
OpenSSH critical vulnerability CVE-2024-6387
Notice: this article was published by its author (软软学姐); reproduction requires the author's consent and must credit the source (0XUCN) and link to this page.
Qualys today disclosed a security vulnerability they found in the OpenSSH server that allows remote, unauthenticated code execution. OpenSSH servers running on Linux with the GNU C Library (glibc) are affected by CVE-2024-6387, dubbed "regreSSHion", a play on "SSH" and "regression".
A signal handler race condition in the OpenSSH server can lead to unauthenticated remote code execution. Multiple OpenSSH releases on Linux, going back years, are affected.
CVE-2024-6387 has a wide impact, so verify and patch immediately. The verification script is as follows:
```python
import socket
import argparse
import ipaddress
import threading
from queue import Queue


def is_port_open(ip, port):
    """Return True if a TCP connection to ip:port succeeds within 1 second."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(1)
    try:
        sock.connect((ip, port))
        return True
    except OSError:
        return False
    finally:
        sock.close()


def get_ssh_banner(ip, port):
    """Read the server's SSH identification string (the server sends it first)."""
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(2)
        sock.connect((ip, port))
        banner = sock.recv(1024).decode(errors="replace").strip()
        sock.close()
        return banner
    except Exception as e:
        return str(e)


def check_vulnerability(ip, port, result_queue):
    if not is_port_open(ip, port):
        result_queue.put((ip, port, 'closed', "Port closed"))
        return

    banner = get_ssh_banner(ip, port)
    if "SSH-2.0-OpenSSH" not in banner:
        result_queue.put((ip, port, 'failed', f"Failed to retrieve SSH banner: {banner}"))
        return

    # Upstream version strings listed as affected. A banner match cannot see
    # distribution backports, so a hit means "likely vulnerable", not confirmed.
    vulnerable_versions = [
        'SSH-2.0-OpenSSH_8.5p1',
        'SSH-2.0-OpenSSH_8.6p1',
        'SSH-2.0-OpenSSH_8.7p1',
        'SSH-2.0-OpenSSH_8.8p1',
        'SSH-2.0-OpenSSH_8.9p1',
        'SSH-2.0-OpenSSH_9.0p1',
        'SSH-2.0-OpenSSH_9.1p1',
        'SSH-2.0-OpenSSH_9.2p1',
        'SSH-2.0-OpenSSH_9.3p1',
        'SSH-2.0-OpenSSH_9.4p1',
        'SSH-2.0-OpenSSH_9.5p1',
        'SSH-2.0-OpenSSH_9.6p1',
        'SSH-2.0-OpenSSH_9.7p1'
    ]

    if any(version in banner for version in vulnerable_versions):
        result_queue.put((ip, port, 'vulnerable', f"(running {banner})"))
    else:
        result_queue.put((ip, port, 'not_vulnerable', f"(running {banner})"))


def main():
    parser = argparse.ArgumentParser(description="Check if servers are running a vulnerable version of OpenSSH.")
    parser.add_argument("targets", nargs='+',
                        help="IP addresses, domain names, file paths containing IP addresses, or CIDR network ranges.")
    parser.add_argument("--port", type=int, default=22, help="Port number to check (default: 22).")
    args = parser.parse_args()

    targets = args.targets
    port = args.port
    ips = []

    # Each target is tried as a file of addresses first, then as CIDR, then as a host.
    for target in targets:
        try:
            with open(target, 'r') as file:
                ips.extend(file.readlines())
        except IOError:
            if '/' in target:
                try:
                    network = ipaddress.ip_network(target, strict=False)
                    ips.extend([str(ip) for ip in network.hosts()])
                except ValueError:
                    print(f" [-] Invalid CIDR notation: {target}")
            else:
                ips.append(target)

    result_queue = Queue()
    threads = []

    for ip in ips:
        ip = ip.strip()
        if not ip:
            continue  # skip blank lines from input files
        thread = threading.Thread(target=check_vulnerability, args=(ip, port, result_queue))
        thread.start()
        threads.append(thread)

    for thread in threads:
        thread.join()

    total_scanned = len(ips)
    closed_ports = 0
    not_vulnerable = []
    vulnerable = []

    while not result_queue.empty():
        ip, port, status, message = result_queue.get()
        if status == 'closed':
            closed_ports += 1
        elif status == 'vulnerable':
            vulnerable.append((ip, message))
        elif status == 'not_vulnerable':
            not_vulnerable.append((ip, message))
        else:
            print(f" [!] Server at {ip}:{port} is {message}")

    print(f"\n Servers not vulnerable: {len(not_vulnerable)}\n")
    for ip, msg in not_vulnerable:
        print(f" [+] Server at {ip} {msg}")
    print(f"\n Servers likely vulnerable: {len(vulnerable)}\n")
    for ip, msg in vulnerable:
        print(f" [+] Server at {ip} {msg}")
    print(f"\n Servers with port {port} closed: {closed_ports}")
    print(f"\n Total scanned targets: {total_scanned}\n")


if __name__ == "__main__":
    main()
```
Usage
python CVE-2024-6387_Check.py <targets> [--port PORT]
Examples
Single IP
python CVE-2024-6387_Check.py 192.168.1.1
Multiple IPs and Domains
python CVE-2024-6387_Check.py 192.168.1.1 example.com 192.168.1.2
CIDR Range
python CVE-2024-6387_Check.py 192.168.1.0/24
With Custom Port
python CVE-2024-6387_Check.py 192.168.1.1 example.com --port 2222
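As an added example (not part of the original post or the checker script above), here is a banner classifier that parses the OpenSSH version numerically instead of substring-matching a fixed list: it treats upstream 8.5 through 9.7 as affected, exactly the range listed above, and reports banners that carry a distribution suffix separately, since distro packages often backport the fix without changing the upstream version string. The host names and banners are constructed samples; `classify_banner` and `triage` are names chosen here.

```python
import re

# Affected upstream range, matching the list in the checker above:
# 8.5p1 up to but not including the 9.8 release that carries the fix.
AFFECTED_FROM = (8, 5)
FIXED_AT = (9, 8)

# SSH-2.0-OpenSSH_<major>.<minor>[p<patch>][ <distro suffix>]
BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?(?:\s+(.*))?$")


def parse_openssh_banner(banner):
    """Return (major, minor, patch, suffix) or None if this is not an OpenSSH banner."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), (int(patch) if patch else None), (suffix or "")


def classify_banner(banner):
    """Classify a banner offline: vulnerable / not_vulnerable / check_backport / unknown."""
    parsed = parse_openssh_banner(banner)
    if parsed is None:
        return "unknown"          # not OpenSSH (or garbled); needs manual review
    major, minor, _patch, suffix = parsed
    if AFFECTED_FROM <= (major, minor) < FIXED_AT:
        # A vendor suffix (Ubuntu-..., Debian-...) means the package may already
        # carry a backported fix; confirm via the distro's package changelog.
        return "check_backport" if suffix else "vulnerable"
    return "not_vulnerable"


# Constructed sample banners, not captured from any real host.
SAMPLE_BANNERS = {
    "host-a": "SSH-2.0-OpenSSH_9.7p1",
    "host-b": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3",
    "host-c": "SSH-2.0-OpenSSH_8.4p1",
    "host-d": "SSH-2.0-dropbear_2022.83",
}


def triage(banners):
    """Group host names by classification, the list a defender patches from."""
    groups = {}
    for host, banner in banners.items():
        groups.setdefault(classify_banner(banner), []).append(host)
    return groups


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_BANNERS).items():
        print(f"{status}: {', '.join(hosts)}")
```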
Exploit scripts are already circulating online, so upgrade immediately. For example:
https://github.com/zgzhang/cve-2024-6387-poc
https://github.com/acrono/cve-2024-6387-poc