Vulnerabilities > CVE-2002-0083 - Off-by-one Error vulnerability in multiple products

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

critical

nessus

exploit available

NVD

Published: 2002-03-15

Updated: 2024-02-02

Summary

Off-by-one error in the channel code of OpenSSH 2.0 through 3.0.2 allows local users or remote malicious servers to gain privileges.

Vulnerable Configurations

Part	Description	Count
OS	Conectiva Conectiva Linux Graficas Conectiva Linux 6.0 Conectiva Linux 5.1 Conectiva Linux Ecommerce Conectiva Linux 7.0 Conectiva Linux 5.0	6
OS	Mandrakesoft Mandrakesoft Mandrake Linux 7.2 Mandrakesoft Mandrake Linux 8.1 Mandrakesoft Mandrake Linux 7.1 Mandrakesoft Mandrake Linux 8.0 Mandrakesoft Mandrake Linux Corporate Server 1.0.1	6
OS	Trustix Trustix Secure Linux 1.1 Trustix Secure Linux 1.5 Trustix Secure Linux 1.2	3
OS	Suse Suse Suse Linux 7.1 Suse Suse Linux 7.3 Suse Suse Linux 7.0 Suse Suse Linux 6.4 Suse Suse Linux 7.2	15
OS	Redhat Redhat Linux 7.0 Redhat Linux 7.2 Redhat Linux 7.1	3
OS	Engardelinux Engardelinux Secure Linux 1.0.1	1
Application	Immunix Immunix Immunix 7.0	1
Application	Openpkg Openpkg Openpkg 1.0	1
Application	Mandrakesoft Mandrakesoft Mandrake Single Network Firewall 7.2	1
Application	Openbsd Openbsd Openssh 2.1 Openbsd Openssh 2.1.0 Openbsd Openssh 2.1.1 Openbsd Openssh 2.2 Openbsd Openssh 2.2.0 Openbsd Openssh 2.3 Openbsd Openssh 2.3.0 Openbsd Openssh 2.3.1 Openbsd Openssh 2.5 Openbsd Openssh 2.5.1 Openbsd Openssh 2.5.2 Openbsd Openssh 2.9 Openbsd Openssh 2.9.9 Openbsd Openssh 2.9.9P2 Openbsd Openssh 2.9P1 Openbsd Openssh 2.9P2 Openbsd Openssh 3.0 Openbsd Openssh 3.0.1 Openbsd Openssh 3.0.1P1 Openbsd Openssh 3.0.2 Openbsd Openssh 3.0.2P1 Openbsd Openssh 3.0P1	47

Common Weakness Enumeration (CWE)

CWE-193 - Off-by-one Error

Exploit-Db

description	OpenSSH 2.x/3.0.1/3.0.2 Channel Code Off-By-One Vulnerability. CVE-2002-0083. Remote exploit for unix platform
id	EDB-ID:21314
last seen	2016-02-02
modified	2002-03-07
published	2002-03-07
reporter	Morgan
source	https://www.exploit-db.com/download/21314/
title	OpenSSH 2.x/3.0.1/3.0.2 Channel Code Off-By-One Vulnerability

Nessus

NASL family	Gain a shell remotely
NASL id	OPENSSH_CHANNEL.NASL
description	You are running a version of OpenSSH which is older than 3.1. Versions prior than 3.1 are vulnerable to an off by one error that allows local users to gain root access, and it may be possible for remote users to similarly compromise the daemon for remote access. In addition, a vulnerable SSH client may be compromised by connecting to a malicious SSH daemon that exploits this vulnerability in the client code, thus compromising the client system.
last seen	2020-06-01
modified	2020-06-02
plugin id	10883
published	2002-03-07
reporter	This script is Copyright (c) 2002-2018 Thomas Reinke
source	https://www.tenable.com/plugins/nessus/10883
title	OpenSSH < 3.1 Channel Code Off by One Remote Privilege Escalation
code	# # This script was written by Thomas reinke <[email protected]> # # See the Nessus Scripts License for details # # Changes by Tenable: # - Revised plugin title, formatted output, changed family (8/18/09) include("compat.inc"); if (description) { script_id(10883); script_version("1.25"); script_cvs_date("Date: 2018/07/16 14:09:13"); script_cve_id("CVE-2002-0083"); script_bugtraq_id(4241); script_name(english:"OpenSSH < 3.1 Channel Code Off by One Remote Privilege Escalation"); script_summary(english:"Checks for the remote OpenSSH version"); script_set_attribute(attribute:"synopsis", value: "Arbitrary code may be run on the remote host." ); script_set_attribute(attribute:"description", value: "You are running a version of OpenSSH which is older than 3.1. Versions prior than 3.1 are vulnerable to an off by one error that allows local users to gain root access, and it may be possible for remote users to similarly compromise the daemon for remote access. In addition, a vulnerable SSH client may be compromised by connecting to a malicious SSH daemon that exploits this vulnerability in the client code, thus compromising the client system." ); script_set_attribute(attribute:"solution", value: "Upgrade to OpenSSH 3.1 or apply the patch for prior versions. (See: http://www.openssh.org)" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_cwe_id(189); script_set_attribute(attribute:"plugin_publication_date", value: "2002/03/07"); script_set_attribute(attribute:"vuln_publication_date", value: "2002/03/07"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (c) 2002-2018 Thomas Reinke"); script_family(english:"Gain a shell remotely"); script_dependencie("ssh_detect.nasl"); script_require_ports("Services/ssh", 22); exit(0); } include("backport.inc"); include("global_settings.inc"); include("misc_func.inc"); # Ensure the port is open. port = get_service(svc:"ssh", exit_on_fail:TRUE); # Get banner for service. banner = get_kb_item_or_exit("SSH/banner/"+port); bp_banner = tolower(get_backport_banner(banner:banner)); if ("openssh" >!< bp_banner) exit(0, "The SSH service on port "+port+" is not OpenSSH."); if (backported) exit(1, "The banner from the OpenSSH server on port "+port+" indicates patches may have been backported."); if (ereg(pattern:"openssh[-_](2\..*\|3\.0)" , string:bp_banner)) security_hole(port);

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-119.NASL
description	Joost Pol reports that OpenSSH versions 2.0 through 3.0.2 have an off-by-one bug in the channel allocation code. This vulnerability can be exploited by authenticated users to gain root privilege or by a malicious server exploiting a client with this bug.
last seen	2018-07-10
modified	2018-07-09
plugin id	14956
published	2004-09-29
reporter	Tenable
source	https://www.tenable.com/plugins/index.php?view=single&id=14956
title	Debian DSA-119-1 : ssh -- local root exploit, remote client exploit

NASL family	Mandriva Local Security Checks
NASL id	MANDRAKE_MDKSA-2002-019.NASL
description	Joost Pol found a bug in the channel code of all versions of OpenSSH from 2.0 to 3.0.2. This bug can allow authenticated users with an existing account on the vulnerable system to obtain root privilege or by a malicious server attacking a vulnerable client. OpenSSH 3.1 is not vulnerable to this problem. The provided packages fix this vulnerability.
last seen	2020-06-01
modified	2020-06-02
plugin id	13927
published	2004-07-31
reporter	This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/13927
title	Mandrake Linux Security Advisory : openssh (MDKSA-2002:019)

NASL family	Misc.
NASL id	SUNSSH_PLAINTEXT_RECOVERY.NASL
description	The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.
last seen	2020-06-01
modified	2020-06-02
plugin id	55992
published	2011-08-29
reporter	This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/55992
title	SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure

NASL family	Misc.
NASL id	OPENSSH_301.NASL
description	According to its banner, the remote host appears to be running OpenSSH version 3.0.1 or older. Such versions are reportedly affected by multiple flaws : - Provided KerberosV is enabled (disabled by default), it may be possible for an attacker to partially authenticate. - It may be possible to crash the daemon due to a excessive memory clearing bug.
last seen	2020-06-01
modified	2020-06-02
plugin id	10802
published	2001-11-20
reporter	This script is Copyright (C) 2001-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/10802
title	OpenSSH < 3.0.1 Multiple Flaws

Redhat

advisories

rhsa

id	RHSA-2002:043

References

CVE is a registered MITRE Corporation trademark and MITRE's CVE website is the authoritative source of CVE content. CWE is a registered MITRE Corporation trademark and MITRE's CWE website is the authoritative source of CWE content.