Insane Vulnerability In OpenSSH Discovered

preview_player
Показать описание
Recorded live on twitch, GET IN

### Article

### My Stream

### Best Way To Support Me
Become a backend engineer. Its my favorite site

This is also the best way to support me is to support yourself becoming a better backend engineer.

MY MAIN YT CHANNEL: Has well edited engineering videos

Discord

  1. ThePrimeTime
  2. programming
  3. software engineer
  4. software engineering
  5. developer
  6. web design
Рекомендации по теме
this SSH exploit 0:11:59

this SSH exploit is absolutely wild

Linux got wrecked 0:04:32

Linux got wrecked by backdoor attack

new linux exploit 0:08:29

new linux exploit is absolutely insane

How a Hacker 0:15:57

How a Hacker Saved The Internet

Unauthenticated RCE was 0:13:23

Unauthenticated RCE was Found in OpenSSH - RegreSSHion - CVE-2024-6387

secret backdoor found 0:08:28

secret backdoor found in open source software (xz situation breakdown)

regreSSHion: Old OpenSSH 0:14:06

regreSSHion: Old OpenSSH Vuln Returns With A Vengeance

What Everyone Missed 0:20:24

What Everyone Missed About The Linux Hack

Explaining Your Job 0:02:54

Explaining Your Job To Your Boomer Boss | Mr. Robot

Nmap Tutorial to 0:17:09

Nmap Tutorial to find Network Vulnerabilities

Deep Dive into 0:32:45

Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots

OpenSSH backdoor'ed via 0:45:32

OpenSSH backdoor'ed via XZ & Systemd on RedHat & Debian systemd: multi-year effort by s...

How to know 0:10:19

How to know if your PC is hacked? Suspicious Network Activity 101

Shodan Secrets: Find 0:06:03

Shodan Secrets: Find Vulnerable devices EASY - Tutorial

learning hacking? DON'T 0:12:49

learning hacking? DON'T make this mistake!! (hide yourself with Kali Linux and ProxyChains)

Stop Using Tor 0:11:41

Stop Using Tor With VPNs

Remotely Control Any 0:04:59

Remotely Control Any PC in 4 mins 59 seconds

How Hackers Remotely 0:09:47

How Hackers Remotely Control Any PC?!

Haunt a Computer 0:19:10

Haunt a Computer Using SSH [Tutorial]

how to get 0:20:08

how to get remote access to your hacking targets // reverse shells with netcat (Windows and Linux!!)

How to hack 0:00:37

How to hack WebCams

60 Hacking Commands 0:27:01

60 Hacking Commands You NEED to Know

Remote Command Execution 0:12:56

Remote Command Execution Explained and Demonstrated!

how hackers hack 0:09:06

how hackers hack any website in 9 minutes 6 seconds?!

Комментарии
Автор

So this is the backdoor that 10x dev was talking about?

pearshaped
Автор

My phone started blowing up last night right as I was about to take a shower. I was sitting there checking our infra butt naked. Jokes on me, the version of OpenSSH on our servers was old enough to not be impacted.

alexanderjordan
Автор

this dyslexic man is doing his best to read for us and you're laughing

tato-chip
Автор

Curious that they mention that the code that fixed this was "accidentally removed" again and again. Knowing what we know about agents introducing backdoors intentionally, how are they so sure that this was an accident? Not saying we should immediately start pointing fingers for sure, but going to the other extreme and emphasizing it was an "accident" without knowing it to be so also seems like a dangerous assumption.

SundaraRamanR
Автор

Rare case when hacking/it security really looks like it's imagined to be: reading source code for hidden vulnerabilities that can be exploited with incomprehensible dark magic.

Lvvn
Автор

19:40 - actually the point is that is packet (with a final byte) is very tiny, it doesn't get segmented and then re-assembled at any point over the internet, hence delivering it is way more reliable from timing perspective, than sending a large chunky boy.

tommybronze
Автор

0:33 we should -thank- *PAY* OpenSSH devs for their work.

orterves
Автор

29:00 - they send authentication KEY - which is memcopied from packet into the memory for auth checking - this is why it's important to cause sigalarm while it's being checke, because they KEY is the malicious payload that when executed right jumps the execution pointer to "yes this dude is valid and give him shell"

tommybronze
Автор

I just came here to say that this doesn't affect OpenBSD, the project that created and maintains OpenSSH.

AntranigVartanian
Автор

Malloc internals (and the internal locking mechanisms) are some advanced voodoo. My traumatic encounter with malloc internals:

A few years back I was troubleshooting what we thought was a memory leak. Turned out it wasn't a leak per se; what had happened was that a new "optimization" had been added to glibc's malloc implementation, which attempted to mitigate lock contention by creating new heap arenas whenever two threads collided on a lock. The idea being that threads which did a lot of malloc/free calls would effectively get their own dedicated heap arenas (eventually), thereby minimizing future lock contention.

Problem was, over time this would cause the number of heap arenas to asymptotically approach the number of threads. And since heap arenas were created with a certain minimum size (64MB IIRC), in a long-running application with hundreds of threads you could eventually chew up ridiculous amounts of RAM.

Mitigation involved setting an environment variable to cap the maximum number of heap arenas, and living with the (tiny) performance hit from heap lock contention.

MikeU
Автор

6-8 hours sounds long, but if you target the attack to start overnight or on on the weekend, that's incredibly serious.

alexlowe
Автор

'So we started reading glibc malloc code'

IsZomg
Автор

Just something to note, just checking the package version is not enough to assert the package is vulnerable, debian and ubuntu often backport patches for CVEs from later software versions, so even if you are using a supposed "vulnerable" version, if you check the package notes (and the package per se) you will see a lot of patches, especially in LTS versions.

ElMarcoh
Автор

I'm a normie corporate guy who manages some websites. This is such a great channel just for late-breaking security news.

Thank you!

nateofthesouth
Автор

Im just a dumb web developer and don't understand any of this

faarao
Автор

I'm just thrilled to see so many references to one of my favorite modern ska bands! :D

CaptTerrific
Автор

Gotta get LowLevelLearning in on this, this stuff is his bread and butter

xB-ygiw
Автор

On Unbuntu servers 1 line patch is: pro fix CVE-2024-6387

Binxalot
Автор

Wonder if something like the delay symptom they spotted in that xz backoor could be used to nail this window more consistently?

Like a minor issue in one oss giving better odds at a basically probabilistic attack on another...

carchocolate
Автор

TL;DR: ssh was supposed to use single-threaded but was executed as effectively multi-threaded thanks to SIGALARM being implemented incorrectly (single-threaded program should not cause any non-volatile changes to program state from SIGALARM handler).

Had all of ssh been written as multi-threaded code the SIGALARM handler would have worked as expected because it would have had to use proper locking to access shared memory structures. Of course, that would have been true only if somebody had been able to write *correct* multi-threaded code in C – that is, without any security vulnerabilities. Even Linux kernel fails this every now and then.

Human programmers are not careful enough to write security sensitive code in C except for random happy mistakes.

Update: 41:05 Yes, in other words it's re-entrant bug. Shouldn't happen in single-threaded code in theory but incorrectly written signal handlers can break those assumptions.

MikkoRantalainen
welcome to shbcf.ru