
OpenSSH 核彈級漏洞CVE-2024-6387
聲明:該文章由作者(軟軟學姐)發表,轉載此文章須經作者同意並請附上出處(0XUCN)及本頁鏈接。
Qualys 今天公布了他們在 OpenSSH 服務器中發現的一個安全漏洞,該漏洞可導致遠程、非認證代碼執行。在 Linux 環境下使用 GNU C 庫(glibc)運行的 OpenSSH 服務器容易受到 CVE-2024-6387 的攻擊,該漏洞被稱為"RegreSSHion",是"SSH"和"regression"的諧音。
OpenSSH 服務器中的信號處理器競賽條件可導致未經驗證的遠程代碼執行。Linux 上多年前的多個 OpenSSH 版本都受到了影響。
CVE-2024-6387 影響範圍較大,請立即驗證並修復,驗證腳本如下。注意:該腳本僅根據 SSH 橫幅(banner)中的版本字符串進行判斷,無法識別發行版回移植的補丁,也無法識別被修改或隱藏的橫幅,結果應以實際安裝的軟件包版本和廠商安全公告為準:
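import argparse
import ipaddress
import socket
import threading
from queue import Empty, Queue

# Upper bound on concurrent probe threads, so that a large CIDR range or
# target file does not spawn one thread per address.
MAX_WORKERS = 64

# Banner prefixes this script reports as likely vulnerable to CVE-2024-6387.
#
# Matching is purely on the version string the server advertises, so a hit is
# an indicator, not proof: distributions commonly backport fixes without
# changing the advertised upstream version, and the banner can be altered or
# hidden. Confirm with the installed package version and the vendor advisory.
#
# NOTE(review): releases that are not listed here are reported as
# "not_vulnerable" without any further assessment. Check the advisory for
# affected releases outside this list before relying on that verdict.
VULNERABLE_BANNERS = (
    'SSH-2.0-OpenSSH_8.5p1',
    'SSH-2.0-OpenSSH_8.6p1',
    'SSH-2.0-OpenSSH_8.7p1',
    'SSH-2.0-OpenSSH_8.8p1',
    'SSH-2.0-OpenSSH_8.9p1',
    'SSH-2.0-OpenSSH_9.0p1',
    'SSH-2.0-OpenSSH_9.1p1',
    'SSH-2.0-OpenSSH_9.2p1',
    'SSH-2.0-OpenSSH_9.3p1',
    'SSH-2.0-OpenSSH_9.4p1',
    'SSH-2.0-OpenSSH_9.5p1',
    'SSH-2.0-OpenSSH_9.6p1',
    'SSH-2.0-OpenSSH_9.7p1',
)


def _printable(text):
    """Replace non-printable characters in *text* with '?'.

    The banner is attacker-controlled data that ends up on the operator's
    terminal, so control characters (e.g. escape sequences) are neutralised.
    """
    return "".join(ch if ch.isprintable() else "?" for ch in text)


def is_port_open(ip, port):
    """Return True if a TCP connection to (ip, port) succeeds within 1 second.

    Any resolution, connection or argument error is treated as "not open".
    The socket is always closed, including on failure.
    """
    try:
        with socket.create_connection((ip, port), timeout=1):
            return True
    except (OSError, ValueError, OverflowError):
        # OSError: refused / timed out / unresolvable host.
        # ValueError / OverflowError: malformed host name or out-of-range port.
        return False


def get_ssh_banner(ip, port):
    """Return the first bytes a server sends on (ip, port), decoded and stripped.

    On any failure the exception text is returned instead of a banner; the
    caller tells the two apart by looking for the OpenSSH identification
    string. Non-printable characters are replaced before returning.
    """
    try:
        with socket.create_connection((ip, port), timeout=2) as sock:
            raw = sock.recv(1024)
    except Exception as exc:
        return str(exc)
    # errors="replace": a non-UTF-8 banner should not abort the check.
    return _printable(raw.decode(errors="replace").strip())


def check_vulnerability(ip, port, result_queue):
    """Probe one host and put (ip, port, status, message) on *result_queue*.

    status is one of 'closed', 'failed', 'vulnerable', 'not_vulnerable'.
    The verdict is derived only from the advertised banner; see the note on
    VULNERABLE_BANNERS for what that does and does not establish.
    """
    if not is_port_open(ip, port):
        result_queue.put((ip, port, 'closed', "Port closed"))
        return

    banner = get_ssh_banner(ip, port)
    if "SSH-2.0-OpenSSH" not in banner:
        result_queue.put((ip, port, 'failed', f"Failed to retrieve SSH banner: {banner}"))
        return

    if any(version in banner for version in VULNERABLE_BANNERS):
        result_queue.put((ip, port, 'vulnerable', f"(running {banner})"))
    else:
        result_queue.put((ip, port, 'not_vulnerable', f"(running {banner})"))


def _scan_worker(tasks, port, result_queue):
    """Drain *tasks*, running check_vulnerability on each queued address."""
    while True:
        try:
            ip = tasks.get_nowait()
        except Empty:
            return
        try:
            check_vulnerability(ip, port, result_queue)
        except Exception as exc:
            # Keep the worker alive so one bad target cannot stall the scan.
            result_queue.put((ip, port, 'failed', f"Failed to retrieve SSH banner: {exc}"))


def main():
    """Parse the command line, scan every target and print a summary."""
    parser = argparse.ArgumentParser(description="Check if servers are running a vulnerable version of OpenSSH.")
    parser.add_argument("targets", nargs='+', help="IP addresses, domain names, file paths containing IP addresses, or CIDR network ranges.")
    parser.add_argument("--port", type=int, default=22, help="Port number to check (default: 22).")
    args = parser.parse_args()
    port = args.port

    ips = []
    for target in args.targets:
        try:
            # A target that names a readable file is treated as a host list.
            with open(target, 'r') as file:
                ips.extend(file.readlines())
        except IOError:
            if '/' in target:
                try:
                    network = ipaddress.ip_network(target, strict=False)
                    ips.extend([str(ip) for ip in network.hosts()])
                except ValueError:
                    print(f" [-] Invalid CIDR notation: {target}")
            else:
                ips.append(target)

    # Strip once and drop blank lines so they are neither probed nor counted.
    ips = [entry.strip() for entry in ips]
    ips = [entry for entry in ips if entry]

    tasks = Queue()
    for ip in ips:
        tasks.put(ip)

    result_queue = Queue()
    workers = [
        threading.Thread(target=_scan_worker, args=(tasks, port, result_queue))
        for _ in range(min(MAX_WORKERS, len(ips)))
    ]
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()

    total_scanned = len(ips)
    closed_ports = 0
    not_vulnerable = []
    vulnerable = []

    while not result_queue.empty():
        ip, scanned_port, status, message = result_queue.get()
        if status == 'closed':
            closed_ports += 1
        elif status == 'vulnerable':
            vulnerable.append((ip, message))
        elif status == 'not_vulnerable':
            not_vulnerable.append((ip, message))
        else:
            print(f" [!] Server at {ip}:{scanned_port} is {message}")

    print(f"\n Servers not vulnerable: {len(not_vulnerable)}\n")
    for ip, msg in not_vulnerable:
        print(f"   [+] Server at {ip} {msg}")

    print(f"\n Servers likely vulnerable: {len(vulnerable)}\n")
    for ip, msg in vulnerable:
        print(f"   [+] Server at {ip} {msg}")

    # Report the port that was actually scanned, not a hard-coded 22.
    print(f"\n Servers with port {port} closed: {closed_ports}")
    print(f"\n Total scanned targets: {total_scanned}\n")


if __name__ == "__main__":
    main()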
Usage
python CVE-2024-6387_Check.py <targets> [--port PORT]
Examples
Single IP
python CVE-2024-6387_Check.py 192.168.1.1
Multiple IPs and Domains
python CVE-2024-6387_Check.py 192.168.1.1 example.com 192.168.1.2
CIDR Range
python CVE-2024-6387_Check.py 192.168.1.0/24
With Custom Port
python CVE-2024-6387_Check.py 192.168.1.1 example.com --port 2222
目前網上已經有利用腳本,需要立即升級。如:
https://github.com/zgzhang/cve-2024-6387-poc
https://github.com/acrono/cve-2024-6387-poc