Vulnerabilities > CVE-2001-0553 - Unspecified vulnerability in SSH Secure Shell 3.0.0

CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
low complexity
ssh
nessus
exploit available

Summary

SSH Secure Shell 3.0.0 on Unix systems does not properly perform password authentication to the sshd2 daemon, which allows local users to gain access to accounts with short password fields, such as locked accounts that use "NP" in the password field.

Vulnerable Configurations

Part Description Count
Application
Ssh
1

Exploit-Db

description: SSH2 3.0 Short Password Login Vulnerability. CVE-2001-0553. Remote exploit for unix platform
id: EDB-ID:21021
last seen: 2016-02-02
modified: 2001-07-21
published: 2001-07-21
reporter: hypoclear
source: https://www.exploit-db.com/download/21021/
title: SSH2 3.0 Short Password Login Vulnerability

Nessus

NASL family: Misc.
NASL id: SSH3_PASSWD.NASL
description: The remote host is running SSH 3.0.0. There is a bug in this release which allows any user to log into accounts whose password entry is two characters long or less. An attacker might gain root privileges using this flaw.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 10708
published: 2001-07-21
reporter: This script is Copyright (C) 2001-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/10708
title: SSH 3.0.0 Locked Account Remote Authentication Bypass
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

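# Plugin registration block. It runs only when the scanner asks the script to
# describe itself; the trailing exit(0) stops execution before the detection
# code further down. Nothing here touches the target host.
if (description)
{
  # Identifiers that tie this check to the advisory it covers.
  script_id(10708);
  script_version("1.24");
  script_cve_id("CVE-2001-0553");
  script_bugtraq_id(3078);

  script_name(english:"SSH 3.0.0 Locked Account Remote Authentication Bypass");

  script_set_attribute(attribute:"synopsis", value:
"An attacker might be able to use the remote SSH server
to log into the remote host without proper credentials" );
  script_set_attribute(attribute:"description", value:
"The remote host is running SSH 3.0.0.  There is a bug in this 
release which allows any user to log into accounts whose 
password entry is two characters long or less.

An attacker might gain root privileges using this flaw." );
  script_set_attribute(attribute:"solution", value:
"Upgrade to version 3.0.1 of SSH which solves this problem." );

  # NOTE(review): this vector (network, high complexity, partial impact) differs
  # from the local / complete-impact CVSS 7.2 scoring shown for the CVE at the
  # top of the page. Reconcile the two before using either for prioritisation.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_publication_date", value: "2001/07/21");
  script_set_attribute(attribute:"vuln_publication_date", value: "2001/07/21");
  script_cvs_date("Date: 2018/07/30 15:31:32");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_summary(english:"Checks for the remote SSH version");
  # ACT_GATHER_INFO: the check infers exposure from the version banner only.
  # No login is attempted, so a hit means "version matches", not "bypass confirmed".
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2001-2018 Tenable Network Security, Inc.");
  script_family(english:"Misc.");
  # The detection code reads the Services/ssh and SSH/banner/<port> KB entries,
  # so the SSH detection plugin has to run first.
  script_dependencie("ssh_detect.nasl");
  script_require_ports("Services/ssh", 22);
  exit(0);
}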

#
# The script code starts here
#
include("backport.inc");


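# Banner-based version check for SSH Secure Shell 3.0.0 (CVE-2001-0553).
#
# Limits of this check, for whoever triages the finding:
#  - It reads the banner stored in the KB; it makes no connection and attempts
#    no login, so it cannot tell whether any account on the host actually has
#    a password field of two characters or less.
#  - The advisory text on this page scopes the flaw to Unix systems; the banner
#    alone does not establish the platform.
#  - A customised or suppressed banner produces a false negative.
# Confirm against the installed package version before closing or escalating.

# Use the SSH port recorded in the KB, falling back to the default port.
port = get_kb_item("Services/ssh");
if (!port) port = 22;

banner = get_kb_item("SSH/banner/" + port);
if (!banner) exit(0);

# Pass the banner through backport.inc and lower-case it so the comparisons
# below are case-insensitive.
banner = tolower(get_backport_banner(banner:banner));

# This CVE is specific to SSH Secure Shell; OpenSSH banners are skipped.
if ("openssh" >< banner) exit(0);

# Require 3.0.0 to be the software-version field of the identification string
# ("ssh-<proto>-3.0.0 ...") and not part of a longer version number. A plain
# substring test would also fire on banners such as 3.0.0.1 or 13.0.0, or on
# a "3.0.0" that appears only in the trailing comment text.
if (ereg(pattern:"^ssh-[0-9.]+-3\.0\.0([^0-9.]|$)", string:banner))
  security_warning(port);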