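    OpenSSH Nuclear-Grade Vulnerability CVE-2024-6387

    Security 2024-07-25 02:45

    Notice: This article was published by the author (软软学姐). Reproduction requires the author's consent and must credit the source (0XUCN) and include a link to this page.

    Qualys today disclosed a security vulnerability they discovered in the OpenSSH server that can lead to remote, unauthenticated code execution. OpenSSH servers running on Linux with the GNU C Library (glibc) are vulnerable to CVE-2024-6387, which has been dubbed "RegreSSHion", a play on "SSH" and "regression".

    A signal handler race condition in the OpenSSH server can lead to unauthenticated remote code execution. Multiple OpenSSH versions on Linux, going back years, are affected.

    CVE-2024-6387 has a broad impact; verify and fix immediately. The verification script is as follows: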

    import socket
    import argparse
    import ipaddress
    import threading
    from queue import Queue


    def is_port_open(ip, port):
        """Return True if a TCP connection to ip:port succeeds within 1 second."""
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(1)
        try:
            sock.connect((ip, port))
            return True
        except Exception:
            return False
        finally:
            sock.close()


    def get_ssh_banner(ip, port):
        """Read the server's SSH identification string; on error return the error text."""
        try:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.settimeout(2)
            sock.connect((ip, port))
            banner = sock.recv(1024).decode().strip()
            sock.close()
            return banner
        except Exception as e:
            return str(e)


    def check_vulnerability(ip, port, result_queue):
        """Classify one host by its banner and put (ip, port, status, message) on the queue."""
        if not is_port_open(ip, port):
            result_queue.put((ip, port, 'closed', "Port closed"))
            return

        banner = get_ssh_banner(ip, port)
        if "SSH-2.0-OpenSSH" not in banner:
            result_queue.put((ip, port, 'failed', f"Failed to retrieve SSH banner: {banner}"))
            return

        # Banner prefixes treated as vulnerable (matched as substrings of the banner)
        vulnerable_versions = [
            'SSH-2.0-OpenSSH_8.5p1',
            'SSH-2.0-OpenSSH_8.6p1',
            'SSH-2.0-OpenSSH_8.7p1',
            'SSH-2.0-OpenSSH_8.8p1',
            'SSH-2.0-OpenSSH_8.9p1',
            'SSH-2.0-OpenSSH_9.0p1',
            'SSH-2.0-OpenSSH_9.1p1',
            'SSH-2.0-OpenSSH_9.2p1',
            'SSH-2.0-OpenSSH_9.3p1',
            'SSH-2.0-OpenSSH_9.4p1',
            'SSH-2.0-OpenSSH_9.5p1',
            'SSH-2.0-OpenSSH_9.6p1',
            'SSH-2.0-OpenSSH_9.7p1'
        ]

        if any(version in banner for version in vulnerable_versions):
            result_queue.put((ip, port, 'vulnerable', f"(running {banner})"))
        else:
            result_queue.put((ip, port, 'not_vulnerable', f"(running {banner})"))


    def main():
        parser = argparse.ArgumentParser(description="Check if servers are running a vulnerable version of OpenSSH.")
        parser.add_argument("targets", nargs='+', help="IP addresses, domain names, file paths containing IP addresses, or CIDR network ranges.")
        parser.add_argument("--port", type=int, default=22, help="Port number to check (default: 22).")

        args = parser.parse_args()
        targets = args.targets
        port = args.port

        # Each target is tried as a file of addresses first, then as a CIDR range, then as a single host
        ips = []
        for target in targets:
            try:
                with open(target, 'r') as file:
                    ips.extend(file.readlines())
            except IOError:
                if '/' in target:
                    try:
                        network = ipaddress.ip_network(target, strict=False)
                        ips.extend([str(ip) for ip in network.hosts()])
                    except ValueError:
                        print(f" [-] Invalid CIDR notation: {target}")
                else:
                    ips.append(target)

        # One thread per target; results are collected through the queue
        result_queue = Queue()
        threads = []

        for ip in ips:
            ip = ip.strip()
            thread = threading.Thread(target=check_vulnerability, args=(ip, port, result_queue))
            thread.start()
            threads.append(thread)

        for thread in threads:
            thread.join()

        total_scanned = len(ips)
        closed_ports = 0
        not_vulnerable = []
        vulnerable = []

        while not result_queue.empty():
            ip, port, status, message = result_queue.get()
            if status == 'closed':
                closed_ports += 1
            elif status == 'vulnerable':
                vulnerable.append((ip, message))
            elif status == 'not_vulnerable':
                not_vulnerable.append((ip, message))
            else:
                print(f" [!] Server at {ip}:{port} is {message}")

        print(f"\n Servers not vulnerable: {len(not_vulnerable)}\n")
        for ip, msg in not_vulnerable:
            print(f"   [+] Server at {ip} {msg}")

        print(f"\n Servers likely vulnerable: {len(vulnerable)}\n")
        for ip, msg in vulnerable:
            print(f"   [+] Server at {ip} {msg}")

        # Report the port that was actually scanned (--port), not a hardcoded 22
        print(f"\n Servers with port {port} closed: {closed_ports}")
        print(f"\n Total scanned targets: {total_scanned}\n")


    if __name__ == "__main__":
        main()


    Usage

    python CVE-2024-6387_Check.py <targets> [--port PORT]

    Examples

    Single IP

    python CVE-2024-6387_Check.py 192.168.1.1

    Multiple IPs and Domains

    python CVE-2024-6387_Check.py 192.168.1.1 example.com 192.168.1.2

    CIDR Range

    python CVE-2024-6387_Check.py 192.168.1.0/24

    With Custom Port

    python CVE-2024-6387_Check.py 192.168.1.1 example.com --port 2222
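An added example, not part of the original script: the script above flags a host only when the banner contains one of its thirteen exact strings, so a build such as 9.3p2 is missed, and a distribution package with a backported fix is reported the same as an unpatched one. The sketch below parses the version and compares it numerically; the range bounds (before 4.4p1, and 8.5p1 up to but not including 9.8p1) come from the Qualys advisory rather than this page, and the verdict names and sample banners are constructed.

```python
import re

# SSH identification string: SSH-protoversion-softwareversion SP comments (RFC 4253, 4.2)
BANNER_RE = re.compile(
    r"^SSH-(?:2\.0|1\.99)-OpenSSH_(\d+)\.(\d+)(?:\.\d+)?(p\d+)?(?:\s+(.+))?$"
)


def in_affected_range(version):
    """Range bounds as published in the Qualys advisory (assumption: not stated on this page)."""
    if version < (4, 4):
        return True                      # releases before 4.4p1
    return (8, 5) <= version < (9, 8)    # regression window, fixed in 9.8p1


def classify_banner(banner):
    """Return (verdict, note) for one banner. Verdict names are hypothetical labels."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return ("unknown", "not an OpenSSH identification string")
    version = (int(m.group(1)), int(m.group(2)))
    portable, vendor = m.group(3), m.group(4)
    if not in_affected_range(version):
        return ("not_affected", "version outside the affected ranges")
    if vendor:
        # Distributions backport fixes without changing the upstream version number.
        return ("check_package", f"confirm the installed package revision ({vendor})")
    if not portable:
        # No pN suffix: not a portable release, so the glibc/Linux condition needs checking.
        return ("check_platform", "no portable suffix in banner")
    return ("likely_vulnerable", f"upstream OpenSSH {version[0]}.{version[1]}{portable}")


# Constructed sample banners, not captured from real hosts.
SAMPLES = [
    "SSH-2.0-OpenSSH_9.3p2",
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-OpenSSH_7.4",
    "SSH-1.99-OpenSSH_3.9p1",
    "SSH-2.0-OpenSSH_9.7",
    "SSH-2.0-dropbear_2022.83",
]

if __name__ == "__main__":
    for line in SAMPLES:
        verdict, note = classify_banner(line)
        print(f"{verdict:18} {line}  ({note})")
```

A `check_package` result means the banner alone cannot settle the question; compare the installed package revision against the distribution's security advisory on the host itself.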

    Exploit scripts are already circulating online, so upgrade immediately. For example:

    https://github.com/zgzhang/cve-2024-6387-poc

    https://github.com/acrono/cve-2024-6387-poc

