OpenSSH signal-handling race condition vulnerability

Vulnerability information

Vulnerability name: OpenSSH signal-handling race condition vulnerability

Vulnerability identifiers:

  • CVE: CVE-2024-6409

Vulnerability type: privilege escalation

Severity: high

Description: OpenSSH is a widely used open-source implementation of the SSH protocol for secure remote login, file transfer and similar operations, and is a standard component of many Linux and Unix systems. The vulnerability lies in the signal-handling mechanism of the OpenSSH server (sshd). Specifically, when a remote attacker fails to complete authentication within the configured time, sshd's SIGALRM handler is invoked asynchronously. However, that signal handler calls several functions that are not async-signal-safe, including syslog(), which introduces a race condition. If exploited successfully, this design flaw could allow an attacker to achieve remote code execution (RCE) as the unprivileged user under which the sshd service runs. Because OpenSSH is so widely deployed, the vulnerability's reach is large, and an attacker could use it to escalate privileges without authorization and take control of affected systems. Given the severity of the vulnerability and the potential attack surface, all users of affected OpenSSH versions are advised to upgrade to a fixed version as soon as possible.

Vendor: OpenSSH

Product: OpenSSH

Affected versions: 8.7 <= version <= 8.8

Source: https://github.com/projectdiscovery/nuclei-templates/blob/4d108d69ca82153ca12a54a84d44388807e134b2/network%2Fcves%2F2024%2Fcve-2024-6409.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC details


id: cve-2024-6409

info:
  name: OpenSSH CVE-2024-6409
  author: bahlawi89
  severity: high
  description: |
    A race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd).
    If a remote attacker does not authenticate within a set time period, then sshd's SIGALRM handler is called asynchronously.
    However, this signal handler calls various functions that are not async-signal-safe, for example, syslog().
    As a consequence of a successful attack, in the worst case scenario, an attacker may be able to perform a remote code execution (RCE) as an unprivileged user running the sshd server.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-6409
  metadata:
    cve-id: CVE-2024-6409
    cvss-score: 7.0
    verified: true
  tags: cve,cve2024,openssh,CVE-2024-6409

network:
  - inputs:
      - data: "\n"
    host:
      - "{{Hostname}}"
    port: 22
    matchers-condition: and
    matchers:
      - type: regex
        name: is_openssh
        regex:
          - 'SSH-.*OpenSSH'
      - type: regex
        name: vulnerable
        regex:
          - 'OpenSSH_8\.7(?:[^0-9]|$)'
          - 'OpenSSH_8\.8(?:[^0-9]|$)'
        condition: or
    extractors:
      - type: regex
        name: banner
        regex:
          - '^(SSH-[^\r\n]+)'
        group: 1



http://example.com/2025/07/23/github_1789255041/
Author
lianccc
Published on
23 July 2025