Vulnerabilities > CVE-2002-0083 - Off-by-one Error vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH network
low complexity
conectiva
immunix
openpkg
mandrakesoft
openbsd
trustix
suse
redhat
engardelinux
CWE-193
critical
nessus
exploit available
Summary
Off-by-one error in the channel code of OpenSSH 2.0 through 3.0.2 allows local users or remote malicious servers to gain privileges.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | 6 | |
OS | 6 | |
OS | 3 | |
OS | 15 | |
OS | 3 | |
OS | 1 | |
Application | 1 | |
Application | 1 | |
Application | 1 | |
Application | Openbsd
| 47 |
Common Weakness Enumeration (CWE)
Exploit-Db
description | OpenSSH 2.x/3.0.1/3.0.2 Channel Code Off-By-One Vulnerability. CVE-2002-0083. Remote exploit for unix platform |
id | EDB-ID:21314 |
last seen | 2016-02-02 |
modified | 2002-03-07 |
published | 2002-03-07 |
reporter | Morgan |
source | https://www.exploit-db.com/download/21314/ |
title | OpenSSH 2.x/3.0.1/3.0.2 Channel Code Off-By-One Vulnerability |
Nessus
NASL family Gain a shell remotely NASL id OPENSSH_CHANNEL.NASL description You are running a version of OpenSSH which is older than 3.1. Versions prior than 3.1 are vulnerable to an off by one error that allows local users to gain root access, and it may be possible for remote users to similarly compromise the daemon for remote access. In addition, a vulnerable SSH client may be compromised by connecting to a malicious SSH daemon that exploits this vulnerability in the client code, thus compromising the client system. last seen 2020-06-01 modified 2020-06-02 plugin id 10883 published 2002-03-07 reporter This script is Copyright (c) 2002-2018 Thomas Reinke source https://www.tenable.com/plugins/nessus/10883 title OpenSSH < 3.1 Channel Code Off by One Remote Privilege Escalation code # # This script was written by Thomas reinke <[email protected]> # # See the Nessus Scripts License for details # # Changes by Tenable: # - Revised plugin title, formatted output, changed family (8/18/09) include("compat.inc"); if (description) { script_id(10883); script_version("1.25"); script_cvs_date("Date: 2018/07/16 14:09:13"); script_cve_id("CVE-2002-0083"); script_bugtraq_id(4241); script_name(english:"OpenSSH < 3.1 Channel Code Off by One Remote Privilege Escalation"); script_summary(english:"Checks for the remote OpenSSH version"); script_set_attribute(attribute:"synopsis", value: "Arbitrary code may be run on the remote host." ); script_set_attribute(attribute:"description", value: "You are running a version of OpenSSH which is older than 3.1. Versions prior than 3.1 are vulnerable to an off by one error that allows local users to gain root access, and it may be possible for remote users to similarly compromise the daemon for remote access. In addition, a vulnerable SSH client may be compromised by connecting to a malicious SSH daemon that exploits this vulnerability in the client code, thus compromising the client system." ); script_set_attribute(attribute:"solution", value: "Upgrade to OpenSSH 3.1 or apply the patch for prior versions. (See: http://www.openssh.org)" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_cwe_id(189); script_set_attribute(attribute:"plugin_publication_date", value: "2002/03/07"); script_set_attribute(attribute:"vuln_publication_date", value: "2002/03/07"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (c) 2002-2018 Thomas Reinke"); script_family(english:"Gain a shell remotely"); script_dependencie("ssh_detect.nasl"); script_require_ports("Services/ssh", 22); exit(0); } include("backport.inc"); include("global_settings.inc"); include("misc_func.inc"); # Ensure the port is open. port = get_service(svc:"ssh", exit_on_fail:TRUE); # Get banner for service. banner = get_kb_item_or_exit("SSH/banner/"+port); bp_banner = tolower(get_backport_banner(banner:banner)); if ("openssh" >!< bp_banner) exit(0, "The SSH service on port "+port+" is not OpenSSH."); if (backported) exit(1, "The banner from the OpenSSH server on port "+port+" indicates patches may have been backported."); if (ereg(pattern:"openssh[-_](2\..*|3\.0)" , string:bp_banner)) security_hole(port);
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-119.NASL description Joost Pol reports that OpenSSH versions 2.0 through 3.0.2 have an off-by-one bug in the channel allocation code. This vulnerability can be exploited by authenticated users to gain root privilege or by a malicious server exploiting a client with this bug. last seen 2018-07-10 modified 2018-07-09 plugin id 14956 published 2004-09-29 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=14956 title Debian DSA-119-1 : ssh -- local root exploit, remote client exploit NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2002-019.NASL description Joost Pol found a bug in the channel code of all versions of OpenSSH from 2.0 to 3.0.2. This bug can allow authenticated users with an existing account on the vulnerable system to obtain root privilege or by a malicious server attacking a vulnerable client. OpenSSH 3.1 is not vulnerable to this problem. The provided packages fix this vulnerability. last seen 2020-06-01 modified 2020-06-02 plugin id 13927 published 2004-07-31 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/13927 title Mandrake Linux Security Advisory : openssh (MDKSA-2002:019) NASL family Misc. NASL id SUNSSH_PLAINTEXT_RECOVERY.NASL description The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them. last seen 2020-06-01 modified 2020-06-02 plugin id 55992 published 2011-08-29 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/55992 title SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure NASL family Misc. NASL id OPENSSH_301.NASL description According to its banner, the remote host appears to be running OpenSSH version 3.0.1 or older. Such versions are reportedly affected by multiple flaws : - Provided KerberosV is enabled (disabled by default), it may be possible for an attacker to partially authenticate. - It may be possible to crash the daemon due to a excessive memory clearing bug. last seen 2020-06-01 modified 2020-06-02 plugin id 10802 published 2001-11-20 reporter This script is Copyright (C) 2001-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/10802 title OpenSSH < 3.0.1 Multiple Flaws
Redhat
advisories |
|
References
- ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:13.openssh.asc
- ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:13.openssh.asc
- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-004.txt.asc
- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-004.txt.asc
- ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.10/CSSA-2002-SCO.10.txt
- ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.10/CSSA-2002-SCO.10.txt
- ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.11/CSSA-2002-SCO.11.txt
- ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.11/CSSA-2002-SCO.11.txt
- http://archives.neohapsis.com/archives/bugtraq/2002-03/0108.html
- http://archives.neohapsis.com/archives/bugtraq/2002-03/0108.html
- http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0060.html
- http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0060.html
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000467
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000467
- http://marc.info/?l=bugtraq&m=101552065005254&w=2
- http://marc.info/?l=bugtraq&m=101552065005254&w=2
- http://marc.info/?l=bugtraq&m=101553908201861&w=2
- http://marc.info/?l=bugtraq&m=101553908201861&w=2
- http://marc.info/?l=bugtraq&m=101561384821761&w=2
- http://marc.info/?l=bugtraq&m=101561384821761&w=2
- http://marc.info/?l=bugtraq&m=101586991827622&w=2
- http://marc.info/?l=bugtraq&m=101586991827622&w=2
- http://online.securityfocus.com/advisories/3960
- http://online.securityfocus.com/advisories/3960
- http://online.securityfocus.com/archive/1/264657
- http://online.securityfocus.com/archive/1/264657
- http://www.calderasystems.com/support/security/advisories/CSSA-2002-012.0.txt
- http://www.calderasystems.com/support/security/advisories/CSSA-2002-012.0.txt
- http://www.debian.org/security/2002/dsa-119
- http://www.debian.org/security/2002/dsa-119
- http://www.iss.net/security_center/static/8383.php
- http://www.iss.net/security_center/static/8383.php
- http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-019.php
- http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-019.php
- http://www.linuxsecurity.com/advisories/other_advisory-1937.html
- http://www.linuxsecurity.com/advisories/other_advisory-1937.html
- http://www.novell.com/linux/security/advisories/2002_009_openssh_txt.html
- http://www.novell.com/linux/security/advisories/2002_009_openssh_txt.html
- http://www.openbsd.org/advisories/ssh_channelalloc.txt
- http://www.openbsd.org/advisories/ssh_channelalloc.txt
- http://www.osvdb.org/730
- http://www.osvdb.org/730
- http://www.redhat.com/support/errata/RHSA-2002-043.html
- http://www.redhat.com/support/errata/RHSA-2002-043.html
- http://www.securityfocus.com/bid/4241
- http://www.securityfocus.com/bid/4241