Recently the news of a high severity security risk, shocked the OpenSSH world. Researchers from Qualys Security Advisory showed a remote shell possibility using a double free attach on heap combined with other techniques including unlink & aa4bmo.
In this video I'll try to go a bit deep into this attack and give you leads what to study next if you are interested while describing the technical aspects of this case.
00:00 - CVE-2024-6387
01:23 - Race Condition
04:28 - a look at RegreSSion attack on malloc & free
05:55 - Using Signals & free race condition for attacks
11:00 - How the attack on OpenSSH works
20:10 - aa4bmo attack
22:46 - Why old debian first? No ASLR nor NX
24:29 - Making things faster
OpenSSH change log: https://www.openssh.com/releasenotes....
Qualys Security Advisory: https://www.qualys.com/2024/07/01/cve...
Phrack 0x3d: http://phrack.org/issues/61/6.html#ar...
Delivering Signals for Fun and Profit: https://lcamtuf.coredump.cx/signals.txt