Progress in building an exploit for OpenSSH 9.1

Qualys has found a way to bypass malloc's double-free protection and gain control of execution using a vulnerability in OpenSSH 9.1 that had previously been judged unlikely to yield a working exploit. Whether a fully working exploit can actually be built remains an open question.

The vulnerability is caused by a double free of a memory region during the pre-authentication stage. To trigger the vulnerable condition, it is enough to change the SSH client's banner to "SSH-2.0-FuTTYSH_9.1p1" (or the banner of another old SSH client) so that the server sets the "SSH_BUG_CURVE25519PAD" and "SSH_OLD_DHGEX" compatibility flags. Once both flags are set, the memory for the "options.kex_algorithms" buffer is freed twice.
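The bug class described above, as an added illustration that is not OpenSSH's code: a comma-separated algorithm list is filtered in two stages gated by two compat flags (FLAG_PAD and FLAG_DHGEX stand in for the two flags named in the text, and filter_deny, compat_buggy and compat_fixed are constructed names). The buggy caller frees the original buffer after every stage, so with both flags set it is freed twice; the fixed caller frees each buffer exactly once. A small quarantine makes the double free observable without corrupting the real heap.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

#define FLAG_PAD   0x1   /* constructed stand-in for SSH_BUG_CURVE25519PAD */
#define FLAG_DHGEX 0x2   /* constructed stand-in for SSH_OLD_DHGEX */

/* Newly allocated copy of `list` without the `deny` entry; input is left untouched. */
static char *filter_deny(const char *list, const char *deny)
{
    char *copy = strdup(list), *out = malloc(strlen(list) + 1);
    if (copy == NULL || out == NULL) { free(copy); free(out); return NULL; }
    out[0] = '\0';
    for (char *tok = strtok(copy, ","); tok != NULL; tok = strtok(NULL, ",")) {
        if (strcmp(tok, deny) == 0) continue;
        if (out[0] != '\0') strcat(out, ",");
        strcat(out, tok);
    }
    free(copy);
    return out;
}

/* Quarantine for the demo: remembers freed pointers and reports a repeat instead of freeing again. */
static void *freed_log[16];
static int nfreed;
static int quarantined_free(void *p)
{
    for (int i = 0; i < nfreed; i++)
        if (freed_log[i] == p) return 1;          /* second free of the same pointer */
    if (nfreed < 16) freed_log[nfreed++] = p;
    free(p);
    return 0;
}

/* Buggy shape: frees the *original* pointer after each stage, so two flags mean two frees. */
int compat_buggy(int flags, char **p, int *double_frees)
{
    char *orig = *p;
    *double_frees = 0;
    if (flags & FLAG_PAD) {
        if ((*p = filter_deny(*p, "curve25519-sha256@libssh.org")) == NULL) return -1;
        *double_frees += quarantined_free(orig);  /* first free of orig */
    }
    if (flags & FLAG_DHGEX) {
        if ((*p = filter_deny(*p, "diffie-hellman-group-exchange-sha1")) == NULL) return -1;
        *double_frees += quarantined_free(orig);  /* stale pointer: freed again */
    }
    return 0;
}

/* Fixed shape: each stage releases only the buffer the previous stage handed it, exactly once. */
int compat_fixed(int flags, char **p)
{
    const char *deny[2] = { "curve25519-sha256@libssh.org", "diffie-hellman-group-exchange-sha1" };
    int bits[2] = { FLAG_PAD, FLAG_DHGEX };
    for (int i = 0; i < 2; i++) {
        if (!(flags & bits[i])) continue;
        char *next = filter_deny(*p, deny[i]);
        if (next == NULL) return -1;
        free(*p);                                 /* the buffer we own right now */
        *p = next;                                /* ownership moves to the new buffer */
    }
    return 0;
}
```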

By manipulating the vulnerability, the Qualys researchers were able to gain control over the processor register "%rip", which holds the pointer to the next instruction to be executed. The exploitation technique they developed allows control to be transferred to any point in the address space of the sshd process on an unpatched OpenBSD 7.2 system, which ships with OpenSSH 9.1 by default.

It is noted that the proposed prototype implements only the first stage of an attack: to create a working exploit, it would also be necessary to bypass the ASLR and NX protection mechanisms (via ROP) and escape the sandbox isolation, which is considered unlikely. Bypassing ASLR and NX requires knowledge of addresses, which could be obtained by identifying another vulnerability that leaks information. A bug in the privileged parent process or in the kernel could help escape the sandbox.

Source: opennet.ru