Vulnerabilities > CVE-2002-0765 - Authentication Implementation Error vulnerability in Openbsd and Openssh

#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(44072);
  script_version("1.5");
  script_cvs_date("Date: 2018/11/15 20:50:22");

  script_cve_id("CVE-2002-0765");
  script_bugtraq_id(4803);

  script_name(english:"OpenSSH < 3.2.3 YP Netgroups Authentication Bypass");
  script_summary(english:"Checks SSH banner");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SSH server has an authentication bypass vulnerability."
  );
  script_set_attribute(
    attribute:"description",
    value:
"According to its banner, the version of OpenSSH running on the remote
host is older than 3.2.3.  It therefore may be affected by an
authentication bypass issue.  On systems using YP with netgroups, sshd
authenticates users via ACL by checking for the requested username and
password.  Under certain conditions when doing ACL checks, it may
instead use the password entry of a different user for authentication. 
This means unauthorized users could authenticate successfully, and
authorized users could be locked out."
  );
  script_set_attribute(attribute:"see_also",value:"http://monkey.org/openbsd/archive/bugs/0205/msg00141.html");
  script_set_attribute(attribute:"see_also",value:"https://www.openssh.com/txt/release-3.2.3");
  script_set_attribute(attribute:"see_also",value:"http://www.openbsd.org/errata31.html#sshbsdauth");
  script_set_attribute(
    attribute:"solution",
    value:"Upgrade to OpenSSH 3.2.3 or later."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2002/05/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2002/05/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/10/04");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Gain a shell remotely");

  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

  script_dependencies("ssh_detect.nasl");
  script_require_ports("Services/ssh");

  exit(0);
}

include("backport.inc");
include("global_settings.inc");
include("misc_func.inc");

port = get_service(svc:"ssh", exit_on_fail:TRUE);

banner = get_kb_item_or_exit("SSH/banner/"+port);
bp_banner = tolower(get_backport_banner(banner:banner));
if ("openssh" >!< bp_banner) exit(0, "The SSH service on port "+port+" is not OpenSSH.");
if (backported) exit(1, "The banner from the OpenSSH server on port "+port+" indicates patches may have been backported.");

# Check the version in the backported banner.
match = eregmatch(string:bp_banner, pattern:"openssh[-_]([0-9][-._0-9a-z]+)");
if (isnull(match)) exit(1, "Could not parse the version string in the banner from port "+port+".");
version = match[1];

match = eregmatch(string:version, pattern:'^([0-9.]+)');
if (isnull(match)) # this should never happen due to the previous eregmatch() call, but let's code defensively anyway
  exit(1, 'Failed to parse the version (' + version + ') of the service listening on port '+port+'.');

ver = split(match[1], sep:'.', keep:FALSE);
fix = '3.2.3';

if (ver_compare(ver:ver, fix:fix, strict:FALSE) == -1)
{
  if (report_verbosity > 0)
  {
    report =
      '\n  Version source    : ' + banner +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : ' + fix + '\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
  exit(0);
}
else exit(0, "The OpenSSH server on port "+port+" is not affected as it's version "+version+".");

#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(55992);
  script_version("1.17");
  script_cvs_date("Date: 2018/07/31 17:27:54");

  script_cve_id(
    "CVE-2000-0525",
    "CVE-2000-1169",
    "CVE-2001-0361",
    "CVE-2001-0529",
    "CVE-2001-0572",
    "CVE-2001-0816",
    "CVE-2001-0872",
    "CVE-2001-1380",
    "CVE-2001-1382",
    "CVE-2001-1459",
    "CVE-2001-1507",
    "CVE-2001-1585",
    "CVE-2002-0083",
    "CVE-2002-0575",
    "CVE-2002-0639",
    "CVE-2002-0640",
    "CVE-2002-0765",
    "CVE-2003-0190",
    "CVE-2003-0386",
    "CVE-2003-0682",
    "CVE-2003-0693",
    "CVE-2003-0695",
    "CVE-2003-0786",
    "CVE-2003-0787",
    "CVE-2003-1562",
    "CVE-2004-0175",
    "CVE-2004-1653",
    "CVE-2004-2069",
    "CVE-2004-2760",
    "CVE-2005-2666",
    "CVE-2005-2797",
    "CVE-2005-2798",
    "CVE-2006-0225",
    "CVE-2006-4924",
    "CVE-2006-4925",
    "CVE-2006-5051",
    "CVE-2006-5052",
    "CVE-2006-5229",
    "CVE-2006-5794",
    "CVE-2007-2243",
    "CVE-2007-2768",
    "CVE-2007-3102",
    "CVE-2007-4752",
    "CVE-2008-1483",
    "CVE-2008-1657",
    "CVE-2008-3259",
    "CVE-2008-4109",
    "CVE-2008-5161"
  );
  script_bugtraq_id(32319);
  script_xref(name:"CERT", value:"958563");

  script_name(english:"SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure");
  script_summary(english:"Checks SSH banner");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The SSH service running on the remote host has an information
disclosure vulnerability."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The version of SunSSH running on the remote host has an information
disclosure vulnerability.  A design flaw in the SSH specification
could allow a man-in-the-middle attacker to recover up to 32 bits of
plaintext from an SSH-protected connection in the standard
configuration.  An attacker could exploit this to gain access to
sensitive information.

Note that this version of SunSSH is also prone to several additional
issues but Nessus did not test for them." );

  # http://web.archive.org/web/20090523091544/http://www.cpni.gov.uk/docs/vulnerability_advisory_ssh.txt
  script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?4984aeb9");
  # http://hub.opensolaris.org/bin/view/Community+Group+security/SSH#HHistoryofSunSSH
  script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?b679208a");
  script_set_attribute(attribute:"see_also",value:"http://blogs.oracle.com/janp/entry/on_sunssh_versioning");
  script_set_attribute(
    attribute:"solution",
    value:"Upgrade to SunSSH 1.1.1 / 1.3 or later"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_cwe_id(16, 20, 22, 189, 200, 255, 264, 287, 310, 362, 399);
  script_set_attribute(attribute:"vuln_publication_date",value:"2008/11/17");
  script_set_attribute(attribute:"patch_publication_date",value:"2008/12/11");
  script_set_attribute(attribute:"plugin_publication_date",value:"2011/08/29");
  script_set_attribute(attribute:"plugin_type",value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

  script_dependencies("ssh_detect.nasl");
  script_require_ports("Services/ssh");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");

# Ensure the port is open.
port = get_service(svc:"ssh", default:22, exit_on_fail:TRUE);

# Get banner for service.
banner = get_kb_item_or_exit("SSH/banner/" + port);

# Check that we're using SunSSH.
if ('sun_ssh' >!< tolower(banner))
  exit(0, "The SSH service on port " + port + " is not SunSSH.");

# Check the version in the banner.
match = eregmatch(string:banner, pattern:"sun_ssh[-_]([0-9.]+)$", icase:TRUE);
if (isnull(match))
  exit(1, "Could not parse the version string from the banner on port " + port + ".");
else
  version = match[1];

# the Oracle (Sun) blog above explains how the versioning works. we could
# probably explicitly check for each vulnerable version if it came down to it
if (
  ver_compare(ver:version, fix:'1.1.1', strict:FALSE) == -1 ||
  version == '1.2'
)
{
  if (report_verbosity > 0)
  {
    report =
      '\n  Version source    : ' + banner +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : 1.1.1 / 1.3\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else exit(0, "The SunSSH server on port "+port+" is not affected as it's version "+version+".");

#
# (C) Tenable Network Security, Inc.
#

# Script audit and contributions from Carmichael Security <http://www.carmichaelsecurity.com>
#      Erik Anderson <[email protected]>
#      Added BugtraqID
#
# also covers CVE-2002-0765


include("compat.inc");

if (description)
{
 script_id(11031);
 script_version ("1.33");
 script_cvs_date("Date: 2018/07/16 14:09:13");

 script_cve_id("CVE-2002-0639", "CVE-2002-0640");
 script_bugtraq_id(5093);
 
 script_name(english:"OpenSSH < 3.4 Multiple Remote Overflows");
 script_summary(english:"Checks for the remote SSH version");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote host has an application that is affected multiple
vulnerabilities." );
 script_set_attribute(attribute:"description", value:
"According to its banner, the remote host appears to be 
running OpenSSH version 3.4 or older. Such versions are 
reportedly affected by multiple flaws. An attacker may 
exploit these vulnerabilities to gain a shell on the remote 
system.

Note that several distributions patched this hole without 
changing the version number of OpenSSH. Since Nessus solely 
relied on the banner of the remote SSH server to perform this 
check, this might be a false positive.

If you are running a RedHat host, make sure that the command :
          rpm -q openssh-server
	  
Returns :
	openssh-server-3.1p1-6" );
 script_set_attribute(attribute:"see_also", value:"http://www.openssh.com/txt/preauth.adv" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to OpenSSH 3.4 or contact your vendor for a patch." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"plugin_publication_date", value: "2002/06/25");
 script_set_attribute(attribute:"vuln_publication_date", value: "2002/06/26");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh");
 script_end_attributes();
 
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.");
 script_family(english:"Gain a shell remotely");
 if (  ! defined_func("bn_random") )
 	script_dependencie("ssh_detect.nasl");
 else
 	script_dependencie("ssh_detect.nasl", "redhat-RHSA-2002-131.nasl");
 script_require_ports("Services/ssh", 22);
 exit(0);
}

include("backport.inc");
include("global_settings.inc");
include("misc_func.inc");

if (get_kb_item("CVE-2002-0640")) exit(0);

# Ensure the port is open.
port = get_service(svc:"ssh", exit_on_fail:TRUE);

# Get banner for service.
banner = get_kb_item_or_exit("SSH/banner/"+port);

bp_banner = tolower(get_backport_banner(banner:banner));
if ("openssh" >!< bp_banner) exit(0, "The SSH service on port "+port+" is not OpenSSH.");
if (backported) exit(1, "The banner from the OpenSSH server on port "+port+" indicates patches may have been backported.");

if (ereg(pattern:"openssh[-_]((1\..*)|(2\..*)|(3\.([0-3](\.[0-9]*)*)))", string:bp_banner))
  security_hole(port);