CVE-2000-0525 - Unspecified vulnerability in Openbsd Openssh 1.2/1.2.3/2.1
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Summary
OpenSSH does not properly drop privileges when the UseLogin option is enabled, which allows local users to execute arbitrary commands by providing the command to the ssh daemon.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 3 |
Nessus
NASL family: Misc.
NASL id: OPENSSH_USELOGIN.NASL
description: According to its banner, the remote host appears to be running an OpenSSH version older than 2.1.1. Such versions are reportedly affected by a local privilege escalation vulnerability. If the UseLogin option is enabled, then sshd does not switch to the uid of the user logging in. Instead, sshd relies on login(1) to do the job. However, if the user specifies a command for remote execution, login(1) cannot be used and sshd fails to set the correct user id, so the command is run with the same privilege as sshd (usually root privileges).
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 10439
published: 2000-06-10
reporter: This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/10439
title: OpenSSH < 2.1.1 UseLogin Local Privilege Escalation

NASL family: Misc.
NASL id: SUNSSH_PLAINTEXT_RECOVERY.NASL
description: The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 55992
published: 2011-08-29
reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/55992
title: SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure