
OpenSSH vulnerability regreSSHion places hundreds of thousands of servers in danger

“From a theoretical viewpoint, we should discover a helpful code path that, if interrupted at the proper time by SIGALRM, leaves sshd in an inconsistent state, and we should then exploit this inconsistent state contained in the SIGALRM handler,” the researchers wrote in their technical advisory. “From a sensible viewpoint, we should discover a solution to attain this handy code path in sshd and maximize our probabilities of interrupting it at the proper time. From a timing viewpoint, we should discover a solution to further improve our probabilities of interrupting this handy code path at the proper time, remotely.”

The researchers demonstrated the exploit against Linux systems that use the glibc C library, and on 32-bit versions, because ASLR is weaker there as a result of the reduced memory space. However, exploitation on 64-bit systems is also possible, though probably harder.

Against OpenSSH 9.2p1 from the stable version of Debian Linux i386, the researchers needed around 10,000 tries to win the race condition and exploit the flaw. This means between 3-4 hours with 100 concurrent connections and a default LoginGraceTime of 120 seconds. However, because of ASLR, glibc’s address can only be guessed correctly half of the time, so the time for achieving remote code execution with a root shell increases to between 6-8 hours.
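
Because each of those roughly 10,000 tries has to run into the LoginGraceTime limit, an attempt leaves a run of authentication timeouts in the sshd log. The following detection sketch is an added example, not code from the article or the researchers' advisory; it assumes syslog-format sshd logs, and the threshold, window, year and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in syslog format (documentation IP ranges, not real hosts).
SAMPLE_LOG = [
    f"Jul  1 10:0{i}:00 host sshd[{1000 + i}]: fatal: Timeout before "
    f"authentication for 203.0.113.7 port {40000 + i}"
    for i in range(6)
] + [
    "Jul  1 10:03:10 host sshd[2001]: fatal: Timeout before authentication "
    "for 198.51.100.9 port 51515",
    "Jul  1 10:04:00 host sshd[2002]: Accepted publickey for admin "
    "from 192.0.2.10 port 50000 ssh2",
]

# sshd writes this message when a connection hits LoginGraceTime unauthenticated.
TIMEOUT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?:fatal: )?Timeout before authentication for (?P<ip>\S+) port \d+"
)

def flag_timeout_bursts(lines, threshold=5, window_s=600, year=2024):
    """Return {ip: peak timeouts in any window_s-second span} for IPs >= threshold.

    threshold, window_s and year are illustrative assumptions; syslog
    timestamps carry no year, so one has to be supplied.
    """
    events = defaultdict(list)
    for line in lines:
        m = TIMEOUT_RE.match(line)
        if m:
            ts = " ".join(m["ts"].split())  # collapse the padded day field
            events[m["ip"]].append(datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"))
    flagged = {}
    for ip, stamps in events.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans at most window_s seconds.
            while (ts - stamps[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    print(flag_timeout_bursts(SAMPLE_LOG))
```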
