OpenSSH’s newly released version 9.2p1 contains a fix for a double-free vulnerability.
Given the severe potential impact of the vulnerability on OpenSSH servers (DoS/RCE) and its high popularity in the industry, this security fix prompted the JFrog Security Research team to investigate the vulnerability.
This blog post provides details on the vulnerability, who is affected, and a proof-of-concept to trigger it causing a Denial of Service (DoS).
What is OpenSSH?
OpenSSH is a popular tool used for secure communication and remote access. It was developed as a free, open-source implementation of the Secure Shell (SSH) communications protocol and is widely used for various applications.
OpenSSH provides a secure and encrypted connection between two untrusted hosts over an insecure network, making it an essential tool for remote access and secure file transfer.
With the increasing use of cloud computing and remote access to servers, OpenSSH has become a crucial tool for system administrators and developers who need to access and manage remote systems securely.
OpenSSH also supports a wide range of platforms including Linux, macOS, and Windows, making it a widely adopted tool across different operating systems. With its ease of use and strong security features, OpenSSH has become an industry-standard tool for secure remote access.
Vulnerability Background
On February 2, 2023, OpenSSH released version 9.2p1 with this security advisory. It immediately became clear this version is of interest because of the pre-auth double-free vulnerability. Searching OpenSSH’s GitHub repository, this is the fix commit.
The commit message indicates bz3522, which refers to the Bugzilla issue reported by the user Mantas Mikulėnas.
In the report, Mantas mentions using the obsolete PuTTY version 0.64 and attaches a back-trace of the double-free abort.
Research Walkthrough
To dive deeper, we set up an environment with the vulnerable OpenSSH 9.1p1 and pulled a copy of the old PuTTY 0.64 version, released 8 years ago on February 28, 2015.
The following error was returned after trying to connect with PuTTY 0.64 to the vulnerable OpenSSH server:
Since the obsolete client’s key exchange algorithms are not supported by the new OpenSSH version, we added the following line to /etc/ssh/sshd_config:
KexAlgorithms +diffie-hellman-group1-sha1
After restarting the SSH server and trying again, the following error was returned:
After adding another configuration line to the sshd_config, we were able to connect to the vulnerable OpenSSH server and reproduce the crash:
HostKeyAlgorithms +ssh-rsa
Running the server in debug mode (using the -ddd flag), the following debug message was returned:
ssh_sandbox_violation: unexpected system call (arch:0xc000003e,syscall:20 @ 0x7fd7473fb771) [preauth]
Syscall number 20 is writev(), which matches the Bugzilla report.
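As an added example that is not part of the original post, here is a small log scanner that picks out the sandbox-violation message shown above and decodes its arch and syscall numbers, so a defender can spot this crash signature in sshd logs. The syslog-style prefixes in the sample input and the short syscall table are assumptions (the arch constants are the AUDIT_ARCH_* values from linux/audit.h).

```python
import re
from typing import Optional

# Constructed sample input: the message from the post plus assumed syslog-style prefixes.
SAMPLE_LOG = """\
Feb  3 10:12:01 host sshd[1234]: debug1: SSH2_MSG_KEXINIT received [preauth]
Feb  3 10:12:01 host sshd[1234]: ssh_sandbox_violation: unexpected system call (arch:0xc000003e,syscall:20 @ 0x7fd7473fb771) [preauth]
Feb  3 10:12:01 host sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
"""

# seccomp audit-arch constants (AUDIT_ARCH_* from linux/audit.h).
ARCH_NAMES = {0xC000003E: "x86_64", 0xC00000B7: "aarch64"}

# Small x86_64 syscall table (assumed subset); enough to explain this crash signature.
X86_64_SYSCALLS = {0: "read", 1: "write", 19: "readv", 20: "writev", 60: "exit", 231: "exit_group"}

VIOLATION_RE = re.compile(
    r"ssh_sandbox_violation: unexpected system call "
    r"\(arch:(0x[0-9a-fA-F]+),syscall:(\d+) @ (0x[0-9a-fA-F]+)\)"
    r"(?: \[(\w+)\])?"
)


def parse_sandbox_violation(line: str) -> Optional[dict]:
    """Decode one sshd sandbox-violation line; return None for unrelated lines."""
    m = VIOLATION_RE.search(line)
    if not m:
        return None
    arch_name = ARCH_NAMES.get(int(m.group(1), 16), "unknown")
    nr = int(m.group(2))
    table = X86_64_SYSCALLS if arch_name == "x86_64" else {}
    return {
        "arch": arch_name,
        "syscall_nr": nr,
        "syscall": table.get(nr, "unknown"),
        "pc": m.group(3),
        "stage": m.group(4) or "unknown",
    }


def find_preauth_abort_signatures(log: str) -> list:
    """Return decoded violations matching the post's crash: writev() from the
    unprivileged [preauth] child. glibc reports heap corruption such as a double
    free through writev() before aborting, which the seccomp sandbox does not allow."""
    hits = []
    for line in log.splitlines():
        v = parse_sandbox_violation(line)
        if v and v["stage"] == "preauth" and v["syscall"] == "writev":
            hits.append(v)
    return hits
```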
Note that the configuration changes we’ve made were only needed to reproduce the vulnerability through PuTTY and are not required to exploit it. As we’ll see in the PoC, the default configuration is vulnerable.
Vulnerability In-Depth Details
We started by examining the fix commit, which states that compat_kex_proposal() is responsible for the double-f