Qualys found a way to get around the protection of malloc and double-free for protection
Initiation of code management transfer, using vulnerability to Openssh 9.1, the risk of creating a working exploit for which was determined as unlikely. At the same time, the possibility of creating a working exploit is still under a big question.
Vulnerability is caused by double release of the memory area at the stage before authentication. To create the conditions for the manifestation of vulnerability, it is enough to change the SSH-client banner to “SSH-2.0-FUTTYSH_9.1P1” (or other old SSH-client) in order to achieve flags “SSH_BUG_CURVE25519PAD” and “SSH_LD_DHGEX”. After setting these flags, memory under the buffer “Options.kex_algorithms” is released twice.
CALIS researchers during manipulations with vulnerability were able to achieve control over the processor registry “%RIP” containing a pointer for the following instructions for execution. The developed operating technique allows you to transfer to any point of the address space of the SSHD process in the unnecessary environment of OpenBSD 7.2, which is supplied by default from the OpenSSH 9.1.
It is noted that the proposed prototype is the implementation of only the first stage of the attack – to create a working exploit, it is necessary to bypass the mechanisms of protection of ASLR, NX and ROP, and exit from Sandbox insulation, which is unlikely. To solve the problem of bypassing ASLR, NX and ROP, it is required to obtain information about addresses, which can be achieved by identifying another vulnerability that leads to the information leak. An error in a privileged parental process or nucleus can help to exit Sandbox.