When first reported in 2006, the issue was described as a race condition that could lead to a denial of service (process crash) with possible arbitrary code execution, although the latter was never proven, because an attacker has to win the race condition, which takes a lot of effort to pull off.
When Qualys researchers discovered that the bug had been reintroduced through the accidental removal of a critical piece of the functionality that kept OpenSSH safe from it, they set out to prove that remote code execution is possible despite the race-condition barrier. They faced an even harder task than the original reporters, because since 2006 memory-safety mitigations such as Address Space Layout Randomization (ASLR) have been introduced in Linux and other operating systems to make exploitation harder.
“From a theoretical point of view, we should find a useful code method that, if interrupted at the right time by SIGALRM, leaves sshd in a fixed state, and we should use this fixed state inside the SIGALRM handler,” the researchers wrote in their technical advisory. “From a practical point of view, we have to find a way to access this useful code path in sshd and increase our chances of interrupting it at the right time. From a timing perspective, we have to find a way to increase our chances of disrupting this useful coding system at the right time, remotely.”