OpenSSH漏洞预警:无需用户交互,可提权至 root
https://mp.weixin.qq.com/s/c_gATfwcjyXVGj0g6xXIBg
OpenSSH远程代码执行漏洞分析及POC(CVE-2024-6387)
https://mp.weixin.qq.com/s/79P1zpb36D0ku-gwwXfPtQ
OenSSH官方只提供源码包,我们考虑自己将源码编译为rpm包来升级环境的OpenSSH。
当然编译过程也尽量简单化,这里我们直接使用开源的脚本进行编译。
https://github.com/boypt/openssh-rpms
# yum -y install epel-release
# yum -y install git zip unzip
# yum -y groupinstall "Development Tools"
# yum -y install imake rpm-build pam-devel krb5-devel zlib-devel libXt-devel libX11-devel gtk2-devel
# git clone https://github.com/boypt/openssh-rpms.git
#百度网盘下载链接: https://pan.baidu.com/s/1gS0ltu3YNmgPIAMHxc0xiw?pwd=sgpa
# cd openssh-rpms-main
# ll
总用量 32
drwxr-xr-x 7 root root 72 8月 23 15:16 amzn1
drwxr-xr-x 7 root root 72 8月 23 15:16 amzn2
drwxr-xr-x 7 root root 72 8月 23 15:16 amzn2023
-rwxr-xr-x 1 root root 4044 8月 23 15:24 compile.sh
drwxr-xr-x 2 root root 149 8月 23 15:16 docker
-rw-r--r-- 1 root root 11802 8月 23 15:16 docker.README.md
drwxr-xr-x 2 root root 114 8月 23 15:28 downloads
drwxr-xr-x 7 root root 72 8月 23 15:16 el5
drwxr-xr-x 7 root root 72 8月 23 15:16 el6
drwxr-xr-x 8 root root 89 8月 23 15:44 el7
-rwxr-xr-x 1 root root 1874 8月 23 15:26 pullsrc.sh
-rw-r--r-- 1 root root 4394 8月 23 15:16 README.md
-rw-r--r-- 1 root root 336 8月 23 15:16 version.env
将出现 source version.env 的行,改为 source ./version.env
# grep "version.env" *.sh
compile.sh:source ./version.env
pullsrc.sh:source ./version.env
vim compile.sh
第70行
source version.env
改为
source ./version.env
并保存退出。
vim pullsrc.sh
第23行
source version.env
改为
source ./version.env
并保存退出。
将出现 wget 的行加上 --no-check-certificate 参数,避免因为证书问题导致源码下载失败。
# grep "wget" pullsrc.sh
wget --no-check-certificate $OPENSSLMIR/$OPENSSLSRC
wget --no-check-certificate $OPENSSHMIR/$OPENSSHSRC
wget --no-check-certificate $ASKPASSMIR/$ASKPASSSRC
image.png
# sh pullsrc.sh
# sh compile.sh
Recommends: openssh-debugsource(x86-64) = 9.8p1-1.an8
检查未打包文件:/usr/lib/rpm/check-files /root/openssh-rpms-main/el7/BUILDROOT/openssh-9.8p1-1.an8.x86_64
已写至:/root/openssh-rpms-main/el7/SRPMS/openssh-9.8p1-1.an8.src.rpm
已写至:/root/openssh-rpms-main/el7/RPMS/x86_64/openssh-9.8p1-1.an8.x86_64.rpm
已写至:/root/openssh-rpms-main/el7/RPMS/x86_64/openssh-clients-9.8p1-1.an8.x86_64.rpm
已写至:/root/openssh-rpms-main/el7/RPMS/x86_64/openssh-server-9.8p1-1.an8.x86_64.rpm
已写至:/root/openssh-rpms-main/el7/RPMS/x86_64/openssh-debugsource-9.8p1-1.an8.x86_64.rpm
已写至:/root/openssh-rpms-main/el7/RPMS/x86_64/openssh-debuginfo-9.8p1-1.an8.x86_64.rpm
已写至:/root/openssh-rpms-main/el7/RPMS/x86_64/openssh-clients-debuginfo-9.8p1-1.an8.x86_64.rpm
已写至:/root/openssh-rpms-main/el7/RPMS/x86_64/openssh-server-debuginfo-9.8p1-1.an8.x86_64.rpm
正在执行(%clean):/bin/sh -e /var/tmp/rpm-tmp.CqEtsN
+ umask 022
+ cd /root/openssh-rpms-main/el7/BUILD
+ cd openssh-9.8p1
+ rm -rf /root/openssh-rpms-main/el7/BUILDROOT/openssh-9.8p1-1.an8.x86_64
+ exit 0
~/openssh-rpms-main
# ll /root/openssh-rpms-main/el7/RPMS/x86_64/
总用量 22512
-rw-r--r-- 1 root root 6674000 8月 23 15:47 openssh-9.8p1-1.an8.x86_64.rpm
-rw-r--r-- 1 root root 6816912 8月 23 15:47 openssh-clients-9.8p1-1.an8.x86_64.rpm
-rw-r--r-- 1 root root 1987868 8月 23 15:47 openssh-clients-debuginfo-9.8p1-1.an8.x86_64.rpm
-rw-r--r-- 1 root root 1522876 8月 23 15:47 openssh-debuginfo-9.8p1-1.an8.x86_64.rpm
-rw-r--r-- 1 root root 853532 8月 23 15:47 openssh-debugsource-9.8p1-1.an8.x86_64.rpm
-rw-r--r-- 1 root root 3616880 8月 23 15:47 openssh-server-9.8p1-1.an8.x86_64.rpm
-rw-r--r-- 1 root root 1561984 8月 23 15:47 openssh-server-debuginfo-9.8p1-1.an8.x86_64.rpm
# yum -y localinstall /root/openssh-rpms-main/el7/RPMS/x86_64/*.rpm
# systemctl restart sshd
Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.
# systemctl status sshd
● sshd.service - OpenSSH 9 server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2024-08-23 16:47:26 CST; 16s ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 83903 (sshd)
Tasks: 1 (limit: 50648)
Memory: 756.0K
CGroup: /system.slice/sshd.service
└─83903 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
8月 23 16:47:26 anolis8 systemd[1]: Started OpenSSH 9 server daemon.
8月 23 16:47:26 anolis8 sshd[83903]: Server listening on 0.0.0.0 port 22.
8月 23 16:47:26 anolis8 sshd[83903]: Server listening on :: port 22.
# chmod 400 /etc/ssh/*key
# systemctl restart sshd.service
# systemctl status sshd.service
● sshd.service - OpenSSH 9 server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2024-08-23 16:47:26 CST; 1min 23s ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 83903 (sshd)
Tasks: 1 (limit: 50648)
Memory: 756.0K
CGroup: /system.slice/sshd.service
└─83903 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
8月 23 16:47:26 anolis8 systemd[1]: Started OpenSSH 9 server daemon.
8月 23 16:47:26 anolis8 sshd[83903]: Server listening on 0.0.0.0 port 22.
8月 23 16:47:26 anolis8 sshd[83903]: Server listening on :: port 22.
<meta charset="utf-8">
OpenSSH 从 7.0 后开始对于version 1.x 就不支持了,相应的RSA1算法也不再支持了
编译OpenSSH 源码的时候也不会在/etc/ssh目录下面生成ssh_host_key/ssh_host_key.pub
http://www.openssh.com/txt/release-6.9
将 /sbin/restorecon /etc/ssh/ssh_host_dsa_key.pub 行注释掉
# sed -i '/ssh_host_dsa_key.pub/s/^/#/' /etc/init.d/sshd
# systemctl daemon-reload
# systemctl restart sshd
# systemctl status sshd
● sshd.service - OpenSSH 9 server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2024-08-23 17:04:41 CST; 21s ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 84066 (sshd)
Tasks: 1 (limit: 50648)
Memory: 716.0K
CGroup: /system.slice/sshd.service
└─84066 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
8月 23 17:04:41 anolis8 systemd[1]: Started OpenSSH 9 server daemon.
8月 23 17:04:41 anolis8 sshd[84066]: Server listening on 0.0.0.0 port 22.
8月 23 17:04:41 anolis8 sshd[84066]: Server listening on :: port 22.
8月 23 17:04:48 anolis8 sshd-session[84067]: Accepted password for root from 172.16.17.128 port 52337 ssh2
8月 23 17:04:48 anolis8 sshd-session[84067]: pam_unix(sshd:session): session opened for user root by (uid=0)
# ssh -V
OpenSSH_9.8p1, OpenSSL 1.1.1w 11 Sep 2023
# sshd -V
OpenSSH_9.8p1, OpenSSL 1.1.1w 11 Sep 2023
# rpm -qa | grep openssh
openssh-clients-9.8p1-1.el8.x86_64
openssh-9.8p1-1.el8.x86_64
openssh-server-9.8p1-1.el8.x86_64
#cd
# mkdir install_openssh-9.8p1
# cd install_openssh-9.8p1
# cp /root/openssh-rpms-main/el7/BUILD/openssh-9.8p1/contrib/ssh-copy-id ./
# cp /root/openssh-rpms-main/el7/RPMS/x86_64/* ./
# ll
总用量 22528
-rw-r--r-- 1 root root 6674000 8月 23 17:19 openssh-9.8p1-1.an8.x86_64.rpm
-rw-r--r-- 1 root root 6816912 8月 23 17:19 openssh-clients-9.8p1-1.an8.x86_64.rpm
-rw-r--r-- 1 root root 1987868 8月 23 17:19 openssh-clients-debuginfo-9.8p1-1.an8.x86_64.rpm
-rw-r--r-- 1 root root 1522876 8月 23 17:19 openssh-debuginfo-9.8p1-1.an8.x86_64.rpm
-rw-r--r-- 1 root root 853532 8月 23 17:19 openssh-debugsource-9.8p1-1.an8.x86_64.rpm
-rw-r--r-- 1 root root 3616880 8月 23 17:19 openssh-server-9.8p1-1.an8.x86_64.rpm
-rw-r--r-- 1 root root 1561984 8月 23 17:19 openssh-server-debuginfo-9.8p1-1.an8.x86_64.rpm
-rw-r--r-- 1 root root 13078 8月 23 17:19 ssh-copy-id
cat install_openssh-9.8p1.sh
#!/bin/bash
if ! yum -y localinstall *.rpm ; then
echo "OpenSSH rpm 安装失败!"
exit 1
fi
chmod 400 /etc/ssh/ssh_host_*_key
cp ssh-copy-id /usr/bin/
chmod 755 /usr/bin/ssh-copy-id
sed -i '/ssh_host_dsa_key.pub/s/^/#/' /etc/init.d/sshd
systemctl daemon-reload
systemctl restart sshd
systemctl enable sshd
systemctl status sshd
rpm -qa | grep openssh
ssh -V
网友评论