Vulnerabilities > CVE-2002-0639 - Integer Overflow or Wraparound vulnerability in Openbsd Openssh

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
openbsd
CWE-190
critical
nessus

Summary

Integer overflow in sshd in OpenSSH 2.9.9 through 3.3 allows remote attackers to execute arbitrary code during challenge response authentication (ChallengeResponseAuthentication) when OpenSSH is using SKEY or BSD_AUTH authentication.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2002-040.NASL
    descriptionAn input validation error exists in the OpenSSH server between versions 2.3.1 and 3.3 that can result in an integer overflow and privilege escalation. This error is found in the PAMAuthenticationViaKbdInt code in versions 2.3.1 to 3.3, and the ChallengeResponseAuthentication code in versions 2.9.9 to 3.3. OpenSSH 3.4 and later are not affected, and OpenSSH 3.2 and later prevent privilege escalation if UsePrivilegeSeparation is enabled; in OpenSSH 3.3 and higher this is the default behaviour of OpenSSH. To protect yourself, users should be using OpenSSH 3.3 with UsePrivilegeSeparation enabled (see MDKSA:2002-040). However, it is highly recommended that all Mandrake Linux users upgrade to version 3.4 which corrects these errors. There are a few caveats with this upgrade, however, that users should be aware of : - On Linux kernel 2.2 (the default for Mandrake Linux 7.x), the use of Compression and UsePrivilegeSeparation are mutually exclusive. You can use one feature or the other, not both; we recommend disabling Compression and using privsep until this can be resolved. - Using privsep may cause some PAM modules which expect to run with root privilege to fail. For instance, users will not be able to change their password if they attempt to log into an account with an expired password. If you absolutely must use one of these features that conflict with privsep, you can disable it in /etc/ssh/sshd_config by using : UsePrivilegeSeparation no However, if you do this, be sure you are running OpenSSH 3.4. Updates to OpenSSH will be made available once these problems are resolved.
    last seen2020-06-01
    modified2020-06-02
    plugin id13944
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13944
    titleMandrake Linux Security Advisory : openssh (MDKSA-2002:040-1)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2002:040. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(13944);
      script_version ("1.20");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      script_cve_id("CVE-2002-0639", "CVE-2002-0640");
      script_xref(name:"MDKSA", value:"2002:040-1");
    
      script_name(english:"Mandrake Linux Security Advisory : openssh (MDKSA-2002:040-1)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An input validation error exists in the OpenSSH server between
    versions 2.3.1 and 3.3 that can result in an integer overflow and
    privilege escalation. This error is found in the
    PAMAuthenticationViaKbdInt code in versions 2.3.1 to 3.3, and the
    ChallengeResponseAuthentication code in versions 2.9.9 to 3.3. OpenSSH
    3.4 and later are not affected, and OpenSSH 3.2 and later prevent
    privilege escalation if UsePrivilegeSeparation is enabled; in OpenSSH
    3.3 and higher this is the default behaviour of OpenSSH.
    
    To protect yourself, users should be using OpenSSH 3.3 with
    UsePrivilegeSeparation enabled (see MDKSA:2002-040). However, it is
    highly recommended that all Mandrake Linux users upgrade to version
    3.4 which corrects these errors.
    
    There are a few caveats with this upgrade, however, that users should
    be aware of :
    
      - On Linux kernel 2.2 (the default for Mandrake Linux
        7.x), the use of Compression and UsePrivilegeSeparation
        are mutually exclusive. You can use one feature or the
        other, not both; we recommend disabling Compression and
        using privsep until this can be resolved.
    
      - Using privsep may cause some PAM modules which expect to
        run with root privilege to fail. For instance, users
        will not be able to change their password if they
        attempt to log into an account with an expired password.
    
    If you absolutely must use one of these features that conflict with
    privsep, you can disable it in /etc/ssh/sshd_config by using :
    
    UsePrivilegeSeparation no
    
    However, if you do this, be sure you are running OpenSSH 3.4. Updates
    to OpenSSH will be made available once these problems are resolved."
      );
      # http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102495293705094&w=2
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=openssh-unix-dev&m=102495293705094&w=2"
      );
      # http://web.archive.org/web/20030218003736/http://online.securityfocus.com:80/archive/1/280070/2002-06-29/2002-07-05/0
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?e2bfc14c"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-askpass-gnome");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/07/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"openssh-3.4p1-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"openssh-askpass-3.4p1-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"openssh-askpass-gnome-3.4p1-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"openssh-clients-3.4p1-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"openssh-server-3.4p1-1.2mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"openssh-3.4p1-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"openssh-askpass-3.4p1-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"openssh-askpass-gnome-3.4p1-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"openssh-clients-3.4p1-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"openssh-server-3.4p1-1.2mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"openssh-3.4p1-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"openssh-askpass-3.4p1-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"openssh-askpass-gnome-3.4p1-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"openssh-clients-3.4p1-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"openssh-server-3.4p1-1.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"openssh-3.4p1-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"openssh-askpass-3.4p1-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"openssh-askpass-gnome-3.4p1-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"openssh-clients-3.4p1-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"openssh-server-3.4p1-1.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"openssh-3.4p1-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"openssh-askpass-3.4p1-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"openssh-askpass-gnome-3.4p1-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"openssh-clients-3.4p1-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"openssh-server-3.4p1-1.1mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMisc.
    NASL idSUNSSH_PLAINTEXT_RECOVERY.NASL
    descriptionThe version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.
    last seen2020-06-01
    modified2020-06-02
    plugin id55992
    published2011-08-29
    reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/55992
    titleSunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(55992);
      script_version("1.17");
      script_cvs_date("Date: 2018/07/31 17:27:54");
    
      script_cve_id(
        "CVE-2000-0525",
        "CVE-2000-1169",
        "CVE-2001-0361",
        "CVE-2001-0529",
        "CVE-2001-0572",
        "CVE-2001-0816",
        "CVE-2001-0872",
        "CVE-2001-1380",
        "CVE-2001-1382",
        "CVE-2001-1459",
        "CVE-2001-1507",
        "CVE-2001-1585",
        "CVE-2002-0083",
        "CVE-2002-0575",
        "CVE-2002-0639",
        "CVE-2002-0640",
        "CVE-2002-0765",
        "CVE-2003-0190",
        "CVE-2003-0386",
        "CVE-2003-0682",
        "CVE-2003-0693",
        "CVE-2003-0695",
        "CVE-2003-0786",
        "CVE-2003-0787",
        "CVE-2003-1562",
        "CVE-2004-0175",
        "CVE-2004-1653",
        "CVE-2004-2069",
        "CVE-2004-2760",
        "CVE-2005-2666",
        "CVE-2005-2797",
        "CVE-2005-2798",
        "CVE-2006-0225",
        "CVE-2006-4924",
        "CVE-2006-4925",
        "CVE-2006-5051",
        "CVE-2006-5052",
        "CVE-2006-5229",
        "CVE-2006-5794",
        "CVE-2007-2243",
        "CVE-2007-2768",
        "CVE-2007-3102",
        "CVE-2007-4752",
        "CVE-2008-1483",
        "CVE-2008-1657",
        "CVE-2008-3259",
        "CVE-2008-4109",
        "CVE-2008-5161"
      );
      script_bugtraq_id(32319);
      script_xref(name:"CERT", value:"958563");
    
      script_name(english:"SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure");
      script_summary(english:"Checks SSH banner");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The SSH service running on the remote host has an information
    disclosure vulnerability."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The version of SunSSH running on the remote host has an information
    disclosure vulnerability.  A design flaw in the SSH specification
    could allow a man-in-the-middle attacker to recover up to 32 bits of
    plaintext from an SSH-protected connection in the standard
    configuration.  An attacker could exploit this to gain access to
    sensitive information.
    
    Note that this version of SunSSH is also prone to several additional
    issues but Nessus did not test for them." );
    
      # http://web.archive.org/web/20090523091544/http://www.cpni.gov.uk/docs/vulnerability_advisory_ssh.txt
      script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?4984aeb9");
      # http://hub.opensolaris.org/bin/view/Community+Group+security/SSH#HHistoryofSunSSH
      script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?b679208a");
      script_set_attribute(attribute:"see_also",value:"http://blogs.oracle.com/janp/entry/on_sunssh_versioning");
      script_set_attribute(
        attribute:"solution",
        value:"Upgrade to SunSSH 1.1.1 / 1.3 or later"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(16, 20, 22, 189, 200, 255, 264, 287, 310, 362, 399);
      script_set_attribute(attribute:"vuln_publication_date",value:"2008/11/17");
      script_set_attribute(attribute:"patch_publication_date",value:"2008/12/11");
      script_set_attribute(attribute:"plugin_publication_date",value:"2011/08/29");
      script_set_attribute(attribute:"plugin_type",value:"remote");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_detect.nasl");
      script_require_ports("Services/ssh");
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Ensure the port is open.
    port = get_service(svc:"ssh", default:22, exit_on_fail:TRUE);
    
    # Get banner for service.
    banner = get_kb_item_or_exit("SSH/banner/" + port);
    
    # Check that we're using SunSSH.
    if ('sun_ssh' >!< tolower(banner))
      exit(0, "The SSH service on port " + port + " is not SunSSH.");
    
    # Check the version in the banner.
    match = eregmatch(string:banner, pattern:"sun_ssh[-_]([0-9.]+)$", icase:TRUE);
    if (isnull(match))
      exit(1, "Could not parse the version string from the banner on port " + port + ".");
    else
      version = match[1];
    
    # the Oracle (Sun) blog above explains how the versioning works. we could
    # probably explicitly check for each vulnerable version if it came down to it
    if (
      ver_compare(ver:version, fix:'1.1.1', strict:FALSE) == -1 ||
      version == '1.2'
    )
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Version source    : ' + banner +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : 1.1.1 / 1.3\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
    }
    else exit(0, "The SunSSH server on port "+port+" is not affected as it's version "+version+".");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-134.NASL
    descriptionISS X-Force released an advisory about an OpenSSH
    last seen2020-06-01
    modified2020-06-02
    plugin id14971
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14971
    titleDebian DSA-134-4 : ssh - remote exploit
  • NASL familyGain a shell remotely
    NASL idOPENSSH_33.NASL
    descriptionAccording to its banner, the remote host appears to be running OpenSSH version 3.4 or older. Such versions are reportedly affected by multiple flaws. An attacker may exploit these vulnerabilities to gain a shell on the remote system. Note that several distributions patched this hole without changing the version number of OpenSSH. Since Nessus solely relied on the banner of the remote SSH server to perform this check, this might be a false positive. If you are running a RedHat host, make sure that the command : rpm -q openssh-server Returns : openssh-server-3.1p1-6
    last seen2020-06-01
    modified2020-06-02
    plugin id11031
    published2002-06-25
    reporterThis script is Copyright (C) 2002-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/11031
    titleOpenSSH < 3.4 Multiple Remote Overflows

Statements

contributorMark J Cox
lastmodified2008-05-15
organizationRed Hat
statementNot vulnerable. This issue did not affect the versions of OpenSSH as shipped with Red Hat Enterprise Linux 3 or later. This issue did not affect the OpenSSL packages as shipped with Red Hat Enterprise Linux 2.1 as they were not compiled with S/Key or BSD_AUTH support. The upstream patch for this issue and CVE-2002-0640 was included in an errata so that users recompiling OpenSSL with support for those authentication methods would also be protected: https://rhn.redhat.com/errata/RHSA-2002-131.html

References