new SSH exploit is absolutely wild 

no it wouldnt

Bro can you please tell me how much time it takes to learn assembly language from which you can write your own script exploits and malwares and ransomwares. And which are the best high level languages which are used to write a malware or ransomwares

no it wouldnt

​@@PrinceKumar-yo9lr It really depends on what you're exploiting. If it's a local vulnerability (one through the operating system) then you'll need to have full control over the arguments you pass to the operating system's APIs. This is best done with a low level language such as C, C++, Zig, or even Rust. If you need *really* fine control, you can use Assembly, but it's not common. However, must vulnerabilities are rooted in networking. These can be made in any language that has networking capabilities. Rust is my pick, just because of how easy it is to throw some bytes through a socket. POSIX's C sockets take a bit more work to set up than a higher-level TCP stream, but it's way better than Winsock from what I've seen. However, this all assumes you have a vulnerability to exploit. Vulnerabilities are often patched as soon as they pop up. Something way cooler than just malicious stuff is "fun" malware, which was away more prevalent back then. It didn't usually do anything super serious, but it would take control of the system and show you something really cool looking. There are some Windows 10 programs that do this with WinGDI (see MEMZ and Chloroform). You could learn to do the same, since it looks really cool. You don't need to exploit anything to make something really cool, just look at Furnace.

@@PrinceKumar-yo9lr 2 minutes and 34 seconds 👍

Too holy to get hacked 🙏

Not a coincidence.

kowinkydink?

it's GOD'S work my dude

Thats why god uses it

no cap

I still don't get why people open the SSH port when they can use wireguard since if the device is compromised all bets are off anyway

​@@AkivaB Guess it's difficult to maintain the wireguard configuration for all your devices, especially for multiple users - personally I like to use an open source mesh VPN like Tailscale or ZeroTier.

the door is wide open

😂

Breakers are one or several steps ahead of builders.

Agreed. People doing this kind of work are fascinating and awesome

There has to be an invisible hand from the intelligence community to plant some of these. I'm not saying that programmers never make mistakes that allow sploits, but those are probably the exception, not the rule.

@@brainites by definition, or they wouldn't be breakers. Sometimes builders can be ahead, as is the case with attempts at quantum computer proof crypto that is being worked on before quantum supremacy is reached.

Yeah, my mind jumped to the 90s as well

@@mephistovonfaust20 years ago is, and forever shall be, the 80s.

you're old

@@prototypeinheritance515 respect your elders, boyo. ;)

LOL exactly! :-) For me is 10-15 years ago in the 1980s and last year is about 2001. :-)

Nothing worse than when a RU-vidr bangs you, that’s for sure

Agreed 👏

I wish a RU-vidr bangs me too someday

@@_Salaar_khan 😂😂😂

just was about to comment that "everyone"-line. I doubt my mom could time the attack right.. she always forgets to compensate for latency...

Nor if there's a connection limit via firewall. Even with the biggest botnet it would take forever.

They patched it already?

@@johndank2209 It was probably patched before the paper and the CVE were announced. Package maintainers get early access to security fixes so they have ample time to prepare their backports. A backport is a fixed version with security patches applied retroactively. It's how most distros work. Since many packages are binaries, they can even advance patch most systems before the actual source code changes becomes available from the OG repository. It depends on the severity of the vulnerability, but package-managed systems can actually be fully patched up to a week before the CVE drops.

@@johndank2209 it was revealed as the patch is out

Yeah Ubuntu already patched it up on July 1st openssh 1:9.6p1-3ubuntu13.3 CVE-2024-6387 Edit: From the bug report itself 2024-05-19: We contacted OpenSSH's developers. Successive iterations of patches and patch reviews followed. 2024-06-20: We contacted the distros@openwall. 2024-07-01: Coordinated Release Date.

@@johndank2209 it was an accidental regression, should be super easy to patch. Just revert the code that was never supposed to be there anyway

there is no such thing as "safe"

ssssssshhhhhh

@@ACium. sshhhh, its "safer", not "safe"

Hahaha I see what you did here!

Don't google sssh 🤣Straight to PH

Throw in interrupts like SigAlarm and you got a nightmare.

@99temporal I see what you did there

2B OR ≠2B

You can get nailed on the first try if you're unlucky, or the timing might never work for an attacker. Even 64 bit systems could get catastrophically unlucky. At least it's an easy fix this time.

fail2ban is certainly a useful tool, but I can think of way to potentially dodge it, depending on how it's coded. Like most software, let's assume that it's been written with the assumptions of the IPv4 address space in mind. That is to say, a user is likely to have access to a handful of IP addresses, and can't easily get hold of more unless they are a large company or state actor. However, that's not true for IPv6, where essentially everyone gets access to a 64-bit block as normal practise. So if fail2ban isn't coded to take this into account, and is only banning singular IP addresses, then it's trivial to bypass with IPv6...you just change IP address on every operation. To counter this, fail2ban needs to be IPv6 aware, and ban the whole 64-bit block if just one address in it trips its alarms.

@@parad0xheart There are ways to make it detect and block IP ranges, in both ipv4 and ipv6. It just depends on whether the admin actually bothered.

​@@parad0xheartI'm not sure about fail2ban specifically, but it's standard to block the whole /64 range for IPv6. Each customer / network is supposed to get its own /64, so it makes sense to block the entire range.

@@parad0xheart or you just disable IPv6 for SSH, by setting the protocol to "inet" in ssh config.

Is that the recommended method? I also always thought It would be risky to use an ssh server outside my home network. But don't know what to do instead. What if there is a coffee shop with the same provider and open wifi nearby. Wouldn't they also have the same IP? Of course it would still be a lot harder to hack the server than.

@@leokappler2282 , your ISP typically assigns an unique but non-permanent address for each location. so your server would see different ip address at your coffee shop vs your home address unless you tunnel through your home address.

the regression has been fixed anyway already even my old ubuntu lts jammy pi home server already got a patch for it

Like OpenSSH is not present on Windows also...

Be sure to update your fail2ban sshd filter after installing openssh 9.8 ;)

This is also more exploitable as the paper mentioned on 32-bit CPUs... which in 2024, who is seriously even using 32-bit for anything, let alone a server on the Internet for anything productive? So, this is essentially a very minor issue in my eyes and shouldn't affect that many people or servers.

...i have heard whispers & jokes of "Linux" & "packet sniffing": But they're so busy laughing that I cannot understand what they're saying... Can you comment on this at all ?

That's exactly what the paper points out. (10:58)

OH LAWD! HE COMIN!

Is Rust also Thread Safe?!

@@gavabundo_0072that’s like half the whole point

@@gavabundo_0072 This vulnerability is about signal safety - that is a whole other level of safety that Rust does not provide. When the signal handler is invoked in this exploit, the heap is corrupt. If you do anything with the heap at that point, you are bound to have something exploitable and a signal handler is Rust CAN interact with the heap.

we gonna be ruSHing

Which could easily be a bigger problem than a vulnerability with no known exploit.

welcome to the world of C and C++

@@cherubin7th Been there since 2002, but thanks.

It is not by mistake. GNU is compromised and so is glibc. Keep in mind it is called "exploit" or "bug" when you cannot prove malicious intent. When intent is proven it is suddenly a backdoor. But how easy do you think it is to prove intent when code obfuscation is done and the project is bloated? GNU ls is over 2000 LoC, while FreeBSD ls is around 1200, and openBSD ls is around 600 LoC. Where would an obfuscated backdoor be easier to hide?

@@Mario1vsSonic1 It's not a hard sell, frankly. I doubt anyone seriously doubts the will that exists to have control over... _everything._

@@ForcefighterX2 +10000000

great point! 🤣

Think of a giraffe. Wild? Wild. Scary? Not so much.

This is how we all live now

@@szelest88 Yeah, what they pulled off is insane and I now have much more respect for that company. I may actually attend their next webcast.

@@szelest88 *a wild exploit has appeared* 😆

The Queen is still alive though? 🤔 I'll be embarrassed if I check the news and see that Camilla has died...

@@MenaceInc The Queen that actually mattered, not the current one

@@mochafennec Victoria? Zenobia? Cleopatra? Freddie Mercury?

unfortunately imo the only other way is IP address whitelisting. it's not pretty but it significantly reduces the attack surface

@@LowLevelLearning I can agree with you on that. Sometimes that presents a practicality problem, but it does significantly improve the posture when possible. And then in the case of this particular bug, something like fail2ban would probably go a long way in mitigation (though not closing off the bug entirely), given the large number of tries required. Thanks as always for the great content!

@@NigelVH One low-tech way to reduce risk is to require a port knock or similar. It's primitive, but still sufficient to stop most attacks.

Run SSH on a non-standard port, use fail2ban, or limit what IP blocks you allow to access (if you're in the US, do you need to allow access from other continents?). For big organizations that have their own IPv4 blocks they got from a RIR it's super easy, you just only allow from your own IP blocks and reject everything else

I think he was referring to don't connect it to the internet while using the vulnerable version, not don't use SSH for its intended purpose ever. If that's what he did mean, then there's a couple of things you can do like whitelisting only specific IPs, or port knocking, but these only reduce the attack surface not make it safe. IMO its worth the risk if you take proper cautions like, IP address whitelisting, but not using a tool just because there's a possibility it could be vulnerable is dumb.

@@callumbirks I have written unbreakable code observe int main() { return 0; }

You need a pretty stable connection for race conditions. So, working on thousands of targets would be extremely expensive.

@@somebodystealsmyname Establishing SSH connections costs very little bandwidth. Depending on the exact timing, AWS may not be enough. But a small host with good connectivity to your target ranges, which can be established with a BGP looking glass, and many of these have very limited to no KYC -- those are great for these attacks

already covered in the video. OpenSSH throttles new connections to... 100 in a second? which is why it takes 3-4 hours based on how quickly it allows connections to come in.

frfr just setup my vps yesterday for a minecraft ds-lite nat proxy tunnel and well haha sudo apt update sudo reboot

Same! I learnt more about `ssh` and `tmux` JUST YESTERDAY and now I get to watch this! ... Thank you, Ed. At least I know how to keep my `ssh` connections more secure _nauw!..._

Kind of. It does jail, but only short term from what I’ve seen. And even then it needs to be tuned since it can miss things. It’s possible for someone to attack all day up to the 60’s and not get stopped. I’m sure someone has better info on the subject but that’s what I’ve seen.

Yuffie mentioned.

I believe this is known as "port knocking".

This is just security through obscurity.

The 10000 tries the researchers got were under lab conditions. So it will mostlikely be longer in real world conditions.

Think the research group the lowest latency they were attempting at was 10ms or something crazy low like that.

You're connected via VPN and only from that internal virtual IP adress you can access the ssh (because you share the same vlan). So you can close ssh on the servers firewall. And only allow certs no passwords.

@@DeveloperChris well is a vpn technically the internet? 😂

Yes. You can screw up with signals in Rust, but you kind of have to try.

I don’t think so. A signal handler in Rust can interact with the heap which will expose you to similar issues. At the time the signal handler is invoked, the heap is in a corrupt state. There is surely a way to exploit that, even if it isn’t exactly the same bug.

@@deanjohnson8233 signals would typically be handed by Tokio or some other crate like signal_hook. These would avoid mistakes like interacting with the heap inside a signal handler. Rolling your signal handling in Rust would count as trying to be insecure to me.

​​@@deanjohnson8233Hol' up. The paper mentions "if any one of these 24 free() calls is interrupted..." and "hence free(), which is not async-signal-safe". Generally in rust, whether you're in async or sync code, the compiler makes sure all the memory is deallocated once an item goes out of scope. This stands true even if the thread panics. On top of that, you also have the type system that prevents you from using and sending non async-safe types (including functions) across multiple threads. I'm pretty sure there are still ways to screw up, but rust would make it very hard to do in the first place.

@@SanguinariusUmbra yeah but the lower levels arent made in rust. So rust is dead in the water.

I believe the code is present in their certificate or some other part of the SSH connection request. They time sending some portion of their request so that it is present in the heap with the signal handler is invoked. The signal handler then ends up executing what they had inserted in to the heap. The signal handler is one written by OpenSSH to deal with connection timeouts. The signal handler ends up interacting with the heap though, which is attacker controlled and leads to the exploit.