Vulnerabilities > CVE-2002-0656 - Buffer Overflow vulnerability in OpenSSL SSLv3 Session ID

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
openssl
oracle
apple
nessus
exploit available

Summary

Buffer overflows in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allow remote attackers to execute arbitrary code via (1) a large client master key in SSL2 or (2) a large session ID in SSL3.

Exploit-Db

  • descriptionOpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow Vulnerability (2). CVE-2002-0656. Remote exploit for unix platform
    idEDB-ID:21672
    last seen2016-02-02
    modified2002-07-30
    published2002-07-30
    reporterspabam
    sourcehttps://www.exploit-db.com/download/21672/
    titleOpenSSL SSLv2 - Malformed Client Key Remote Buffer Overflow Vulnerability 2
  • descriptionOpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow Vulnerability (1). CVE-2002-0656. Remote exploit for unix platform
    idEDB-ID:21671
    last seen2016-02-02
    modified2002-07-30
    published2002-07-30
    reporterspabam
    sourcehttps://www.exploit-db.com/download/21671/
    titleOpenSSL SSLv2 - Malformed Client Key Remote Buffer Overflow Vulnerability 1
  • descriptionApache/mod_ssl OpenSSL < 0.9.6d / < 0.9.7-beta2 - 'openssl-too-open.c' SSL2 KEY_ARG Overflow Exploit. CVE-2002-0656. Remote exploit for Unix platform
    idEDB-ID:40347
    last seen2016-09-08
    modified2002-09-17
    published2002-09-17
    reporterSolar Eclipse
    sourcehttps://www.exploit-db.com/download/40347/
    titleApache/mod_ssl OpenSSL < 0.9.6d / < 0.9.7-beta2 - 'openssl-too-open.c' SSL2 KEY_ARG Overflow Exploit

Nessus

  • NASL familyGain a shell remotely
    NASL idOPENSSL_OVERFLOW_GENERIC_TEST.NASL
    descriptionThe remote service seems to be using a version of OpenSSL that is older than 0.9.6e or 0.9.7-beta3. Such versions are affected by a buffer overflow that may allow an attacker to execute arbitrary commands on the remote host with the privileges of the application itself.
    last seen2020-03-18
    modified2002-08-05
    plugin id11060
    published2002-08-05
    reporterThis script is Copyright (C) 2002-2018 Solar Eclipse / Renaud Deraison
    sourcehttps://www.tenable.com/plugins/nessus/11060
    titleOpenSSL < 0.9.6e / 0.9.7b3 Multiple Remote Vulnerabilities
    code
    #TRUSTED 0c735fb6d18b92e7dc463c39c93d50b398065651cd7c0ed318a5d1d34834031824c3a22050ca6e31fbcc01030a07f38ce398a73c4434f40cb325e945345c784571586ec7573bbad8187a83596ed8318eaf6fbe29658c28bbe29b37b708585e162f200a9dc8e3bb88b92c4ed92cc2ba1f3a809c28160e7ce5f02d05b54fe911864cb36397a0a6c7db4ce53e6c12d096326a0b0727e3f007c5b916a75245b03a0c89887f2a18c581d7a4c49d88672878280dc6da584f38fcfb32d39750cece204f7a4cdd4d8e5a18bc563660825d4db1ee613352088fdc75b46c9dade84128772db6b409a5b09ed95b3156e4175c6d66dea8e2f1aa3db4e4c723621cec8449ba4b4869188c9e4687fd548a2c19c20bfc66382490a21d71e882380baf0c6c9b33b4382c5ce2683444bf2988676a4abe4e2865c6782ef082ebcf0ad497a1cc0c9cb35128ba8c71af2eb86b143e720d1e461e6556cd4385e503f30cea015f9d8bbaf86087917e85775f1a89b32e0323aab41988798789ba048a32d1fda6103fee96f4c882cd51ed5020991e252eee40c145fcce7c754df18a8cac345a4b4d20a503ac645e70005c5f48de74f07b68ac07b51bb6d8c05de995db8b389dce0ca9e57291b3e43a0218c94628387c12c67ba32cf4beff50a54372c43eab3040569ff783cba5fbb9ed40b3996e373be2aeec209568a4832fd3fe0d490a0857f942f69a71b9
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # Thanks to Solar Eclipse <[email protected]>, who did most
    # of the work.
    #
    # Will incidentally cover CVE-2001-1141 and CVE-2000-0535
    #
    
    
    include("compat.inc");
    
    if (description)
    {
     script_id(11060);
     script_version("1.61");
     script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
    
     script_cve_id(
      "CVE-2000-0535",
      "CVE-2001-1141",
      "CVE-2002-0655",
      "CVE-2002-0656",
      "CVE-2002-0657",
      "CVE-2002-0659"
     );
     script_bugtraq_id(1340, 3004, 5361, 5362, 5363, 5364, 5366);
     script_xref(name:"SuSE", value:"SUSE-SA:2002:033");
    
     script_name(english:"OpenSSL < 0.9.6e / 0.9.7b3 Multiple Remote Vulnerabilities");
     script_summary(english:"Checks for the behavior of OpenSSL");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote service uses a library that is affected by a buffer
    overflow vulnerability.");
     script_set_attribute(attribute:"description", value:
    "The remote service seems to be using a version of OpenSSL that is
    older than 0.9.6e or 0.9.7-beta3.
    
    Such versions are affected by a buffer overflow that may allow an
    attacker to execute arbitrary commands on the remote host with the
    privileges of the application itself.");
     script_set_attribute(attribute:"solution", value:"Upgrade to OpenSSL version 0.9.6e / 0.9.7beta3 or later.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploit_framework_core", value:"true");
     script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
     script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
     script_set_attribute(attribute:"plugin_publication_date", value:"2002/08/05");
     script_set_attribute(attribute:"patch_publication_date", value:"2002/07/30");
     script_set_attribute(attribute:"vuln_publication_date", value:"2001/07/10");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:openssl:openssl");
     script_end_attributes();
    
     script_category(ACT_MIXED_ATTACK);
     script_copyright(english:"This script is Copyright (C) 2002-2020 Solar Eclipse / Renaud Deraison");
     script_family(english:"Gain a shell remotely");
     script_dependencies("ssl_supported_versions.nasl");
     script_require_keys("SSL/Supported");
    
     exit(0);
    }
    
    include("byte_func.inc");
    include("ftp_func.inc");
    include("global_settings.inc");
    include("kerberos_func.inc");
    include("ldap_func.inc");
    include("misc_func.inc");
    include("nntp_func.inc");
    include("smtp_func.inc");
    include("ssl_funcs.inc");
    include("telnet2_func.inc");
    
    if ( safe_checks() && report_paranoia < 2 ) exit(0);
    
    #------------------------------ Consts ----------------------#
    client_hello = raw_string(
    0x80, 0x31, 0x01, 0x00,
    0x02,  0x00, 0x18,0x00,
    0x00,  0x00, 0x10,0x07,
    0x00, 0xC0, 0x05, 0x00,
    0x80, 0x03, 0x00, 0x80,
    0x01, 0x00, 0x80, 0x08,
    0x00, 0x80, 0x06, 0x00,
    0x40, 0x04, 0x00, 0x80,
    0x02, 0x00, 0x80, 0xE4,
    0xBD, 0x00, 0x00, 0xA4,
    0x41, 0xB6, 0x74, 0x71,
    0x2B, 0x27, 0x95, 0x44,
    0xC0, 0x3D, 0xC0);
    
    
    poison = raw_string(
    0x80,0x5a,0x2,0x7,
    0x0,0xc0,0x0,0x0,
    0x0,0x40,0x0,0x10,
    0x19,0x53,0xf,0x55,
    0x5e,0xaa,0x68,0x71,
    0x3,0x27,0x4,0x5a,
    0x1f,0x5,0xea,0x33,
    0x29,0x5b,0xb9,0x3f,
    0x7d,0x28,0xe6,0x4c,
    0xd4,0xb3,0x8e,0x36,
    0x44,0xb5,0x86,0x6c,
    0x6c,0x6,0xc1,0x5c,
    0x45,0x73,0xb8,0x11,
    0x55,0x23,0x3e,0x2a,
    0x52,0xe0,0x52,0x30,
    0xda,0xf8,0xee,0x15,
    0x79,0xe1,0x3c,0x68,
    0x36,0xd1,0x14,0x26,
    0xae,0xd4,0x30,0x2,
    0x0,0x0,0x0,0x0,
    0x4,0x0,0x0,0x0,
    0x41,0x41,0x41,0x41,
    0x41,0x41,0x41,0x41);
    
    
    big_poison = raw_string(
    0x81, 0xca, 0x2, 0x7,
    0x0, 0xc0, 0x0, 0x0,
    0x0, 0x40, 0x1, 0x80,
    0xa4, 0x20, 0xb4, 0x44,
    0xd, 0xe, 0x7c, 0x5,
    0xc2, 0x21, 0x28, 0x4d,
    0xd3, 0xab, 0x6b, 0x72,
    0x10, 0xa3, 0x64, 0x7e,
    0x9, 0x7e, 0xe8, 0x28,
    0xe, 0x98, 0x5a, 0x5,
    0x2f, 0x32, 0xbb, 0xa,
    0x3c, 0xe0, 0x58, 0x5a,
    0xc5, 0xf1, 0x91, 0x36,
    0x1a, 0x27, 0x2c, 0x37,
    0x4b, 0xc2, 0xd2, 0x49,
    0x28, 0xc4, 0xf1, 0x76,
    0x41, 0xe5, 0xa4, 0x2d,
    0xe6, 0x9a, 0x55, 0x7e,
    0x27, 0x38, 0x89, 0x13,
    0x0, 0x0, 0x0, 0x0,
    0x4, 0x0, 0x0, 0x0,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41);
    
    
    
    #-------- The code. We need the check what happens on each port ------------#
    
    moderate_report =
    "Note that since safe checks are enabled, this check might be fooled by
    non-openssl implementations and produce a false positive.
    In doubt, re-execute the scan without the safe checks";
    
    get_kb_item_or_exit("SSL/Supported");
    
    port = get_ssl_ports(fork:TRUE);
    if (isnull(port))
      exit(1, "The host does not appear to have any SSL-based services.");
    
    # Find out if the port is open.
    if (!get_port_state(port))
      exit(0, "Port " + port + " is not open.");
    
    # Connect to the port, issuing the StartTLS command if necessary.
    soc = open_sock_ssl(port);
    if (!soc)
      exit(1, "open_sock_ssl() returned NULL for port " + port + ".");
    
    send(socket:soc, data:client_hello);
    buf = recv(socket:soc, length:8192);
    if(!strlen(buf))exit(0);
    send(socket:soc, data:poison);
    buf = recv(socket:soc, length:10);
    close(soc);
    if(safe_checks())
    {
    if(strlen(buf) > 5)security_hole(port:port, extra: moderate_report);
    }
    else
    {
     if(strlen(buf) > 5)
     {
      # Connect to the port, issuing the StartTLS command if necessary.
      soc = open_sock_ssl(port);
      if (!soc)
        exit(1, "open_sock_ssl() returned NULL for port " + port + ".");
    
      send(socket:soc, data:client_hello);
      buf = recv(socket:soc, length:8192);
      if(!strlen(buf))exit(0);
      n = send(socket:soc, data:big_poison);
      if ( n != strlen(big_poison) ) exit(0);
    
      buf = recv(socket:soc, length:4096);
      close(soc);
      if(strlen(buf) == 0)security_hole(port);
     }
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-136.NASL
    descriptionThe OpenSSL development team has announced that a security audit by A.L. Digital Ltd and The Bunker, under the DARPA CHATS program, has revealed remotely exploitable buffer overflow conditions in the OpenSSL code. Additionally, the ASN1 parser in OpenSSL has a potential DoS attack independently discovered by Adi Stav and James Yonan. CAN-2002-0655 references overflows in buffers used to hold ASCII representations of integers on 64 bit platforms. CAN-2002-0656 references buffer overflows in the SSL2 server implementation (by sending an invalid key to the server) and the SSL3 client implementation (by sending a large session id to the client). The SSL2 issue was also noticed by Neohapsis, who have privately demonstrated exploit code for this issue. CAN-2002-0659 references the ASN1 parser DoS issue. These vulnerabilities have been addressed for Debian 3.0 (woody) in openssl094_0.9.4-6.woody.2, openssl095_0.9.5a-6.woody.1 and openssl_0.9.6c-2.woody.1. These vulnerabilities are also present in Debian 2.2 (potato). Fixed packages are available in openssl094_0.9.4-6.potato.2 and openssl_0.9.6c-0.potato.4. A worm is actively exploiting this issue on internet-attached hosts; we recommend you upgrade your OpenSSL as soon as possible. Note that you must restart any daemons using SSL. (E.g., ssh or ssl-enabled apache.) If you are uncertain which programs are using SSL you may choose to reboot to ensure that all running daemons are using the new libraries.
    last seen2020-06-01
    modified2020-06-02
    plugin id14973
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14973
    titleDebian DSA-136-1 : openssl - multiple remote exploits
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-136. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14973);
      script_version("1.28");
      script_cvs_date("Date: 2019/08/02 13:32:16");
    
      script_cve_id("CVE-2002-0655", "CVE-2002-0656", "CVE-2002-0657", "CVE-2002-0659", "CVE-2005-1730");
      script_bugtraq_id(5353, 5361, 5362, 5363, 5364, 5366);
      script_xref(name:"DSA", value:"136");
    
      script_name(english:"Debian DSA-136-1 : openssl - multiple remote exploits");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The OpenSSL development team has announced that a security audit by
    A.L. Digital Ltd and The Bunker, under the DARPA CHATS program, has
    revealed remotely exploitable buffer overflow conditions in the
    OpenSSL code. Additionally, the ASN1 parser in OpenSSL has a potential
    DoS attack independently discovered by Adi Stav and James Yonan.
    
    CAN-2002-0655 references overflows in buffers used to hold ASCII
    representations of integers on 64 bit platforms. CAN-2002-0656
    references buffer overflows in the SSL2 server implementation (by
    sending an invalid key to the server) and the SSL3 client
    implementation (by sending a large session id to the client). The SSL2
    issue was also noticed by Neohapsis, who have privately demonstrated
    exploit code for this issue. CAN-2002-0659 references the ASN1 parser
    DoS issue.
    
    These vulnerabilities have been addressed for Debian 3.0 (woody) in
    openssl094_0.9.4-6.woody.2, openssl095_0.9.5a-6.woody.1 and
    openssl_0.9.6c-2.woody.1.
    
    These vulnerabilities are also present in Debian 2.2 (potato). Fixed
    packages are available in openssl094_0.9.4-6.potato.2 and
    openssl_0.9.6c-0.potato.4.
    
    A worm is actively exploiting this issue on internet-attached hosts;
    we recommend you upgrade your OpenSSL as soon as possible. Note that
    you must restart any daemons using SSL. (E.g., ssh or ssl-enabled
    apache.) If you are uncertain which programs are using SSL you may
    choose to reboot to ensure that all running daemons are using the new
    libraries."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2002/dsa-136"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Upgrade the affected openssl package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:openssl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/07/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/07/30");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"2.2", prefix:"libssl-dev", reference:"0.9.6c-0.potato.4")) flag++;
    if (deb_check(release:"2.2", prefix:"libssl0.9.6", reference:"0.9.6c-0.potato.4")) flag++;
    if (deb_check(release:"2.2", prefix:"libssl09", reference:"0.9.4-6.potato.2")) flag++;
    if (deb_check(release:"2.2", prefix:"openssl", reference:"0.9.6c-0.potato.4")) flag++;
    if (deb_check(release:"2.2", prefix:"ssleay", reference:"0.9.6c-0.potato.3")) flag++;
    if (deb_check(release:"3.0", prefix:"libssl-dev", reference:"0.9.6c-2.woody.1")) flag++;
    if (deb_check(release:"3.0", prefix:"libssl0.9.6", reference:"0.9.6c-2.woody.1")) flag++;
    if (deb_check(release:"3.0", prefix:"libssl09", reference:"0.9.4-6.woody.1")) flag++;
    if (deb_check(release:"3.0", prefix:"libssl095a", reference:"0.9.5a-6.woody.1")) flag++;
    if (deb_check(release:"3.0", prefix:"openssl", reference:"0.9.6c-2.woody.1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2002-157.NASL
    descriptionUpdated OpenSSL packages are available which fix several serious buffer overflow vulnerabilities. OpenSSL is a commercial-grade, full-featured, and Open Source toolkit which implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. A security audit of the OpenSSL code sponsored by DARPA found several buffer overflows in OpenSSL which affect versions 0.9.7 and 0.9.6d and earlier : 1. The master key supplied by a client to an SSL version 2 server could be oversized, causing a stack-based buffer overflow. This issue is remotely exploitable. Services that have SSLv2 disabled would not be vulnerable to this issue. (CVE-2002-0656) 2. The SSLv3 session ID supplied to a client from a malicious server could be oversized and overrun a buffer. This issue looks to be remotely exploitable. (CVE-2002-0656) 3. Various buffers used for storing ASCII representations of integers were too small on 64 bit platforms. This issue may be exploitable. (CVE-2002-0655) A further issue was found in OpenSSL 0.9.7 that does not affect versions of OpenSSL shipped with Red Hat Linux (CVE-2002-0657). A large number of applications within Red Hat Linux make use the OpenSSL library to provide SSL support. All users are therefore advised to upgrade to the errata OpenSSL packages, which contain patches to correct these vulnerabilities. NOTE : Please read the Solution section below as it contains instructions for making sure that all SSL-enabled processes are restarted after the update is applied. Thanks go to the OpenSSL team and Ben Laurie for providing patches for these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id12315
    published2004-07-06
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/12315
    titleRHEL 2.1 : openssl (RHSA-2002:157)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2002-046.NASL
    descriptionAn audit of the OpenSSL code by A.L. Digital Ltd and The Bunker, under the DARPA program CHATS, discovered a number of vulnerabilities in the OpenSSL code that are all potentially remotely exploitable. From the OpenSSL advisory : 1. The client master key in SSL2 could be oversized and overrun a buffer. This vulnerability was also independently discovered by consultants at Neohapsis (http://www.neohapsis.com/) who have also demonstrated that the vulerability is exploitable. Exploit code is NOT available at this time. 2. The session ID supplied to a client in SSL3 could be oversized and overrun a buffer. 3. The master key supplied to an SSL3 server could be oversized and overrun a stack-based buffer. This issues only affects OpenSSL 0.9.7 with Kerberos enabled. 4. Various buffers for ASCII representations of integers were too small on 64 bit platforms. At the same time, various potential buffer overflows have had assertions added; these are not known to be exploitable. Finally, a vulnerability was found by Adi Stav and James Yonan independently in the ASN1 parser which can be confused by supplying it with certain invalid encodings. There are no known exploits for this vulnerability. All of these vulnerabilities are fixed in OpenSSL 0.9.6f. Patches have been applied to the versions of OpenSSL provided in this update to fix all of these problems, except for the ASN1 vulnerability, which a fix will be provided for once MandrakeSoft has had a chance to QA the new packages. In the meantime, it is is strongly encouraged that all users upgrade to these OpenSSL packages. Update : These new OpenSSL packages are available to additionally fix the ASN1 vulnerability described above. All Mandrake Linux users are encouraged to upgrade to these new packages.
    last seen2020-06-01
    modified2020-06-02
    plugin id13949
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13949
    titleMandrake Linux Security Advisory : openssl (MDKSA-2002:046-1)
  • NASL familyWeb Servers
    NASL idORACLE_APPLICATION_SERVER_PCI.NASL
    descriptionThe remote host is running Oracle Application Server. It was not possible to determine its version, so the version of Oracle Application Server installed on the remote host could potentially be affected by multiple vulnerabilities : - CVE-2000-0169: Remote command execution in the web listener component. - CVE-2000-1235: Information disclosure in the port listener component and modplsql. - CVE-2000-1236: SQL injection in mod_sql. - CVE-2001-0326: Information disclosure in the Java Virtual Machine. - CVE-2001-0419: Buffer overflow in ndwfn4.so. - CVE-2001-0591: Directory traversal. - CVE-2001-1216: Buffer overflow in the PL/SQL Apache module. - CVE-2001-1217: Directory traversal vulnerability in the PL/SQL Apache module. - CVE-2001-1371: Improper access control in the SOAP service. - CVE-2001-1372: Information disclosure. - CVE-2002-0386: Denial of service through the administration module for Oracle Web Cache. - CVE-2002-0559: Buffer overflows in the PL/SQL module. - CVE-2002-0560: Information disclosure in the PL/SQL module. - CVE-2002-0561: Authentication bypass in the PL/SQL Gateway web administration interface. - CVE-2002-0562: Information disclosure through globals.jsa. - CVE-2002-0563: Improper access control on several services. - CVE-2002-0564: Authentication bypass in the PL/SQL module. - CVE-2002-0565: Information disclosure through JSP files in the _pages directory. - CVE-2002-0566: Denial of service in the PL/SQL module. - CVE-2002-0568: Improper access control on XSQLConfig.xml and soapConfig.xml. - CVE-2002-0569: Authentication bypass through XSQLServlet. - CVE-2002-0655: Denial of service in OpenSSL. - CVE-2002-0656: Buffer overflows in OpenSSL. - CVE-2002-0659: Denial of service in OpenSSL. - CVE-2002-0840: Cross-site scripting in the default error page of Apache. - CVE-2002-0842: Format string vulnerability in mod_dav. - CVE-2002-0843: Buffer overflows in ApacheBench. - CVE-2002-0947: Buffer overflow in rwcgi60. - CVE-2002-1089: Information disclosure in rwcgi60. - CVE-2002-1630: Improper access control on sendmail.jsp. - CVE-2002-1631: SQL injection in query.xsql. - CVE-2002-1632: Information disclosure through several JSP pages. - CVE-2002-1635: Information disclosure in Apache. - CVE-2002-1636: Cross-site scripting in the htp PL/SQL package. - CVE-2002-1637: Default credentials in multiple components. - CVE-2002-1858: Information disclosure through the WEB-INF directory. - CVE-2002-2153: Format string vulnerability in the administrative pages of the PL/SQL module. - CVE-2002-2345: Credential leakage in the web cache administrator interface. - CVE-2002-2347: Cross-site scripting in several JSP pages. - CVE-2004-1362: Authentication bypass in the PL/SQL module. - CVE-2004-1363: Buffer overflow in extproc. - CVE-2004-1364: Directory traversal in extproc. - CVE-2004-1365: Command execution in extproc. - CVE-2004-1366: Improper access control on emoms.properties. - CVE-2004-1367: Credential leakage in Database Server. - CVE-2004-1368: Arbitrary file execution in ISQL*Plus. - CVE-2004-1369: Denial of service in TNS Listener. - CVE-2004-1370: Multiple SQL injection vulnerabilities in PL/SQL. - CVE-2004-1371: Stack-based buffer overflow. - CVE-2004-1707: Privilege escalation in dbsnmp and nmo. - CVE-2004-1774: Buffer overflow in the MD2 package. - CVE-2004-1877: Phishing vulnerability in Single Sign-On component. - CVE-2004-2134: Weak cryptography for passwords in the toplink mapping workBench. - CVE-2004-2244: Denial of service in the XML parser. - CVE-2005-1383: Authentication bypass in HTTP Server. - CVE-2005-1495: Detection bypass. - CVE-2005-1496: Privilege escalation in the DBMS_Scheduler. - CVE-2005-2093: Web cache poisoning. - CVE-2005-3204: Cross-site scripting. - CVE-2005-3445: Multiple unspecified vulnerabilities in HTTP Server. - CVE-2005-3446: Unspecified vulnerability in Internet Directory. - CVE-2005-3447: Unspecified vulnerability in Single Sign-On. - CVE-2005-3448: Unspecified vulnerability in the OC4J module. - CVE-2005-3449: Multiple unspecified vulnerabilities in multiple components. - CVE-2005-3450: Unspecified vulnerability in HTTP Server. - CVE-2005-3451: Unspecified vulnerability in SQL*ReportWriter. - CVE-2005-3452: Unspecified vulnerability in Web Cache. - CVE-2005-3453: Multiple unspecified vulnerabilities in Web Cache. - CVE-2006-0273: Unspecified vulnerability in the Portal component. - CVE-2006-0274: Unspecified vulnerability in the Oracle Reports Developer component. - CVE-2006-0275: Unspecified vulnerability in the Oracle Reports Developer component. - CVE-2006-0282: Unspecified vulnerability. - CVE-2006-0283: Unspecified vulnerability. - CVE-2006-0284: Multiple unspecified vulnerabilities. - CVE-2006-0285: Unspecified vulnerability in the Java Net component. - CVE-2006-0286: Unspecified vulnerability in HTTP Server. - CVE-2006-0287: Unspecified vulnerability in HTTP Server. - CVE-2006-0288: Multiple unspecified vulnerabilities in the Oracle Reports Developer component. - CVE-2006-0289: Multiple unspecified vulnerabilities. - CVE-2006-0290: Unspecified vulnerability in the Oracle Workflow Cartridge component. - CVE-2006-0291: Multiple unspecified vulnerabilities in the Oracle Workflow Cartridge component. - CVE-2006-0435: Unspecified vulnerability in Oracle PL/SQL. - CVE-2006-0552: Unspecified vulnerability in the Net Listener component. - CVE-2006-0586: Multiple SQL injection vulnerabilities. - CVE-2006-1884: Unspecified vulnerability in the Oracle Thesaurus Management System component. - CVE-2006-3706: Unspecified vulnerability in Oracle Containers for J2EE. - CVE-2006-3707: Unspecified vulnerability in Oracle Containers for J2EE. - CVE-2006-3708: Unspecified vulnerability in Oracle Containers for J2EE. - CVE-2006-3709: Unspecified vulnerability in Oracle Containers for J2EE. - CVE-2006-3710: Unspecified vulnerability in Oracle Containers for J2EE. - CVE-2006-3711: Unspecified vulnerability in Oracle Containers for J2EE. - CVE-2006-3712: Unspecified vulnerability in Oracle Containers for J2EE. - CVE-2006-3713: Unspecified vulnerability in Oracle Containers for J2EE. - CVE-2006-3714: Unspecified vulnerability in Oracle Containers for J2EE. - CVE-2006-5353: Unspecified vulnerability in HTTP Server. - CVE-2006-5354: Unspecified vulnerability in HTTP Server. - CVE-2006-5355: Unspecified vulnerability in Single Sign-On. - CVE-2006-5356: Unspecified vulnerability in Oracle Containers for J2EE. - CVE-2006-5357: Unspecified vulnerability in HTTP Server. - CVE-2006-5358: Unspecified vulnerability in the Oracle Forms component. - CVE-2006-5359: Multiple unspecified vulnerabilities in Oracle Reports Developer component. - CVE-2006-5360: Unspecified vulnerability in Oracle Forms component. - CVE-2006-5361: Unspecified vulnerability in Oracle Containers for J2EE. - CVE-2006-5362: Unspecified vulnerability in Oracle Containers for J2EE. - CVE-2006-5363: Unspecified vulnerability in Single Sign-On. - CVE-2006-5364: Unspecified vulnerability in Oracle Containers for J2EE. - CVE-2006-5365: Unspecified vulnerability in Oracle Forms. - CVE-2006-5366: Multiple unspecified vulnerabilities. - CVE-2007-0222: Directory traversal vulnerability in EmChartBean. - CVE-2007-0275: Cross-site scripting vulnerability in Oracle Reports Web Cartridge (RWCGI60). - CVE-2007-0280: Buffer overflow in Oracle Notification Service. - CVE-2007-0281: Multiple unspecified vulnerabilities in HTTP Server. - CVE-2007-0282: Unspecified vulnerability in OPMN02. - CVE-2007-0283: Unspecified vulnerability in Oracle Containers for J2EE. - CVE-2007-0284: Multiple unspecified vulnerabilities in Oracle Containers for J2EE. - CVE-2007-0285: Unspecified vulnerability in Oracle Reports Developer. - CVE-2007-0286: Unspecified vulnerability in Oracle Containers for J2EE. - CVE-2007-0287: Unspecified vulnerability in Oracle Containers for J2EE. - CVE-2007-0288: Unspecified vulnerability in Oracle Internet Directory. - CVE-2007-0289: Multiple unspecified vulnerabilities in Oracle Containers for J2EE. - CVE-2007-1359: Improper access control in mod_security. - CVE-2007-1609: Cross-site scripting vulnerability in servlet/Spy in Dynamic Monitoring Services (DMS). - CVE-2007-2119: Cross-site scripting vulnerability in the Administration Front End for Oracle Enterprise (Ultra) Search. - CVE-2007-2120: Denial of service in the Oracle Discoverer servlet. - CVE-2007-2121: Unspecified vulnerability in the COREid Access component. - CVE-2007-2122: Unspecified vulnerability in the Wireless component. - CVE-2007-2123: Unspecified vulnerability in the Portal component. - CVE-2007-2124: Unspecified vulnerability in the Portal component. - CVE-2007-2130: Unspecified vulnerability in Workflow Cartridge. - CVE-2007-3553: Cross-site scripting vulnerability in Rapid Install Web Server. - CVE-2007-3854: Multiple unspecified vulnerabilities in the Advanced Queuing component and the Spatial component. - CVE-2007-3859: Unspecified vulnerability in the Oracle Internet Directory component. - CVE-2007-3861: Unspecified vulnerability in Oracle Jdeveloper. - CVE-2007-3862: Unspecified vulnerability in Single Sign-On. - CVE-2007-3863: Unspecified vulnerability in Oracle JDeveloper. - CVE-2007-5516: Unspecified vulnerability in the Oracle Process Mgmt & Notification component. - CVE-2007-5517: Unspecified vulnerability in the Oracle Portal component. - CVE-2007-5518: Unspecified vulnerability in HTTP Server. - CVE-2007-5519: Unspecified vulnerability in the Oracle Portal component. - CVE-2007-5520: Unspecified vulnerability in the Oracle Internet Directory component. - CVE-2007-5521: Unspecified vulnerability in Oracle Containers for J2EE. - CVE-2007-5522: Unspecified vulnerability in the Oracle Portal component. - CVE-2007-5523: Unspecified vulnerability in the Oracle Internet Directory component. - CVE-2007-5524: Unspecified vulnerability in Single Sign-On. - CVE-2007-5525: Unspecified vulnerability in Single Sign-On. - CVE-2007-5526: Unspecified vulnerability in the Oracle Portal component. - CVE-2007-5531: Unspecified vulnerability in Oracle Help for Web. - CVE-2008-0340: Multiple unspecified vulnerabilities in the Advanced Queuing component and Spatial component. - CVE-2008-0343: Unspecified vulnerability in the Oracle Spatial component. - CVE-2008-0344: Unspecified vulnerability in the Oracle Spatial component. - CVE-2008-0345: Unspecified vulnerability in the Core RDBMS component. - CVE-2008-0346: Unspecified vulnerability in the Oracle Jinitiator component. - CVE-2008-0347: Unspecified vulnerability in the Oracle Ultra Search component. - CVE-2008-0348: Multiple unspecified vulnerabilities in the PeopleTools component. - CVE-2008-0349: Unspecified vulnerability in the PeopleTools component. - CVE-2008-1812: Unspecified vulnerability in the Oracle Enterprise Manager component. - CVE-2008-1814: Unspecified vulnerability in the Oracle Secure Enterprise Search or Ultrasearch component. - CVE-2008-1823: Unspecified vulnerability in the Oracle Jinitiator component. - CVE-2008-1824: Unspecified vulnerability in the Oracle Dynamic Monitoring Service component. - CVE-2008-1825: Unspecified vulnerability in the Oracle Portal component. - CVE-2008-2583: Unspecified vulnerability in the sample Discussion Forum Portlet for the Oracle Portal component. - CVE-2008-2588: Unspecified vulnerability in the Oracle JDeveloper component. - CVE-2008-2589: Unspecified vulnerability in the Oracle Portal component. - CVE-2008-2593: Unspecified vulnerability in the Oracle Portal component. - CVE-2008-2594: Unspecified vulnerability in the Oracle Portal component. - CVE-2008-2595: Unspecified vulnerability in the Oracle Internet Directory component. - CVE-2008-2609: Unspecified vulnerability in the Oracle Portal component. - CVE-2008-2612: Unspecified vulnerability in the Hyperion BI Plus component. - CVE-2008-2614: Unspecified vulnerability in HTTP Server. - CVE-2008-2619: Unspecified vulnerability in the Oracle Reports Developer component. - CVE-2008-2623: Unspecified vulnerability in the Oracle JDeveloper component. - CVE-2008-3975: Unspecified vulnerability in the Oracle Portal component. - CVE-2008-3977: Unspecified vulnerability in the Oracle Portal component. - CVE-2008-3986: Unspecified vulnerability in the Oracle Discoverer Administrator component. - CVE-2008-3987: Unspecified vulnerability in the Oracle Discoverer Desktop component. - CVE-2008-4014: Unspecified vulnerability in the Oracle BPEL Process Manager component. - CVE-2008-4017: Unspecified vulnerability in the OC4J component. - CVE-2008-5438: Unspecified vulnerability in the Oracle Portal component. - CVE-2008-7233: Unspecified vulnerability in the Oracle Jinitiator component. - CVE-2009-0217: Signature spoofing vulnerability in multiple components. - CVE-2009-0989: Unspecified vulnerability in the BI Publisher component. - CVE-2009-0990: Unspecified vulnerability in the BI Publisher component. - CVE-2009-0994: Unspecified vulnerability in the BI Publisher component. - CVE-2009-1008: Unspecified vulnerability in the Outside In Technology component. - CVE-2009-1009: Unspecified vulnerability in the Outside In Technology component. - CVE-2009-1010: Unspecified vulnerability in the Outside In Technology component. - CVE-2009-1011: Unspecified vulnerability in the Outside In Technology component. - CVE-2009-1017: Unspecified vulnerability in the BI Publisher component. - CVE-2009-1976: Unspecified vulnerability in HTTP Server. - CVE-2009-1990: Unspecified vulnerability in the Business Intelligence Enterprise Edition component. - CVE-2009-1999: Unspecified vulnerability in the Business Intelligence Enterprise Edition component. - CVE-2009-3407: Unspecified vulnerability in the Portal component. - CVE-2009-3412: Unspecified vulnerability in the Unzip component. - CVE-2010-0066: Unspecified vulnerability in the Access Manager Identity Server component. - CVE-2010-0067: Unspecified vulnerability in the Oracle Containers for J2EE component. - CVE-2010-0070: Unspecified vulnerability in the Oracle Containers for J2EE component. - CVE-2011-0789: Unspecified vulnerability in HTTP Server. - CVE-2011-0795: Unspecified vulnerability in Single Sign-On. - CVE-2011-0884: Unspecified vulnerability in the Oracle BPEL Process Manager component. - CVE-2011-2237: Unspecified vulnerability in the Oracle Web Services Manager component. - CVE-2011-2314: Unspecified vulnerability in the Oracle Containers for J2EE component. - CVE-2011-3523: Unspecified vulnerability in the Oracle Web Services Manager component.
    last seen2020-06-01
    modified2020-06-02
    plugin id57619
    published2012-01-24
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/57619
    titleOracle Application Server Multiple Vulnerabilities
  • NASL familyWeb Servers
    NASL idOPENSSL_0_9_6E.NASL
    descriptionAccording to its banner, the remote server is running a version of OpenSSL that is earlier than 0.9.6e. Such versions have the following vulnerabilities : - On 64 bit architectures, these versions are vulnerable to a buffer overflow that leads to a denial of service. (CVE-2002-0655) - Buffer overflows allow a remote attacker to execute arbitrary code. (CVE-2002-0656) - A remote attacker can trigger a denial of service by sending invalid ASN.1 data. (CVE-2002-0659)
    last seen2020-06-01
    modified2020-06-02
    plugin id17746
    published2012-01-04
    reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/17746
    titleOpenSSL < 0.9.6e Multiple Vulnerabilities

Redhat

advisories
rhsa
idRHSA-2002:155