regreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems explained
Jadi
Recently, news of a high-severity security risk shocked the OpenSSH world. Researchers from Qualys Security Advisory showed that a remote shell is possible using a double-free attack on the heap, combined with other techniques including unlink and aa4bmo.
In this video I'll try to go a bit deeper into this attack and, while describing the technical aspects of this case, give you leads on what to study next if you are interested.
00:00 - CVE-2024-6387
01:23 - Race Condition
04:28 - A look at the regreSSHion attack on malloc & free
05:55 - Using Signals & free race condition for attacks
11:00 - How the attack on OpenSSH works
20:10 - aa4bmo attack
22:46 - Why old Debian first? No ASLR or NX
24:29 - Making things faster
- OpenSSH change log: https://www.openssh.com/releasenotes.html
- Qualys Security Advisory: https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
- Phrack 0x3d: http://phrack.org/issues/61/6.html#article
- Delivering Signals for Fun and Profit: https://lcamtuf.coredump.cx/signals.txt ... https://www.youtube.com/watch?v=1Me2ZwjB2cQ
2024-07-03
Copyrighted (contact publisher)