“From a theoretical point of view, we must find a useful code path that, if interrupted at the right time by SIGALRM, leaves sshd in an inconsistent state, and we must then exploit this inconsistent state inside the SIGALRM handler,” the researchers wrote in their technical advisory. “From a practical point of view, we must find a way to reach this useful code path in sshd and maximize our chances of interrupting it at the right time. From a timing point of view, we must find a way to further increase our chances of interrupting this useful code path at the right time, remotely.”
The researchers demonstrated the exploit against 32-bit Linux systems that use the glibc C library, because the smaller address space leaves ASLR with fewer bits to randomize, so the glibc base address is easier to guess. Exploitation of 64-bit systems is believed to be possible as well, though harder, since the larger address space gives ASLR far more entropy.
Against OpenSSH 9.2p1 as shipped in Debian stable on i386, the researchers needed around 10,000 attempts to win the race and exploit the flaw. Each attempt ties up a connection for the full LoginGraceTime (120 seconds by default), so with 100 concurrent connections that works out to roughly 3 to 4 hours. Because ASLR means the glibc base address is guessed correctly only about half the time, the expected time to obtain a remote root shell doubles to roughly 6 to 8 hours.