Tag Archives: OpenSSH

OpenSSH “regreSSHion” RCE with root privileges (CVE-2024-6387)

Leave a reply

OpenSSH regreSSHion RCE with root privileges (CVE-2024-6387)

OpenSSH “regreSSHion” RCE with root privileges (CVE-2024-6387). The vulnerability was discovered by Qualys. An unauthenticated remote attacker can execute arbitrary code as root. It sounds creepy. 😱🙂

This vulnerability is a regression of the CVE-2006-5051. For it, by the way, there are no signs of exploitation in the wild or exploits.

🔻 The regression happened in October 2020, starting with OpenSSH version 8.5p1
🔻 “glibc-based Linux systems” in default configuration are vulnerable, OpenBSD is not vulnerable
🔻 There are 14 million potentially vulnerable hosts on the Internet
🔻 Qualys promise not to publish the exploit, but third-party researchers can write it based on the detailed write-up

Vulnerable versions:

❌ OpenSSH < 4.4p1
❌ 8.5p1 <= OpenSSH < 9.8p1 Invulnerable versions: ✅ 4.4p1 <= OpenSSH < 8.5p1
✅ OpenSSH >= 9.8p1

Upd. Attacking a 32-bit system with ASLR in laboratory conditions took 6-8 hours. Apparently the process is not so easy. 😉

На русском

How to fix “Nessus failed to load the SSH private key” error?

2 Replies

How to fix “Nessus failed to load the SSH private key” error? If you are using Nessus to scan Linux hosts and authenticate by key, you may encounter this problem.

You have generated the keys correctly, placed the public key on a remote server. You can connect to this server using the private key.

ssh -p22 -i private_key user@server.corporation.com

But when scanning with Nessus, you get weird errors in the various plugin outputs:

  • Target Credential Status by Authentication Protocol – Failure for Provided Credentials
  • Nessus failed to load the SSH private key. Is the associated passphrase correct?
  • Failed to parse the given key information.
  • Unable to login to remote host with supplied credential sets.

Continue reading

Making Expect scripts for SSH Authentication and Privilege Elevation

2 Replies

Making Expect scripts for SSH Authentication and Privilege Elevation. Expect can help you to automate interactive console applications. For example, expect script can go to some Linux host via SSH with password authentication, make additional authentication procedures (su, sudo) to elevate privileges and execute some commands. Like Vulnerability and Compliance management products do during the active Linux scanning, right? 🙂 For example you can get the list of installed packages and make Vulnerability Assessment without Vulnerability Scanner.

Expect SSH exec

Actually, the tool is pretty old. It was presented more than 20 years ago! And perhaps now it makes more sense to use python scripts, for example paramiko with paramiko-expect. Or even use some software provisioning tool, like Ansible. But my fun was in creating (generating?) a small old-school scripts that could be sent to any remote host (with expect installed) to gather information from the accessible hosts.

Continue reading

Dealing with Nessus logs

2 Replies

Dealing with Nessus logs. Debugging Nessus scans is a very interesting topic. And it is not very well described even in Tenable University course. It become especially interesting when you see strange network errors in the scan results. Let’s see how we can troubleshoot Nessus scans without sending Nessus DB files to Tenable  (which is, of course, the default way 😉 ).

Nessus Logs

Default logging

Let’s see default Nessus logs. I cleared log nessusd.messages file to have only logs of the latest scan:

# echo "" > /opt/nessus/var/nessus/logs/nessusd.messages

and restarted Nessus:

# /bin/systemctl start nessusd.service

I scan only one host (test-linux-host01, 192.168.56.12) with the Advanced scan profile. No default settings was set.

As you can see from the cpe report, it’s typical Linux host with ssh server:

typical Linux host with ssh

What’s in the logs?

Continue reading

Vulners Nmap plugin

3 Replies

Vulners Nmap plugin. In previous post about Vulners vulnerability detection plugins for Burp and Google Chrome, I mentioned that it would be great to have a plugin for some free publicly available tool, like Nmap. And guys from the Vulners Team have recently released Nmap plugin. Isn’t it awesome? 🙂

Vulners Nmap vulnerability detection plugin

To detect vulnerabilities with Vulners Nmap plugin, you need to download the script and run it like this:

$ wget -O vulners.nse https://raw.githubusercontent.com/vulnersCom/nmap-vulners/master/vulners.nse
$ nmap -sV --script vulners.nse corporation.com

The output you can see on the screenshot above.

First of all, I need to say that it’s not the full analogue of the plugins for Burp and Google Chrome.

In the current version it doesn’t analyse the content and headers of the site. It doesn’t detect vulnerabilities of standard Web applications. From the other hand, this plugin can detect vulnerabilities of network services, that plugins for Burp and Chrome obviously won’t detect.

Continue reading

SSH, SFTP, public key authentication and python

2 Replies

SSH, SFTP, public key authentication and python. SFTP is a simple and fairly reliable way to share the information within the organization. Let’s look at the situation when you need to pick up some files from a remote host with authorization by public key. And after that, let’s see how to use it with in python.

ssh sftp python

Moreover, let’s see how to work with SSH using python and execute any commands on the remote host. For example. if we need it to collect versions of installed packages and a version Linux distribution for further vulnerability analysis (see “Vulnerability Assessment without Vulnerability Scanner“). 😉

Continue reading