|
|
|
|
|
|
by chasil
712 days ago
|
|
|
However, we see the -D option on the listening parent: $ ps ax | grep sshd | head -1
1306 ? Ss 0:01 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
As mentioned elsewhere here, is -D sufficient to avoid exploitation, or is -e necessary as well? $ man sshd | sed -n '/ -[De]/,/^$/p'
-D When this option is specified, sshd will not
detach and does not become a daemon. This
allows easy monitoring of sshd.
-e Write debug logs to standard error instead
of the system log.
RHEL9 is also 64-bit only, and we see from the notice:"we have started to work on an amd64 exploit, which is much harder because of the stronger ASLR." On top of writing the exploit to target 32-bit environments, this also requires a DSA key that implements multiple calls to free(). There is a section on "Rocky Linux 9" near the end of the linked advisory where unsuccessful exploit attempts are discussed. |
|
|
https://github.com/openssh/openssh-portable/blob/V_9_8_P1/ss...
sshd.c handles no_daemon (-D) and log_stderr (-e) independently. log_stderr is what is given to log_init in log.c that gates the call to syslog functions. There is a special case to set log_stderr to true if debug_flag (-d) is set, but nothing for no_daemon.
I can't test it right now though so I may be missing something.