-
Notifications
You must be signed in to change notification settings - Fork 0
/
remediate_regression_exploit.sh
187 lines (150 loc) · 5.24 KB
/
remediate_regression_exploit.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
#!/bin/bash
USAGE="
#===========================================================#
| ___ _ ____ |
| / _ \ ___| |__ ___ _ __ _ __ ___| _ \ _ __ ___ |
| | | | / __| '_ \ / _ \| '__| '_ \ / _ \ |_) | '__/ _ \ |
| | |_| \__ \ |_) | (_) | | | | | | __/ __/| | | (_) | |
| \___/|___/_.__/ \___/|_| |_| |_|\___|_| |_| \___/ |
#-----------------------------------------------------------#
| If you can't beat 'em, tech 'em! | https://osbornepro.com |
#===========================================================#
SYNTAX:
$0 [-h]
DESCRIPTION:
This script is used to check for and install OpenSSH v9.8p1 if vulnerable to CVE-2024-6387 RegreSSHion exploit
REFERENCE:
https://www.qualys.com/regresshion-cve-2024-6387/
REQUIREMENTS:
1.) Internet access
CONTACT INFORMATION
Author: Robert H. Osborne (OsbornePro)
Contact: rosborne@osbornepro.com
Website: https://osbornepro.com
USAGE:
$0 [-h]
OPTIONS:
-h : Displays the help information for the command.
EXAMPLES:
$0 -h
# This example returns the help information on how to use this command
"
OSID=$(grep ID_LIKE /etc/os-release | cut -d"=" -f 2)
# Function to allow ctrl + c stoppage
function allow_ctrlc {
# Allow Ctrl+C to stop execution
trap '
trap - INT # restore default INT handler
kill -s INT "$$"
' INT
} # End function allow_ctrlc
# Function to print help info
function print_usage {
printf "$USAGE\n" >&2
exit 3
} # End function print_usage
# Function to check SSH version
check_ssh_version() {
ssh_version_output=$(ssh -V 2>&1)
echo "$ssh_version_output"
} # End function check_ssh_version
# Function to parse SSH version
parse_ssh_version() {
ssh_version_output=$1
ssh_version=$(echo "$ssh_version_output" | awk '{print $1}' | awk -F'[_ ]' '{print $2}')
echo "$ssh_version"
} # End function parse_ssh_version
# Function to determine vulnerability status
is_vulnerable() {
ssh_version=$1
# Compare versions using sort -V
if [[ $(printf '%s\n' "$ssh_version" "4.4p1" | sort -V | head -n1) == "$ssh_version" ]] || \
([[ $(printf '%s\n' "$ssh_version" "8.5p1" | sort -V | head -n1) != "$ssh_version" ]] && \
[[ $(printf '%s\n' "$ssh_version" "9.8p1" | sort -V | head -n1) == "$ssh_version" ]]); then
echo "true"
else
echo "false"
fi
} # End function is_vulnerable
# Install dependencies based on the OS
install_dependencies() {
if [[ "$OSID" == '"debian"' ]]; then
apt-get update
apt-get install -y build-essential zlib1g-dev libssl-dev libpam0g-dev libselinux1-dev pkg-config wget curl
elif [[ "$OSID" == '"fedora"' ]]; then
yum install -y gcc make zlib-devel openssl-devel pam-devel libselinux-devel pkgconfig wget curl
fi
} # End function install_dependencies
# Compile and install OpenSSH v9.8p1
compile_openssh() {
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz -P /tmp/
tar -xzf /tmp/openssh-9.8p1.tar.gz -C /tmp/
cd /tmp/openssh-9.8p1
echo "[-] Compiling new ssh binary"
./configure > /dev/null 2>&1
make > /dev/null 2>&1
} # End function compile_openssh
# Clean up OpenSSH source code and tarball
cleanup() {
rm -rf -- /tmp/openssh-9.8p1 /tmp/openssh-9.8p1.tar.gz
} # End function cleanup
# Restart SSH service
restart_ssh_service() {
if [[ "$OSID" == '"debian"' ]]; then
systemctl restart ssh || systemctl restart sshd
elif [[ "$OSID" == '"fedora"' ]]; then
systemctl restart sshd
fi
} # End function restart_ssh_service
# Function to rename all ssh binaries
rename_ssh_binaries() {
find / -type f -name ssh -exec mv {} {}.old \; -exec echo {}.old \; 2>/dev/null
} # End function rename_ssh_binaries
# Function to move new ssh binary to all locations
move_new_ssh_binary() {
local ssh_paths=("$@")
for old_path in "${ssh_paths[@]}"; do
new_path="${old_path%.old}"
cp /tmp/openssh-9.8p1/ssh.old "$new_path"
done
} # End function move_new_ssh_binary
# Ensure the script is run as root
if [[ $EUID -ne 0 ]]; then
echo "[-] This script must be run as root" 1>&2
exit 1
fi
# Main script
allow_ctrlc
while [ ! -z "$1" ]; do
case "$1" in
-h)
shift
print_usage
exit 1
;;
esac
shift
done
ssh_version_output=$(check_ssh_version)
echo "[-] Current Version: $ssh_version_output"
ssh_version=$(parse_ssh_version "$ssh_version_output")
if [ -n "$ssh_version" ]; then
vulnerable=$(is_vulnerable "$ssh_version")
if [ "$vulnerable" == "true" ]; then
echo "[!] SSH version $ssh_version is vulnerable to the RegreSSHion exploit. Remediating issue."
install_dependencies
compile_openssh
# Rename all ssh binaries and save their paths
ssh_paths=($(rename_ssh_binaries))
move_new_ssh_binary "${ssh_paths[@]}"
cleanup
restart_ssh_service
new_ssh_version=$(check_ssh_version)
echo "[-] New SSH Version: $new_ssh_version"
else
echo "[-] SSH version $ssh_version is not vulnerable to RegreSSHion exploit :-)"
fi
else
echo "[x] Failed to determine SSH version."
exit 1
fi