Related vulnerability
Title: OpenSSH security vulnerability (CVE-2024-6387)
Description: OpenSSH (OpenBSD Secure Shell) is a set of connectivity tools from the OpenBSD project (Canada) for securely accessing remote computers. It is an open-source implementation of the SSH protocol that encrypts all traffic, effectively preventing eavesdropping, connection hijacking and other network-level attacks. OpenSSH contains a security vulnerability caused by a race condition in a signal handler; an attacker exploiting it can execute arbitrary code remotely without authentication and take control of the system.
Description
HASSH fingerprints for identifying OpenSSH servers potentially vulnerable to CVE-2024-6387 (regreSSHion).
Introduction
# CVE-2024-6387 HASSH Fingerprints
HASSH fingerprints for identifying OpenSSH servers potentially vulnerable to CVE-2024-6387 (regreSSHion).
The primary goal of this repository is to share the generated HASSH fingerprint database. The scripts use the Shodan API to compile a list of HASSH fingerprints for vulnerable OpenSSH versions. The generated database can be used to query Shodan or Censys to identify potentially vulnerable OpenSSH servers. The `hasshdb.txt` database can also be used with my Nmap NSE script available at [hassh-utils](https://github.com/0x4D31/hassh-utils).
## Background
SSH Server Identification String (aka version string) is not a reliable way to identify SSH server implementations and versions, as it can be easily spoofed, as seen in honeypots like Cowrie. HASSH, developed by Ben Reardon (with contributions from me and John Althouse), is a fingerprinting technique that combines KEX, Encryption, MAC, and Compression algorithms from the `SSH_MSG_KEXINIT` message to create a fingerprint for specific SSH implementations. For more information about HASSH, refer to the [Salesforce engineering blog post](https://engineering.salesforce.com/open-sourcing-hassh-abed3ae5044c/) and the [HASSH repository](https://github.com/corelight/hassh).
Considering the recent RCE vulnerability in OpenSSH ([Qualys blog post](https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server)), I thought it was worth generating a fingerprint database, as HASSH is supported in both Shodan and Censys and provides a more reliable method of identifying specific SSH server implementations and versions.
The HASSH fingerprint can be searched in Shodan using the `ssh.hassh` query and in Censys using the `services.ssh.hassh_fingerprint` query.
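The following added example (written for this page, not code from the repository or from the HASSH project) shows the mechanics described above: it parses an `SSH_MSG_KEXINIT` payload into its name-lists, joins the key exchange, encryption, MAC and compression lists with `;` exactly as they were sent, and MD5-hashes the result to obtain the `hasshServer` (or client-side `hassh`) value. The sample KEXINIT and the fingerprint database it is looked up in are constructed for the example; the algorithm names are plausible but are not a capture from any real host, so the resulting fingerprint is not one of the repository's database entries.

```python
# Added example: parse an SSH_MSG_KEXINIT payload and compute its HASSH fingerprint.
import hashlib
import struct

SSH_MSG_KEXINIT = 20

# The ten name-lists of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)


def build_kexinit(fields, first_kex_packet_follows=False):
    """Serialise a KEXINIT payload from a dict of name-list strings (used for constructed test data)."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # message id + 16-byte cookie (zeros here)
    for name in KEXINIT_FIELDS:
        data = fields[name].encode("ascii")
        payload += struct.pack(">I", len(data)) + data  # SSH 'name-list' = uint32 length + bytes
    payload += bytes([int(first_kex_packet_follows)]) + struct.pack(">I", 0)  # boolean + reserved
    return payload


def parse_kexinit(payload):
    """Decode a KEXINIT payload into its name-lists; raises ValueError on malformed input."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset = 1 + 16  # skip message id and cookie
    fields = {}
    for name in KEXINIT_FIELDS:
        if offset + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError("truncated name-list")
        fields[name] = payload[offset:offset + length].decode("ascii")
        offset += length
    return fields


def hassh_string(fields, server):
    """Join the four HASSH components with ';', keeping each name-list exactly as sent."""
    direction = "server_to_client" if server else "client_to_server"
    return ";".join([
        fields["kex_algorithms"],
        fields[f"encryption_algorithms_{direction}"],
        fields[f"mac_algorithms_{direction}"],
        fields[f"compression_algorithms_{direction}"],
    ])


def hassh(fields, server=True):
    """hasshServer (server=True) or hassh (server=False): MD5 hex digest of the ';'-joined components."""
    return hashlib.md5(hassh_string(fields, server).encode("ascii")).hexdigest()


# Constructed sample server KEXINIT: plausible algorithm names, not a capture from a real host.
SAMPLE_SERVER_KEXINIT = {
    "kex_algorithms": "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256",
    "server_host_key_algorithms": "rsa-sha2-512,rsa-sha2-256,ssh-ed25519",
    "encryption_algorithms_client_to_server": "chacha20-poly1305@openssh.com,aes128-ctr",
    "encryption_algorithms_server_to_client": "chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr",
    "mac_algorithms_client_to_server": "umac-64-etm@openssh.com,hmac-sha2-256",
    "mac_algorithms_server_to_client": "umac-64-etm@openssh.com,hmac-sha2-256,hmac-sha2-512",
    "compression_algorithms_client_to_server": "none,zlib@openssh.com",
    "compression_algorithms_server_to_client": "none,zlib@openssh.com",
    "languages_client_to_server": "",
    "languages_server_to_client": "",
}


def fingerprint_from_wire(payload, database):
    """Parse a KEXINIT, compute hasshServer and look it up in a {fingerprint: [versions]} dict."""
    fp = hassh(parse_kexinit(payload), server=True)
    return fp, database.get(fp, [])


if __name__ == "__main__":
    payload = build_kexinit(SAMPLE_SERVER_KEXINIT)
    # Hypothetical fingerprint database (constructed; the real hasshdb.json schema is not reproduced here).
    demo_db = {hassh(SAMPLE_SERVER_KEXINIT): ["OpenSSH_x.y (constructed label)"]}
    print(fingerprint_from_wire(payload, demo_db))
```

The name-lists are deliberately kept as raw comma-separated strings rather than split and normalised: HASSH is sensitive to algorithm order, which is what makes it discriminate between implementations and versions even when the identification string has been altered.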
## Generated Data
The Shodan scripts produce the following data files:
- `hasshdb.txt`: A text file containing formatted HASSH fingerprints and their associated OpenSSH versions, including confidence percentages.
- `hasshdb.json`: A JSON file with the HASSH database, mapping each HASSH fingerprint to its OpenSSH versions and counts.
- `potentially-vulnerable.json`: A JSON file containing HASSH fingerprints of potentially vulnerable servers, total counts, and top 100 version/identification strings.
Note: The scripts use Shodan's facets and the `count()` method, which doesn't return detailed results and doesn't require a paid API plan. This method is also much faster than the `search()` method.
File snapshot
[4.0K] /data/pocs/4a5cea42b0c1bd73f5adee2fa3637936da4c0fad
├── [4.0K] data
│   ├── [9.1K] hasshdb.json
│   ├── [6.6K] hasshdb.txt
│   ├── [ 16K] output.log
│   └── [ 64K] potentially-vulnerable.json
├── [ 11K] LICENSE
├── [2.5K] README.md
└── [4.0K] scripts
    ├── [4.4K] hasshdb_gen.py
    └── [2.2K] hassh_query.py

2 directories, 8 files
Notes
1. Access through the original source is recommended.
2. If the source has gone away or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.