Vulnerabilities > CVE-2001-0529 - Unspecified vulnerability in Openbsd Openssh
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN openbsd
nessus
Summary
OpenSSH version 2.9 and earlier, with X forwarding enabled, allows a local attacker to delete any file named 'cookies' via a symlink attack.
Vulnerable Configurations
Nessus
NASL family Misc. NASL id SUNSSH_PLAINTEXT_RECOVERY.NASL description The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them. last seen 2020-06-01 modified 2020-06-02 plugin id 55992 published 2011-08-29 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/55992 title SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(55992); script_version("1.17"); script_cvs_date("Date: 2018/07/31 17:27:54"); script_cve_id( "CVE-2000-0525", "CVE-2000-1169", "CVE-2001-0361", "CVE-2001-0529", "CVE-2001-0572", "CVE-2001-0816", "CVE-2001-0872", "CVE-2001-1380", "CVE-2001-1382", "CVE-2001-1459", "CVE-2001-1507", "CVE-2001-1585", "CVE-2002-0083", "CVE-2002-0575", "CVE-2002-0639", "CVE-2002-0640", "CVE-2002-0765", "CVE-2003-0190", "CVE-2003-0386", "CVE-2003-0682", "CVE-2003-0693", "CVE-2003-0695", "CVE-2003-0786", "CVE-2003-0787", "CVE-2003-1562", "CVE-2004-0175", "CVE-2004-1653", "CVE-2004-2069", "CVE-2004-2760", "CVE-2005-2666", "CVE-2005-2797", "CVE-2005-2798", "CVE-2006-0225", "CVE-2006-4924", "CVE-2006-4925", "CVE-2006-5051", "CVE-2006-5052", "CVE-2006-5229", "CVE-2006-5794", "CVE-2007-2243", "CVE-2007-2768", "CVE-2007-3102", "CVE-2007-4752", "CVE-2008-1483", "CVE-2008-1657", "CVE-2008-3259", "CVE-2008-4109", "CVE-2008-5161" ); script_bugtraq_id(32319); script_xref(name:"CERT", value:"958563"); script_name(english:"SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure"); script_summary(english:"Checks SSH banner"); script_set_attribute( attribute:"synopsis", value: "The SSH service running on the remote host has an information disclosure vulnerability." ); script_set_attribute( attribute:"description", value: "The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them." ); # http://web.archive.org/web/20090523091544/http://www.cpni.gov.uk/docs/vulnerability_advisory_ssh.txt script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?4984aeb9"); # http://hub.opensolaris.org/bin/view/Community+Group+security/SSH#HHistoryofSunSSH script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?b679208a"); script_set_attribute(attribute:"see_also",value:"http://blogs.oracle.com/janp/entry/on_sunssh_versioning"); script_set_attribute( attribute:"solution", value:"Upgrade to SunSSH 1.1.1 / 1.3 or later" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_cwe_id(16, 20, 22, 189, 200, 255, 264, 287, 310, 362, 399); script_set_attribute(attribute:"vuln_publication_date",value:"2008/11/17"); script_set_attribute(attribute:"patch_publication_date",value:"2008/12/11"); script_set_attribute(attribute:"plugin_publication_date",value:"2011/08/29"); script_set_attribute(attribute:"plugin_type",value:"remote"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_dependencies("ssh_detect.nasl"); script_require_ports("Services/ssh"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); # Ensure the port is open. port = get_service(svc:"ssh", default:22, exit_on_fail:TRUE); # Get banner for service. banner = get_kb_item_or_exit("SSH/banner/" + port); # Check that we're using SunSSH. if ('sun_ssh' >!< tolower(banner)) exit(0, "The SSH service on port " + port + " is not SunSSH."); # Check the version in the banner. match = eregmatch(string:banner, pattern:"sun_ssh[-_]([0-9.]+)$", icase:TRUE); if (isnull(match)) exit(1, "Could not parse the version string from the banner on port " + port + "."); else version = match[1]; # the Oracle (Sun) blog above explains how the versioning works. we could # probably explicitly check for each vulnerable version if it came down to it if ( ver_compare(ver:version, fix:'1.1.1', strict:FALSE) == -1 || version == '1.2' ) { if (report_verbosity > 0) { report = '\n Version source : ' + banner + '\n Installed version : ' + version + '\n Fixed version : 1.1.1 / 1.3\n'; security_hole(port:port, extra:report); } else security_hole(port); } else exit(0, "The SunSSH server on port "+port+" is not affected as it's version "+version+".");NASL family Misc. NASL id OPENSSH_29P2.NASL description According to the banner, OpenSSH earlier than 2.9.9 / 2.9p2 is running on the remote host. Such versions contain an arbitrary file deletion vulnerability. Due to insecure handling of temporary files, a local attacker can cause sshd to delete any file it can access named last seen 2020-06-01 modified 2020-06-02 plugin id 44071 published 2011-10-04 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/44071 title OpenSSH < 2.9.9 / 2.9p2 Symbolic Link 'cookies' File Removal code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(44071); script_version("1.5"); script_cvs_date("Date: 2018/11/15 20:50:23"); script_cve_id("CVE-2001-0529"); script_bugtraq_id(2825); script_name(english:"OpenSSH < 2.9.9 / 2.9p2 Symbolic Link 'cookies' File Removal"); script_summary(english:"Checks the version reported in the SSH banner."); script_set_attribute( attribute:"synopsis", value:"Local attackers may be able to delete arbitrary files." ); script_set_attribute( attribute:"description", value: "According to the banner, OpenSSH earlier than 2.9.9 / 2.9p2 is running on the remote host. Such versions contain an arbitrary file deletion vulnerability. Due to insecure handling of temporary files, a local attacker can cause sshd to delete any file it can access named 'cookies'." ); script_set_attribute( attribute:"solution", value:"Upgrade to OpenSSH 2.9.9 / 2.9p2 or later." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:N/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"see_also", value:"http://www.openssh.com/txt/release-2.9.9"); script_set_attribute(attribute:"see_also", value:"http://www.openssh.com/txt/release-2.9p2"); script_set_attribute(attribute:"see_also", value:"https://www.openssh.com/security.html"); script_set_attribute(attribute:"vuln_publication_date", value:"2001/06/04"); script_set_attribute(attribute:"patch_publication_date", value:"2001/09/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/10/04"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_dependencies("ssh_detect.nasl"); script_require_ports("Services/ssh"); exit(0); } include("backport.inc"); include("global_settings.inc"); include("misc_func.inc"); port = get_service(svc:"ssh", exit_on_fail:TRUE); banner = get_kb_item_or_exit("SSH/banner/"+port); bp_banner = tolower(get_backport_banner(banner:banner)); if ("openssh" >!< bp_banner) exit(0, "The SSH service on port "+port+" is not OpenSSH."); if (backported) exit(1, "The banner from the OpenSSH server on port "+port+" indicates patches may have been backported."); # Check the version in the backported banner. match = eregmatch(string:bp_banner, pattern:"openssh[-_]([0-9][-._0-9a-z]+)"); if (isnull(match)) exit(1, "Could not parse the version string in the banner from port "+port+"."); version = match[1]; if (version !~ "^[0-9.]+p[0-9]+") { # Pull out numeric portion of version of the native OpenBSD version. matches = eregmatch(string:version, pattern:"^([0-9.]+)"); if (isnull(matches)) exit(1, "Error parsing version ("+version+") from the SSH service listening on port "+port+"."); fix = "2.9.9"; if (ver_compare(ver:matches[1], fix:fix, strict:FALSE) >= 0) exit(0, "The OpenSSH server on port "+port+" is not affected as it's version "+version+"."); } else { # Pull out numeric portion of version of the portable version. matches = eregmatch(string:version, pattern:"^([0-9.]+)p([0-9]+)"); if (isnull(matches)) exit(1, "Error parsing version ("+version+") from the SSH service listening on port "+port+"."); fix = "2.9p2"; if ( (ver_compare(ver:matches[1], fix:"2.9", strict:FALSE) > 0) || (matches[1] == "2.9" && int(matches[2]) >= 2) ) exit(0, "The OpenSSH server on port "+port+" is not affected as it's version "+version+"."); } if (report_verbosity > 0) { report = '\n Version source : ' + banner + '\n Installed version : ' + version + '\n Fixed version : ' + fix + '\n'; security_note(port:port, extra:report); } else security_note(port);
References
- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-010.txt.asc
- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-010.txt.asc
- http://archives.neohapsis.com/archives/bugtraq/2001-05/0322.html
- http://archives.neohapsis.com/archives/bugtraq/2001-05/0322.html
- http://archives.neohapsis.com/archives/bugtraq/2001-06/0007.html
- http://archives.neohapsis.com/archives/bugtraq/2001-06/0007.html
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000431
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000431
- http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-034-01
- http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-034-01
- http://online.securityfocus.com/archive/1/188737
- http://online.securityfocus.com/archive/1/188737
- http://www.calderasystems.com/support/security/advisories/CSSA-2001-023.0.txt
- http://www.calderasystems.com/support/security/advisories/CSSA-2001-023.0.txt
- http://www.kb.cert.org/vuls/id/655259
- http://www.kb.cert.org/vuls/id/655259
- http://www.openbsd.org/errata29.html
- http://www.openbsd.org/errata29.html
- http://www.osvdb.org/1853
- http://www.osvdb.org/1853
- http://www.securityfocus.com/bid/2825
- http://www.securityfocus.com/bid/2825
- https://exchange.xforce.ibmcloud.com/vulnerabilities/6676
- https://exchange.xforce.ibmcloud.com/vulnerabilities/6676