Recently the news of a high-severity security risk shocked the OpenSSH world. Researchers from the Qualys Security Advisory team showed that a remote shell is possible by using a double-free attack on the heap, combined with other techniques including unlink and aa4bmo.
In this video I'll try to go a bit deeper into this attack, describe its technical aspects, and give you leads on what to study next if you are interested.
00:00 - CVE-2024-6387
01:23 - Race Condition
04:28 - A look at the regreSSHion attack on malloc & free
05:55 - Using Signals & free race condition for attacks
11:00 - How the attack on OpenSSH works
20:10 - aa4bmo attack
22:46 - Why old Debian first? No ASLR or NX
24:29 - Making things faster
- OpenSSH change log: [ Link ]
- Qualys Security Advisory: [ Link ]
- Phrack 0x3d: [ Link ]
- Delivering Signals for Fun and Profit: [ Link ]