Vulnerabilities > CVE-2001-1141

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
openssl
ssleay
nessus
NVD
Published: 2001-07-10
Updated: 2017-10-10

Summary

The Pseudo-Random Number Generator (PRNG) in SSLeay and OpenSSL before 0.9.6b allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers.

Vulnerable Configurations

Part Description Count
Application
Openssl
7
Application
Ssleay
3

Nessus

  • NASL familyGain a shell remotely
    NASL idOPENSSL_OVERFLOW_GENERIC_TEST.NASL
    descriptionThe remote service seems to be using a version of OpenSSL that is older than 0.9.6e or 0.9.7-beta3. Such versions are affected by a buffer overflow that may allow an attacker to execute arbitrary commands on the remote host with the privileges of the application itself.
    last seen2020-03-18
    modified2002-08-05
    plugin id11060
    published2002-08-05
    reporterThis script is Copyright (C) 2002-2018 Solar Eclipse / Renaud Deraison
    sourcehttps://www.tenable.com/plugins/nessus/11060
    titleOpenSSL < 0.9.6e / 0.9.7b3 Multiple Remote Vulnerabilities
    code
    #TRUSTED 0c735fb6d18b92e7dc463c39c93d50b398065651cd7c0ed318a5d1d34834031824c3a22050ca6e31fbcc01030a07f38ce398a73c4434f40cb325e945345c784571586ec7573bbad8187a83596ed8318eaf6fbe29658c28bbe29b37b708585e162f200a9dc8e3bb88b92c4ed92cc2ba1f3a809c28160e7ce5f02d05b54fe911864cb36397a0a6c7db4ce53e6c12d096326a0b0727e3f007c5b916a75245b03a0c89887f2a18c581d7a4c49d88672878280dc6da584f38fcfb32d39750cece204f7a4cdd4d8e5a18bc563660825d4db1ee613352088fdc75b46c9dade84128772db6b409a5b09ed95b3156e4175c6d66dea8e2f1aa3db4e4c723621cec8449ba4b4869188c9e4687fd548a2c19c20bfc66382490a21d71e882380baf0c6c9b33b4382c5ce2683444bf2988676a4abe4e2865c6782ef082ebcf0ad497a1cc0c9cb35128ba8c71af2eb86b143e720d1e461e6556cd4385e503f30cea015f9d8bbaf86087917e85775f1a89b32e0323aab41988798789ba048a32d1fda6103fee96f4c882cd51ed5020991e252eee40c145fcce7c754df18a8cac345a4b4d20a503ac645e70005c5f48de74f07b68ac07b51bb6d8c05de995db8b389dce0ca9e57291b3e43a0218c94628387c12c67ba32cf4beff50a54372c43eab3040569ff783cba5fbb9ed40b3996e373be2aeec209568a4832fd3fe0d490a0857f942f69a71b9
#
# (C) Tenable Network Security, Inc.
#

# Thanks to Solar Eclipse <[email protected]>, who did most
# of the work.
#
# Will incidentally cover CVE-2001-1141 and CVE-2000-0535
#


include("compat.inc");

if (description)
{
 script_id(11060);
 script_version("1.61");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

 script_cve_id(
  "CVE-2000-0535",
  "CVE-2001-1141",
  "CVE-2002-0655",
  "CVE-2002-0656",
  "CVE-2002-0657",
  "CVE-2002-0659"
 );
 script_bugtraq_id(1340, 3004, 5361, 5362, 5363, 5364, 5366);
 script_xref(name:"SuSE", value:"SUSE-SA:2002:033");

 script_name(english:"OpenSSL < 0.9.6e / 0.9.7b3 Multiple Remote Vulnerabilities");
 script_summary(english:"Checks for the behavior of OpenSSL");

 script_set_attribute(attribute:"synopsis", value:
"The remote service uses a library that is affected by a buffer
overflow vulnerability.");
 script_set_attribute(attribute:"description", value:
"The remote service seems to be using a version of OpenSSL that is
older than 0.9.6e or 0.9.7-beta3.

Such versions are affected by a buffer overflow that may allow an
attacker to execute arbitrary commands on the remote host with the
privileges of the application itself.");
 script_set_attribute(attribute:"solution", value:"Upgrade to OpenSSL version 0.9.6e / 0.9.7beta3 or later.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');

 script_set_attribute(attribute:"plugin_publication_date", value:"2002/08/05");
 script_set_attribute(attribute:"patch_publication_date", value:"2002/07/30");
 script_set_attribute(attribute:"vuln_publication_date", value:"2001/07/10");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:openssl:openssl");
 script_end_attributes();

 script_category(ACT_MIXED_ATTACK);
 script_copyright(english:"This script is Copyright (C) 2002-2020 Solar Eclipse / Renaud Deraison");
 script_family(english:"Gain a shell remotely");
 script_dependencies("ssl_supported_versions.nasl");
 script_require_keys("SSL/Supported");

 exit(0);
}

include("byte_func.inc");
include("ftp_func.inc");
include("global_settings.inc");
include("kerberos_func.inc");
include("ldap_func.inc");
include("misc_func.inc");
include("nntp_func.inc");
include("smtp_func.inc");
include("ssl_funcs.inc");
include("telnet2_func.inc");

if ( safe_checks() && report_paranoia < 2 ) exit(0);

#------------------------------ Consts ----------------------#
client_hello = raw_string(
0x80, 0x31, 0x01, 0x00,
0x02,  0x00, 0x18,0x00,
0x00,  0x00, 0x10,0x07,
0x00, 0xC0, 0x05, 0x00,
0x80, 0x03, 0x00, 0x80,
0x01, 0x00, 0x80, 0x08,
0x00, 0x80, 0x06, 0x00,
0x40, 0x04, 0x00, 0x80,
0x02, 0x00, 0x80, 0xE4,
0xBD, 0x00, 0x00, 0xA4,
0x41, 0xB6, 0x74, 0x71,
0x2B, 0x27, 0x95, 0x44,
0xC0, 0x3D, 0xC0);


poison = raw_string(
0x80,0x5a,0x2,0x7,
0x0,0xc0,0x0,0x0,
0x0,0x40,0x0,0x10,
0x19,0x53,0xf,0x55,
0x5e,0xaa,0x68,0x71,
0x3,0x27,0x4,0x5a,
0x1f,0x5,0xea,0x33,
0x29,0x5b,0xb9,0x3f,
0x7d,0x28,0xe6,0x4c,
0xd4,0xb3,0x8e,0x36,
0x44,0xb5,0x86,0x6c,
0x6c,0x6,0xc1,0x5c,
0x45,0x73,0xb8,0x11,
0x55,0x23,0x3e,0x2a,
0x52,0xe0,0x52,0x30,
0xda,0xf8,0xee,0x15,
0x79,0xe1,0x3c,0x68,
0x36,0xd1,0x14,0x26,
0xae,0xd4,0x30,0x2,
0x0,0x0,0x0,0x0,
0x4,0x0,0x0,0x0,
0x41,0x41,0x41,0x41,
0x41,0x41,0x41,0x41);


big_poison = raw_string(
0x81, 0xca, 0x2, 0x7,
0x0, 0xc0, 0x0, 0x0,
0x0, 0x40, 0x1, 0x80,
0xa4, 0x20, 0xb4, 0x44,
0xd, 0xe, 0x7c, 0x5,
0xc2, 0x21, 0x28, 0x4d,
0xd3, 0xab, 0x6b, 0x72,
0x10, 0xa3, 0x64, 0x7e,
0x9, 0x7e, 0xe8, 0x28,
0xe, 0x98, 0x5a, 0x5,
0x2f, 0x32, 0xbb, 0xa,
0x3c, 0xe0, 0x58, 0x5a,
0xc5, 0xf1, 0x91, 0x36,
0x1a, 0x27, 0x2c, 0x37,
0x4b, 0xc2, 0xd2, 0x49,
0x28, 0xc4, 0xf1, 0x76,
0x41, 0xe5, 0xa4, 0x2d,
0xe6, 0x9a, 0x55, 0x7e,
0x27, 0x38, 0x89, 0x13,
0x0, 0x0, 0x0, 0x0,
0x4, 0x0, 0x0, 0x0,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41);



#-------- The code. We need the check what happens on each port ------------#

moderate_report =
"Note that since safe checks are enabled, this check might be fooled by
non-openssl implementations and produce a false positive.
In doubt, re-execute the scan without the safe checks";

get_kb_item_or_exit("SSL/Supported");

port = get_ssl_ports(fork:TRUE);
if (isnull(port))
  exit(1, "The host does not appear to have any SSL-based services.");

# Find out if the port is open.
if (!get_port_state(port))
  exit(0, "Port " + port + " is not open.");

# Connect to the port, issuing the StartTLS command if necessary.
soc = open_sock_ssl(port);
if (!soc)
  exit(1, "open_sock_ssl() returned NULL for port " + port + ".");

send(socket:soc, data:client_hello);
buf = recv(socket:soc, length:8192);
if(!strlen(buf))exit(0);
send(socket:soc, data:poison);
buf = recv(socket:soc, length:10);
close(soc);
if(safe_checks())
{
if(strlen(buf) > 5)security_hole(port:port, extra: moderate_report);
}
else
{
 if(strlen(buf) > 5)
 {
  # Connect to the port, issuing the StartTLS command if necessary.
  soc = open_sock_ssl(port);
  if (!soc)
    exit(1, "open_sock_ssl() returned NULL for port " + port + ".");

  send(socket:soc, data:client_hello);
  buf = recv(socket:soc, length:8192);
  if(!strlen(buf))exit(0);
  n = send(socket:soc, data:big_poison);
  if ( n != strlen(big_poison) ) exit(0);

  buf = recv(socket:soc, length:4096);
  close(soc);
  if(strlen(buf) == 0)security_hole(port);
 }
}
  • NASL familyWeb Servers
    NASL idOPENSSL_0_9_6B.NASL
    descriptionAccording to its banner, the remote web server is running a version of OpenSSL that is earlier than 0.9.6b and allows remote attackers to predict the output of the pseudo-random generator.
    last seen2020-06-01
    modified2020-06-02
    plugin id17745
    published2012-01-04
    reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/17745
    titleOpenSSL < 0.9.6b Predictable Random Generator
    code
    #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(17745);
  script_version("1.7");
  script_cvs_date("Date: 2018/07/16 14:09:14");

  script_cve_id("CVE-2001-1141");
  script_bugtraq_id(3004);

  script_name(english:"OpenSSL < 0.9.6b Predictable Random Generator");
  script_summary(english:"Does a banner check");

  script_set_attribute(attribute:"synopsis", value:
"The remote server is affected by an SSL-related vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the remote web server is running a version
of OpenSSL that is earlier than 0.9.6b and allows remote attackers to
predict the output of the pseudo-random generator.");
  script_set_attribute(attribute:"solution", value:"Upgrade to OpenSSL 0.9.6b or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2001/07/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2001/07/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/04");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:openssl:openssl");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  script_dependencies("openssl_version.nasl");
  script_require_keys("openssl/port");

  exit(0);
}

include("openssl_version.inc");

openssl_check_version(fixed:'0.9.6b', severity:SECURITY_WARNING);
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2001-065.NASL
    descriptionThe pseudo-random number generator in OpenSSL versions up to 0.9.6a has a design flaw. By knowing the output of specific PRNG requests, an attacker would be able to determine the PRNG
    last seen2020-06-01
    modified2020-06-02
    plugin id13880
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13880
    titleMandrake Linux Security Advisory : openssl (MDKSA-2001:065)

Redhat

advisories
rhsa
idRHSA-2001:051

References