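OpenSSH "nuclear-grade" vulnerability CVE-2024-6387
Qualys today disclosed a security vulnerability they found in the OpenSSH server that can lead to remote, unauthenticated code execution. OpenSSH servers running on Linux with the GNU C Library (glibc) are vulnerable to CVE-2024-6387, which has been named "RegreSSHion", a play on "SSH" and "regression".
A signal handler race condition in the OpenSSH server can lead to unauthenticated remote code execution. Multiple OpenSSH versions on Linux, going back years, are affected.
CVE-2024-6387 has a wide impact, so verify and fix it immediately. The verification script is as follows: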
```python
import socket
import argparse
import ipaddress
import threading
from queue import Queue


def is_port_open(ip, port):
    """Return True if a TCP connection to ip:port succeeds within 1 second."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(1)
    try:
        sock.connect((ip, port))
        return True
    except OSError:
        # Covers timeouts, refused connections and name-resolution failures.
        return False
    finally:
        sock.close()


def get_ssh_banner(ip, port):
    """Read the SSH identification string; on error, return the error text."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(2)
    try:
        sock.connect((ip, port))
        return sock.recv(1024).decode().strip()
    except Exception as e:
        return str(e)
    finally:
        sock.close()


def check_vulnerability(ip, port, result_queue):
    """Classify one target by its banner and push the result onto the queue."""
    if not is_port_open(ip, port):
        result_queue.put((ip, port, 'closed', "Port closed"))
        return

    banner = get_ssh_banner(ip, port)
    if "SSH-2.0-OpenSSH" not in banner:
        result_queue.put((ip, port, 'failed', f"Failed to retrieve SSH banner: {banner}"))
        return

    # Release strings the script treats as vulnerable (banner match only).
    vulnerable_versions = [
        'SSH-2.0-OpenSSH_8.5p1',
        'SSH-2.0-OpenSSH_8.6p1',
        'SSH-2.0-OpenSSH_8.7p1',
        'SSH-2.0-OpenSSH_8.8p1',
        'SSH-2.0-OpenSSH_8.9p1',
        'SSH-2.0-OpenSSH_9.0p1',
        'SSH-2.0-OpenSSH_9.1p1',
        'SSH-2.0-OpenSSH_9.2p1',
        'SSH-2.0-OpenSSH_9.3p1',
        'SSH-2.0-OpenSSH_9.4p1',
        'SSH-2.0-OpenSSH_9.5p1',
        'SSH-2.0-OpenSSH_9.6p1',
        'SSH-2.0-OpenSSH_9.7p1'
    ]

    if any(version in banner for version in vulnerable_versions):
        result_queue.put((ip, port, 'vulnerable', f"(running {banner})"))
    else:
        result_queue.put((ip, port, 'not_vulnerable', f"(running {banner})"))


def main():
    parser = argparse.ArgumentParser(description="Check if servers are running a vulnerable version of OpenSSH.")
    parser.add_argument("targets", nargs='+', help="IP addresses, domain names, file paths containing IP addresses, or CIDR network ranges.")
    parser.add_argument("--port", type=int, default=22, help="Port number to check (default: 22).")

    args = parser.parse_args()
    targets = args.targets
    port = args.port

    # Each target is tried as a file of addresses first, then as a CIDR
    # range, and finally as a single IP address or host name.
    ips = []
    for target in targets:
        try:
            with open(target, 'r') as file:
                # Skip blank lines so they are not counted as targets.
                ips.extend(line.strip() for line in file if line.strip())
        except IOError:
            if '/' in target:
                try:
                    network = ipaddress.ip_network(target, strict=False)
                    ips.extend([str(ip) for ip in network.hosts()])
                except ValueError:
                    print(f" [-] Invalid CIDR notation: {target}")
            else:
                ips.append(target)

    result_queue = Queue()
    threads = []

    # One thread per target; results are collected through the queue.
    for ip in ips:
        thread = threading.Thread(target=check_vulnerability, args=(ip, port, result_queue))
        thread.start()
        threads.append(thread)

    for thread in threads:
        thread.join()

    total_scanned = len(ips)
    closed_ports = 0
    not_vulnerable = []
    vulnerable = []

    while not result_queue.empty():
        ip, port, status, message = result_queue.get()
        if status == 'closed':
            closed_ports += 1
        elif status == 'vulnerable':
            vulnerable.append((ip, message))
        elif status == 'not_vulnerable':
            not_vulnerable.append((ip, message))
        else:
            print(f" [!] Server at {ip}:{port} is {message}")

    print(f"\n Servers not vulnerable: {len(not_vulnerable)}\n")
    for ip, msg in not_vulnerable:
        print(f" [+] Server at {ip} {msg}")

    print(f"\n Servers likely vulnerable: {len(vulnerable)}\n")
    for ip, msg in vulnerable:
        print(f" [+] Server at {ip} {msg}")

    # Report the port that was actually checked, not a hard-coded 22.
    print(f"\n Servers with port {port} closed: {closed_ports}")
    print(f"\n Total scanned targets: {total_scanned}\n")


if __name__ == "__main__":
    main()
```
Usage
python CVE-2024-6387_Check.py <targets> [--port PORT]
Examples
Single IP
python CVE-2024-6387_Check.py 192.168.1.1
Multiple IPs and Domains
python CVE-2024-6387_Check.py 192.168.1.1 example.com 192.168.1.2
CIDR Range
python CVE-2024-6387_Check.py 192.168.1.0/24
With Custom Port
python CVE-2024-6387_Check.py 192.168.1.1 example.com --port 2222
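The script above matches the banner against a fixed list of release strings, so it misses affected builds outside that list (9.3p2, or anything before 4.4p1) and cannot tell when a distribution has backported the fix without changing the upstream version. The following is an added example, not part of the original script: it classifies a banner by the upstream affected ranges from the Qualys advisory (before 4.4p1, and 8.5p1 up to but not including 9.8p1). The function name, status labels and sample banners are assumptions made for illustration.

```python
import re

# Upstream affected ranges (Qualys advisory): before 4.4p1, and from 8.5p1
# up to, but not including, 9.8p1. Releases in between are not affected.
OLD_FIXED = (4, 4)
REGRESSED = (8, 5)
FIXED = (9, 8)

# SSH identification string: SSH-<proto>-<software>[ <vendor comment>]
BANNER_RE = re.compile(
    r"^SSH-[\d.]+-OpenSSH_(\d+)\.(\d+)(?:\.\d+)?(?:p\d+)?(?:\s+(\S.*))?$")


def classify_banner(banner):
    """Return (status, (major, minor)) for one SSH banner (hypothetical helper)."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return ("unknown", None)          # not OpenSSH, or unparseable
    version = (int(m.group(1)), int(m.group(2)))
    in_range = version < OLD_FIXED or REGRESSED <= version < FIXED
    if not in_range:
        return ("not_affected", version)
    # A vendor comment after the version means a distribution package, which
    # may carry a backported fix under an unchanged upstream version. The
    # banner cannot settle that: check the installed package version.
    if m.group(3):
        return ("verify_package", version)
    return ("likely_vulnerable", version)


# Constructed sample banners (not captured from real hosts).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-OpenSSH_9.3p2",
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10",
    "SSH-2.0-OpenSSH_7.4",
    "SSH-2.0-OpenSSH_4.3",
    "SSH-2.0-dropbear_2022.83",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        status, version = classify_banner(b)
        print(f"{status:18} {b}")
```

A `verify_package` result has to be resolved on the host itself, by comparing the installed package version with the distribution's security advisory; the banner says nothing about the C library in use either.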
Exploit scripts are already available online, so upgrade immediately. For example:
https://github.com/zgzhang/cve-2024-6387-poc
https://github.com/acrono/cve-2024-6387-poc