heap via the certificates being sent?
kind of video you wanna see right after starting openSSH
frfr just setup my vps yesterday for a minecraft ds-lite nat proxy tunnel and well haha sudo apt update sudo reboot
Same! I learnt more about `ssh` and `tmux` JUST YESTERDAY and now I get to watch this!
...
Thank you, Ed. At least I know how to keep my `ssh` connections more secure _nauw!..._
thanks for the great explanation.
I don't personally like your implied criticism of open source software twards the end of these kinds of videos. While I understand being cautious, it makes it kinda feel like its somehow a bad solution to an other wise worse alternative. Personally I think instilling fear in something that has been the better choice in security since the dawn of the internet is not a good idea. I do agree that its not perfect, but until theres an objectively better option, I would prefer that you didn't make it sound as if the world is going to collapse because we rely on the better of our options in software security.
How well can that 4-6 hours be parallelized? If an attacker can work on thousands+ of targets simultaneously then it still seems pretty bad
You need a pretty stable connection for race conditions. So, working on thousands of targets would be extremely expensive.
@@somebodystealsmyname Establishing SSH connections costs very little bandwidth. Depending on the exact timing, AWS may not be enough. But a small host with good connectivity to your target ranges, which can be established with a BGP looking glass, and many of these have very limited to no KYC -- those are great for these attacks
already covered in the video. OpenSSH throttles new connections to... 100 in a second? which is why it takes 3-4 hours based on how quickly it allows connections to come in.
I mean yeah you're right, this isn't the kind of exploit to some random individual is going to use to hack into a bunch of servers. But for extremely sophisticated, targeted attacks, stuff like this can be and is exploited.
Great vid!
What a champ and good explainer.
A phrase to parallel JerryRigEverything: “Code is code, and code breaks”
@@callumbirks I have written unbreakable code
observe
int main() {
return 0;
}
yo, i'm no code guy but enjoy stuff like this from u, primeagen, dave's garage n the likes, i appreciate the logic n informative value u guys bring
This sounds like an early implementation of a TAS speed run with a wrong warp. It sounds impossible to execute but determined people can make these issues exploitable at a moment’s notice.
Yuffie mentioned.
@LowLevelLearning Have they completed the 64bit PoC yet? Last I saw they still only had only successfully exploit in 32-bit. However, they were working on a 64-bit version
Thx for ur efforts to do this video, one simple question, wouldn’t be awesome if the developers of OpenSSH project rewrite most of their base code using Rust language! Due to enormous hype about it, in which of its core features eliminating race conditions and other memory faulty stuff?!
For critical projects like this (at the very least), there should be a process built into the commit procedure that checks for various types of vulnerabilities, and especially for specific vulnerabilities that were previously found and patched.
This is literally the meaning of "grace" and since it was implement it has always been known to be a potential vulnerability.
I rarely had to do signal handlers but the first thing I do is making sure no mallocs are reachable.
So simplest way to protect is set LoginGraceTime = 0 and all even old versions sould be "safe". Is this exploit only for x86 arch? does arm32 also affected? Thinking about rasberry pi platform connected to web.
Next major version, rewritten OpenSSH with Rust.
Noob question, is LibC needed for system runtime, or is it an optional component used for compiling and so on?
5:05 maybe I’m just out of it but has anyone else had the thought “Malloc Baldwin” randomly before?
Internet, please say I’m not alone in this 😅
timing here is interesting. would an attack perhaps be exploitable faster with less network latency deviation (e.g. intra-datacenter exploits) i would presume attack could be performed much faster if you knew additional information about where in the cloud your victim is hosted and network link speeds are much more predictable.
The 10000 tries the researchers got were under lab conditions. So it will mostlikely be longer in real world conditions.
Think the research group the lowest latency they were attempting at was 10ms or something crazy low like that.
Thanks.
"Accidentally"
"Would rust have fixed this bug?"
Yes. You can screw up with signals in Rust, but you kind of have to try.
I don’t think so. A signal handler in Rust can interact with the heap which will expose you to similar issues. At the time the signal handler is invoked, the heap is in a corrupt state. There is surely a way to exploit that, even if it isn’t exactly the same bug.
@@deanjohnson8233 signals would typically be handed by Tokio or some other crate like signal_hook. These would avoid mistakes like interacting with the heap inside a signal handler. Rolling your signal handling in Rust would count as trying to be insecure to me.
@@deanjohnson8233Hol' up.
The paper mentions "if any one of these 24 free() calls is interrupted..." and "hence free(), which is not async-signal-safe". Generally in rust, whether you're in async or sync code, the compiler makes sure all the memory is deallocated once an item goes out of scope. This stands true even if the thread panics.
On top of that, you also have the type system that prevents you from using and sending non async-safe types (including functions) across multiple threads. I'm pretty sure there are still ways to screw up, but rust would make it very hard to do in the first place.
@@SanguinariusUmbra yeah but the lower levels arent made in rust. So rust is dead in the water.
Finally! I found someone that also pronounces it as 'daymon' instead of 'deamon'! A.k.a. the correct way!!!!!
Have you ever made a video on the Intel Management Engine? My professor in my OS class mentioned that every Intel chip has its own OS that is based on Minix3. I've read people call it "ring -3", and so Intel basically has a root kit on every Intel PC. I would be interested to hear your thoughts on this
Basically while the OpenSSH "regreSSHion" vulnerability sounds concerning, it's not a major threat. Exploitation is complex and requires hours of attempts under specific conditions, making widespread attacks unlikely. Many systems already have mitigations like brute-force detection in place, and the scope is limited to certain OpenSSH versions. Patch your systems
...no need to panic.
Setting LoginGraceTime to zero does not log you out after 1 failed attempt. It appears to remove a login time limit completely. While it's good to always be using the latest releases, if you are set up to disconnect after three failed attempts, is this problem moot, since timing is not involved?
Would you be able to do a video explaining ASLR? I understand the basic concept, but don't understand how it doesn't cause code to break.
10:20 So what is the alternative? Of course only having physical access to a server would be the most secure option but it is not practicable. What else can be done apart from using software such as fail2ban and putting the SSH server on a non standard port?
that sounds a lot like the kind of attacks that first kinds of hacks found on consoles to bypass protection
How would i setup my server if i wont expose ssh and still want to access it.
Use vpn to connect to network? Only allow certain ips?
so.. rustdesk x wireguard is more secure? didnt once see the point of remote control that is command line only
Would this work on ARM32 architecture? All those routers with no updates. Millions of IOT devices too. Defeating ASLR with ret2plt in non PIE binaries is something that can be done I believe. Is this a left backdoor? 🙄
2:55 yeah that article is thicc!
Is this why Xbox login (like for Minecraft) was down for 6 hours yesterday?
I usually encounter a ssh proxy. And that second level rate limits you.
all my ssh endpoints are only accessible on the assigned wireguard interface.
3:32 Not really C programming, more "I code on top of an OS" programming.
It's just that especially scripting languages don't let you interact with them directly.
Java for example uses signals to detect when you dereference a null pointer and instead of dying you get a NullPointerException.
But you can (and kinda have to) interact with signals in every at least system level programming language.
Good thing I had to power off my server due to no electricity
How do you create ASCII diagrams as shown at 6:10 ?
I love your glasses
I do not know much about this topic, but I always wondered what even the advantage of code and data sharing the same memory is? Wouldn't this kind of exploit be impossible if the PC could never point to a block of data?
Bro said "code is code." genius.
I guess C programmers need some assistence from the type system, which allows only async safe code in signal handlers. Can Rust achieve such restrictions?
I have a live trail of my fail2ban audit log on a monitor of my little 1$ VPS and boy I think I have witnessed attemps to use this since the log is exploding from 1 sec to another only from connects and disconects (no jails since they dont try logging in).
The authors of the paper quoted song lyrics by a band called The Interrupters in each chapter.
Автор видоса рассказал про отличную связку, давно на вас подписан в тг!
oh yeah, be sure to be up to date for all the security fixes
Portable version only, that is, not using BSD kernel. Plus unlikely if you are not a big target (like a public ip address)
I think you’re the only youtuber who covers this with proper manner instead of reading some news outlet who wrote no background of programming
Wouldn't it be trivial to protect against this by using a system that blocks IPs after several invalid login attempts (like Crowdsec, fail2ban, denyhosts, etc)?
You missed one of the interesting bits - why it's a regression. OpenBSD implemented a signal-safe version of syslog() so they cleaned up the signal handler to use that. But ports without safe syslog() became vulnerable again because OpenSSH depended on the safe OpenBSD version. It's a fascinating interaction where making things safer paradoxically opened a vulnerability. I don't know what the answer is - everybody should be watching what OpenBSD does and following suit but that takes time to catch up. maybe OpenBSD needs to drastically rename interfaces when they fix them so it's extremely obvious that using the older interface is dangerous? This isn't the first time porting OpenSSH has caused problems, and probably won't be the last. Debian famously fixed an uninitialized memory read "error" and generated the same 65,000 SSH keys on every system.
Everything else aside, I'm really happy the paper starts by quoting The Interrupters.
Not worried about it myself but after hearing you need multiple connections would fail2ban not also fix the issue?
Kind of. It does jail, but only short term from what I’ve seen. And even then it needs to be tuned since it can miss things. It’s possible for someone to attack all day up to the 60’s and not get stopped. I’m sure someone has better info on the subject but that’s what I’ve seen.
The way you say qualys as "qualles" 0:12 😵💫
Not me typing in my shell ssh -V asap
But if this really boils down to signal + malloc, isn't a lot of software besides OpenSSH affected? And does this mean that signals are useless for everything except maybe doing some cleanup and logging before shutting the process down?
I really hope I misunderstood something.
Every time when i see exploit like this i wonder, maybe it is not feasible for remote access, but could be used for privileges escalation for local users and rooting phones, consoles etc.