“From a theoretical point of view, we must find a useful code path that, if interrupted at the right time by SIGALRM, leaves sshd in an inconsistent state, and we must then exploit this inconsistent state inside the SIGALRM handler,” the researchers wrote in their technical advisory. “From a practical point of view, we must find a way to reach this useful code path in sshd and maximize our chances of interrupting it at the right time. From a timing point of view, we must find a way to further increase our chances of interrupting this useful code path at the right time, remotely.”
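The plan quoted above hinges on a code path that a SIGALRM can tear into an inconsistent state which the handler then acts on. The C program below is an illustration added here, not code from the Qualys advisory or from OpenSSH: it models that pattern with a deliberately simplified two-field record (the record layout, the function names and the use of raise() to land the signal at a chosen point are all constructed for the demo), and contrasts a handler that does work on shared state with the common mitigation of a handler that only sets a flag which the interrupted code checks once it is back in a consistent state.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed state: a pointer+length pair that is updated in two stores.
 * Many real "buffer" objects look like this; a signal landing between the
 * two stores sees the new pointer with the old length. */
struct record { const char *data; size_t len; };

static struct record g_rec;
static volatile sig_atomic_t g_alarm_pending;
static volatile size_t g_seen_len;   /* g_rec.len as read by the observer */
static volatile size_t g_real_len;   /* strlen(g_rec.data) at the same moment */

/* Stands in for any handler-side work that trusts the shared object
 * (e.g. logging it). It is the reader of a possibly torn record. */
static void observe(void) {
    g_seen_len = g_rec.len;
    g_real_len = strlen(g_rec.data);
}

/* UNSAFE pattern: the handler does real work on state the interrupted
 * code was in the middle of changing. */
static void unsafe_alarm_handler(int sig) { (void)sig; observe(); }

/* SAFE pattern: the handler only records that the alarm fired; the
 * main code path acts on the flag at a point where state is consistent. */
static void safe_alarm_handler(int sig) { (void)sig; g_alarm_pending = 1; }

static void install_handler(void (*handler)(int)) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGALRM, &sa, NULL);
}

/* The "useful code path": two non-atomic stores. raise() delivers SIGALRM
 * synchronously in a single-threaded process, so it deterministically
 * models the timer expiring exactly between the stores. */
static void update_record(const char *data, size_t len) {
    g_rec.data = data;
    raise(SIGALRM);
    g_rec.len = len;
}

static const char LONG_VAL[]  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 32 bytes */
static const char SHORT_VAL[] = "B";                                 /* 1 byte  */

static void reset_state(void) {
    g_rec.data = LONG_VAL;
    g_rec.len = sizeof LONG_VAL - 1;
    g_alarm_pending = 0;
    g_seen_len = 0;
    g_real_len = 0;
}

/* Returns 1 if the alarm-time observer saw a torn record (len != strlen). */
int unsafe_demo(void) {
    reset_state();
    install_handler(unsafe_alarm_handler);
    update_record(SHORT_VAL, sizeof SHORT_VAL - 1);
    return g_seen_len != g_real_len;  /* sees len 32 for a 1-byte string */
}

/* Same interruption point, but the work is deferred until after the
 * update has completed, so the observer sees a consistent record. */
int safe_demo(void) {
    reset_state();
    install_handler(safe_alarm_handler);
    update_record(SHORT_VAL, sizeof SHORT_VAL - 1);
    if (g_alarm_pending) {            /* safe point: both stores are done */
        g_alarm_pending = 0;
        observe();
    }
    return g_seen_len != g_real_len;
}

int main(void) {
    printf("unsafe handler saw torn record: %d\n", unsafe_demo());
    printf("flag-only handler saw torn record: %d\n", safe_demo());
    return 0;
}
```

In the unsafe variant the handler reads a 32-byte length against a 1-byte string, which is exactly the kind of inconsistency a real handler would turn into an out-of-bounds access; the flag-only variant reaches the same work with the record already consistent. The demo places the signal with raise() so it is reproducible; in a real attack the interruption point is hit probabilistically, which is why the timing work described below is needed.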
The researchers demonstrated the exploit against Linux systems that use the glibc C library, and on 32-bit builds, because the smaller address space makes ASLR weaker there. Exploitation on 64-bit systems is also believed to be possible, but probably harder.
Against OpenSSH 9.2p1 from the stable version of Debian Linux on i386, the researchers needed around 10,000 tries to win the race condition and exploit the flaw. That works out to between 3 and 4 hours with 100 concurrent connections and the default LoginGraceTime of 120 seconds (10,000 attempts, 100 at a time, each bounded by the 120-second grace period, is roughly 12,000 seconds). However, because ASLR means glibc's address can only be guessed correctly half of the time, the expected time to achieve remote code execution with a root shell increases to between 6 and 8 hours.