Vulnerabilities > CVE-2002-0083 - Off-by-one Error vulnerability in multiple products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH

Summary

Off-by-one error in the channel code of OpenSSH 2.0 through 3.0.2 allows local users or remote malicious servers to gain privileges.

Common Weakness Enumeration (CWE)

Exploit-Db

descriptionOpenSSH 2.x/3.0.1/3.0.2 Channel Code Off-By-One Vulnerability. CVE-2002-0083. Remote exploit for unix platform
idEDB-ID:21314
last seen2016-02-02
modified2002-03-07
published2002-03-07
reporterMorgan
sourcehttps://www.exploit-db.com/download/21314/
titleOpenSSH 2.x/3.0.1/3.0.2 Channel Code Off-By-One Vulnerability

Nessus

  • NASL familyGain a shell remotely
    NASL idOPENSSH_CHANNEL.NASL
    descriptionYou are running a version of OpenSSH which is older than 3.1. Versions prior than 3.1 are vulnerable to an off by one error that allows local users to gain root access, and it may be possible for remote users to similarly compromise the daemon for remote access. In addition, a vulnerable SSH client may be compromised by connecting to a malicious SSH daemon that exploits this vulnerability in the client code, thus compromising the client system.
    last seen2020-06-01
    modified2020-06-02
    plugin id10883
    published2002-03-07
    reporterThis script is Copyright (c) 2002-2018 Thomas Reinke
    sourcehttps://www.tenable.com/plugins/nessus/10883
    titleOpenSSH < 3.1 Channel Code Off by One Remote Privilege Escalation
    code
    #
    # This script was written by Thomas reinke <[email protected]>
    #
    # See the Nessus Scripts License for details
    #
    
    # Changes by Tenable:
    # - Revised plugin title, formatted output, changed family (8/18/09)
    
    
    include("compat.inc");
    
    if (description)
    {
      script_id(10883);
      script_version("1.25");
      script_cvs_date("Date: 2018/07/16 14:09:13");
    
      script_cve_id("CVE-2002-0083");
      script_bugtraq_id(4241);
    
      script_name(english:"OpenSSH < 3.1 Channel Code Off by One Remote Privilege Escalation");
      script_summary(english:"Checks for the remote OpenSSH version");
     
      script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code may be run on the remote host." );
      script_set_attribute(attribute:"description", value:
    "You are running a version of OpenSSH which is older than 3.1.
    
    Versions prior than 3.1 are vulnerable to an off by one error
    that allows local users to gain root access, and it may be
    possible for remote users to similarly compromise the daemon
    for remote access.
    
    In addition, a vulnerable SSH client may be compromised by
    connecting to a malicious SSH daemon that exploits this
    vulnerability in the client code, thus compromising the
    client system." );
      script_set_attribute(attribute:"solution", value:
    "Upgrade to OpenSSH 3.1 or apply the patch for
    prior versions. (See: http://www.openssh.org)" );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(189);
    	
      script_set_attribute(attribute:"plugin_publication_date", value: "2002/03/07");
      script_set_attribute(attribute:"vuln_publication_date", value: "2002/03/07");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh");
      script_end_attributes();
    
     
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (c) 2002-2018 Thomas Reinke");
      script_family(english:"Gain a shell remotely");
      script_dependencie("ssh_detect.nasl");
      script_require_ports("Services/ssh", 22);
     
      exit(0);
    }
    
    include("backport.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Ensure the port is open.
    port = get_service(svc:"ssh", exit_on_fail:TRUE);
    
    # Get banner for service.
    banner = get_kb_item_or_exit("SSH/banner/"+port);
    
    bp_banner = tolower(get_backport_banner(banner:banner));
    if ("openssh" >!< bp_banner) exit(0, "The SSH service on port "+port+" is not OpenSSH.");
    if (backported) exit(1, "The banner from the OpenSSH server on port "+port+" indicates patches may have been backported.");
    
    if (ereg(pattern:"openssh[-_](2\..*|3\.0)" , string:bp_banner))
      security_hole(port);
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-119.NASL
    descriptionJoost Pol reports that OpenSSH versions 2.0 through 3.0.2 have an off-by-one bug in the channel allocation code. This vulnerability can be exploited by authenticated users to gain root privilege or by a malicious server exploiting a client with this bug.
    last seen2018-07-10
    modified2018-07-09
    plugin id14956
    published2004-09-29
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=14956
    titleDebian DSA-119-1 : ssh -- local root exploit, remote client exploit
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2002-019.NASL
    descriptionJoost Pol found a bug in the channel code of all versions of OpenSSH from 2.0 to 3.0.2. This bug can allow authenticated users with an existing account on the vulnerable system to obtain root privilege or by a malicious server attacking a vulnerable client. OpenSSH 3.1 is not vulnerable to this problem. The provided packages fix this vulnerability.
    last seen2020-06-01
    modified2020-06-02
    plugin id13927
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13927
    titleMandrake Linux Security Advisory : openssh (MDKSA-2002:019)
  • NASL familyMisc.
    NASL idSUNSSH_PLAINTEXT_RECOVERY.NASL
    descriptionThe version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.
    last seen2020-06-01
    modified2020-06-02
    plugin id55992
    published2011-08-29
    reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/55992
    titleSunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure
  • NASL familyMisc.
    NASL idOPENSSH_301.NASL
    descriptionAccording to its banner, the remote host appears to be running OpenSSH version 3.0.1 or older. Such versions are reportedly affected by multiple flaws : - Provided KerberosV is enabled (disabled by default), it may be possible for an attacker to partially authenticate. - It may be possible to crash the daemon due to a excessive memory clearing bug.
    last seen2020-06-01
    modified2020-06-02
    plugin id10802
    published2001-11-20
    reporterThis script is Copyright (C) 2001-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/10802
    titleOpenSSH < 3.0.1 Multiple Flaws

Redhat

advisories
rhsa
idRHSA-2002:043

References