Vulnerabilities > CVE-2006-0225 - Unspecified vulnerability in Openbsd Openssh
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.
Vulnerable Configurations
Nessus
NASL family Solaris Local Security Checks NASL id SOLARIS10_123324-03.NASL description SunOS 5.10: sshd patch. Date this patch was last updated by Sun : Jun/20/07 last seen 2020-06-01 modified 2020-06-02 plugin id 107389 published 2018-03-12 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/107389 title Solaris 10 (sparc) : 123324-03 code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text in this plugin was # extracted from the Oracle SunOS Patch Updates. # include("compat.inc"); if (description) { script_id(107389); script_version("1.8"); script_cvs_date("Date: 2019/10/25 13:36:23"); script_cve_id("CVE-2006-0225", "CVE-2006-4924"); script_name(english:"Solaris 10 (sparc) : 123324-03"); script_summary(english:"Check for patch 123324-03"); script_set_attribute( attribute:"synopsis", value:"The remote host is missing Sun Security Patch number 123324-03" ); script_set_attribute( attribute:"description", value: "SunOS 5.10: sshd patch. Date this patch was last updated by Sun : Jun/20/07" ); script_set_attribute( attribute:"see_also", value:"https://download.oracle.com/sunalerts/1000947.1.html" ); script_set_attribute(attribute:"solution", value:"Install patch 123324-03"); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:solaris:10:123324"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:solaris:10:124442"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:solaris:10:125430"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:solaris:10"); script_set_attribute(attribute:"patch_publication_date", value:"2007/06/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Solaris Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Solaris/showrev"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("solaris.inc"); showrev = get_kb_item("Host/Solaris/showrev"); if (empty_or_null(showrev)) audit(AUDIT_OS_NOT, "Solaris"); os_ver = pregmatch(pattern:"Release: (\d+.(\d+))", string:showrev); if (empty_or_null(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Solaris"); full_ver = os_ver[1]; os_level = os_ver[2]; if (full_ver != "5.10") audit(AUDIT_OS_NOT, "Solaris 10", "Solaris " + os_level); package_arch = pregmatch(pattern:"Application architecture: (\w+)", string:showrev); if (empty_or_null(package_arch)) audit(AUDIT_UNKNOWN_ARCH); package_arch = package_arch[1]; if (package_arch != "sparc") audit(AUDIT_ARCH_NOT, "sparc", package_arch); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (solaris_check_patch(release:"5.10", arch:"sparc", patch:"123324-03", obsoleted_by:"120011-14 ", package:"SUNWcslr", version:"11.10.0,REV=2005.01.21.15.53") < 0) flag++; if (solaris_check_patch(release:"5.10", arch:"sparc", patch:"123324-03", obsoleted_by:"120011-14 ", package:"SUNWhea", version:"11.10.0,REV=2005.01.21.15.53") < 0) flag++; if (solaris_check_patch(release:"5.10", arch:"sparc", patch:"123324-03", obsoleted_by:"120011-14 ", package:"SUNWsshcu", version:"11.10.0,REV=2005.01.21.15.53") < 0) flag++; if (solaris_check_patch(release:"5.10", arch:"sparc", patch:"123324-03", obsoleted_by:"120011-14 ", package:"SUNWsshdu", version:"11.10.0,REV=2005.01.21.15.53") < 0) flag++; if (solaris_check_patch(release:"5.10", arch:"sparc", patch:"123324-03", obsoleted_by:"120011-14 ", package:"SUNWsshu", version:"11.10.0,REV=2005.01.21.15.53") < 0) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : solaris_get_report() ); } else { patch_fix = solaris_patch_fix_get(); if (!empty_or_null(patch_fix)) audit(AUDIT_PATCH_INSTALLED, patch_fix, "Solaris 10"); tested = solaris_pkg_tests_get(); if (!empty_or_null(tested)) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); audit(AUDIT_PACKAGE_NOT_INSTALLED, "SUNWcslr / SUNWhea / SUNWsshcu / SUNWsshdu / SUNWsshu"); }
NASL family Solaris Local Security Checks NASL id SOLARIS9_X86_114357.NASL description SunOS 5.9_x86: /usr/bin/ssh patch. Date this patch was last updated by Sun : Sep/16/09 last seen 2016-09-26 modified 2011-09-18 plugin id 25654 published 2007-07-02 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=25654 title Solaris 9 (x86) : 114357-18 code #%NASL_MIN_LEVEL 999999 # @DEPRECATED@ # # This script has been deprecated as the associated patch is not # currently a recommended security fix. # # Disabled on 2011/09/17. # # (C) Tenable Network Security, Inc. # # if ( ! defined_func("bn_random") ) exit(0); include("compat.inc"); if(description) { script_id(25654); script_version("1.23"); script_name(english: "Solaris 9 (x86) : 114357-18"); script_cve_id("CVE-2006-0225"); script_set_attribute(attribute: "synopsis", value: "The remote host is missing Sun Security Patch number 114357-18"); script_set_attribute(attribute: "description", value: 'SunOS 5.9_x86: /usr/bin/ssh patch. Date this patch was last updated by Sun : Sep/16/09'); script_set_attribute(attribute: "solution", value: "You should install this patch for your system to be up-to-date."); script_set_attribute(attribute: "see_also", value: "https://getupdates.oracle.com/readme/114357-18"); script_set_attribute(attribute: "cvss_vector", value: "CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_publication_date", value: "2007/07/02"); script_cvs_date("Date: 2018/08/13 14:32:38"); script_set_attribute(attribute:"vuln_publication_date", value: "2005/09/28"); script_end_attributes(); script_summary(english: "Check for patch 114357-18"); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc."); family["english"] = "Solaris Local Security Checks"; script_family(english:family["english"]); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/Solaris/showrev"); exit(0); } # Deprecated. exit(0, "The associated patch is not currently a recommended security fix."); include("solaris.inc"); e += solaris_check_patch(release:"5.9_x86", arch:"i386", patch:"114357-18", obsoleted_by:"122301-47 ", package:"SUNWsshcu", version:"11.9.0,REV=2002.11.04.02.51"); e += solaris_check_patch(release:"5.9_x86", arch:"i386", patch:"114357-18", obsoleted_by:"122301-47 ", package:"SUNWsshu", version:"11.9.0,REV=2002.11.04.02.51"); if ( e < 0 ) { if ( NASL_LEVEL < 3000 ) security_warning(0); else security_warning(port:0, extra:solaris_get_report()); exit(0); } exit(0, "Host is not affected");
NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2006-045-06.NASL description New openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix a security issue. last seen 2020-06-01 modified 2020-06-02 plugin id 20917 published 2006-02-15 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20917 title Slackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : openssh (SSA:2006-045-06) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Slackware Security Advisory 2006-045-06. The text # itself is copyright (C) Slackware Linux, Inc. # include("compat.inc"); if (description) { script_id(20917); script_version("1.15"); script_cvs_date("Date: 2019/10/25 13:36:20"); script_cve_id("CVE-2006-0225"); script_xref(name:"SSA", value:"2006-045-06"); script_name(english:"Slackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : openssh (SSA:2006-045-06)"); script_summary(english:"Checks for updated package in /var/log/packages"); script_set_attribute( attribute:"synopsis", value:"The remote Slackware host is missing a security update." ); script_set_attribute( attribute:"description", value: "New openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix a security issue." ); # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.425802 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?61b1c8fc" ); script_set_attribute( attribute:"solution", value:"Update the affected openssh package." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:openssh"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:8.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.1"); script_set_attribute(attribute:"patch_publication_date", value:"2006/02/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/02/15"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/09/28"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Slackware Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("slackware.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware"); if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu); flag = 0; if (slackware_check(osver:"8.1", pkgname:"openssh", pkgver:"4.3p1", pkgarch:"i386", pkgnum:"1")) flag++; if (slackware_check(osver:"9.0", pkgname:"openssh", pkgver:"4.3p1", pkgarch:"i386", pkgnum:"1")) flag++; if (slackware_check(osver:"9.1", pkgname:"openssh", pkgver:"4.3p1", pkgarch:"i486", pkgnum:"1")) flag++; if (slackware_check(osver:"10.0", pkgname:"openssh", pkgver:"4.3p1", pkgarch:"i486", pkgnum:"1")) flag++; if (slackware_check(osver:"10.1", pkgname:"openssh", pkgver:"4.3p1", pkgarch:"i486", pkgnum:"1")) flag++; if (slackware_check(osver:"10.2", pkgname:"openssh", pkgver:"4.3p1", pkgarch:"i486", pkgnum:"1")) flag++; if (slackware_check(osver:"current", pkgname:"openssh", pkgver:"4.3p1", pkgarch:"i486", pkgnum:"1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Misc. NASL id OPENSSH_43.NASL description According to its banner, the version of OpenSSH running on the remote host is potentially affected by an arbitrary command execution vulnerability. The scp utility does not properly sanitize user-supplied input prior to using a system() function call. A local attacker could exploit this by creating filenames with shell metacharacters, which could cause arbitrary code to be executed if copied by a user running scp. last seen 2020-06-01 modified 2020-06-02 plugin id 44076 published 2011-10-04 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/44076 title OpenSSH < 4.3 scp Command Line Filename Processing Command Injection code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(44076); script_version("1.6"); script_cvs_date("Date: 2018/07/16 14:09:13"); script_cve_id("CVE-2006-0225"); script_bugtraq_id(16369); script_name(english:"OpenSSH < 4.3 scp Command Line Filename Processing Command Injection"); script_summary(english:"Checks SSH banner"); script_set_attribute( attribute:"synopsis", value: "The version of SSH running on the remote host has a command injection vulnerability." ); script_set_attribute( attribute:"description", value: "According to its banner, the version of OpenSSH running on the remote host is potentially affected by an arbitrary command execution vulnerability. The scp utility does not properly sanitize user-supplied input prior to using a system() function call. A local attacker could exploit this by creating filenames with shell metacharacters, which could cause arbitrary code to be executed if copied by a user running scp." ); script_set_attribute(attribute:"see_also",value:"https://bugzilla.mindrot.org/show_bug.cgi?id=1094"); script_set_attribute(attribute:"see_also",value:"http://www.openssh.com/txt/release-4.3"); script_set_attribute( attribute:"solution", value:"Upgrade to OpenSSH 4.3 or later." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/09/28"); script_set_attribute(attribute:"patch_publication_date", value:"2006/02/01"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/10/04"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_dependencies("ssh_detect.nasl"); script_require_ports("Services/ssh"); exit(0); } include("backport.inc"); include("global_settings.inc"); include("misc_func.inc"); # Ensure the port is open. port = get_service(svc:"ssh", exit_on_fail:TRUE); # Get banner for service. banner = get_kb_item_or_exit("SSH/banner/"+port); bp_banner = tolower(get_backport_banner(banner:banner)); if ("openssh" >!< bp_banner) exit(0, "The SSH service on port "+port+" is not OpenSSH."); if (backported) exit(1, "The banner from the OpenSSH server on port "+port+" indicates patches may have been backported."); # Check the version in the backported banner. match = eregmatch(string:bp_banner, pattern:"openssh[-_]([0-9][-._0-9a-z]+)"); if (isnull(match)) exit(1, "Could not parse the version string in the banner from port "+port+"."); version = match[1]; match = eregmatch(string:version, pattern:'^([0-9.]+)'); if (isnull(match)) # this should never happen due to the previous eregmatch() call, but let's code defensively anyway exit(1, 'Failed to parse the version (' + version + ') of the service listening on port '+port+'.'); ver = match[1]; fix = '4.3'; if (ver_compare(ver:ver, fix:fix, strict:FALSE) == -1) { if (report_verbosity > 0) { report = '\n Version source : ' + banner + '\n Installed version : ' + version + '\n Fixed version : ' + fix + '\n'; security_warning(port:port, extra:report); } else security_warning(port); exit(0); } else exit(0, "The OpenSSH server on port "+port+" is not affected as it's version "+version+".");
NASL family Solaris Local Security Checks NASL id SOLARIS10_X86_123325.NASL description SunOS 5.10_x86: sshd patch. Date this patch was last updated by Sun : Jun/21/07 last seen 2018-09-01 modified 2018-08-13 plugin id 25645 published 2007-07-02 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=25645 title Solaris 10 (x86) : 123325-03 code #%NASL_MIN_LEVEL 80502 # @DEPRECATED@ # # This script has been deprecated as the associated patch is not # currently a recommended security fix. # # Disabled on 2011/10/24. # # # (C) Tenable Network Security, Inc. # # if ( ! defined_func("bn_random") ) exit(0); include("compat.inc"); if(description) { script_id(25645); script_version("1.22"); script_name(english: "Solaris 10 (x86) : 123325-03"); script_cve_id("CVE-2006-0225", "CVE-2006-4924"); script_set_attribute(attribute: "synopsis", value: "The remote host is missing Sun Security Patch number 123325-03"); script_set_attribute(attribute: "description", value: 'SunOS 5.10_x86: sshd patch. Date this patch was last updated by Sun : Jun/21/07'); script_set_attribute(attribute: "solution", value: "You should install this patch for your system to be up-to-date."); script_set_attribute(attribute: "see_also", value: "http://download.oracle.com/sunalerts/1000947.1.html"); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_cwe_id(399); script_set_attribute(attribute:"plugin_publication_date", value: "2007/07/02"); script_cvs_date("Date: 2019/10/25 13:36:24"); script_set_attribute(attribute:"vuln_publication_date", value: "2005/09/28"); script_end_attributes(); script_summary(english: "Check for patch 123325-03"); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); family["english"] = "Solaris Local Security Checks"; script_family(english:family["english"]); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/Solaris/showrev"); exit(0); } # Deprecated. exit(0, "The associated patch is not currently a recommended security fix.");
NASL family Solaris Local Security Checks NASL id SOLARIS10_X86_123325-03.NASL description SunOS 5.10_x86: sshd patch. Date this patch was last updated by Sun : Jun/21/07 last seen 2020-06-01 modified 2020-06-02 plugin id 107891 published 2018-03-12 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/107891 title Solaris 10 (x86) : 123325-03 NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0146_OPENSSH-LATEST.NASL description The remote NewStart CGSL host, running version MAIN 4.05, has openssh-latest packages installed that are affected by multiple vulnerabilities: - scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. (CVE-2006-0225) - sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector. (CVE-2006-4924) - Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. (CVE-2006-5051) - Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist. (CVE-2006-5794) - Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information. (CVE-2007-3102) - The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632. (CVE-2010-4755) - The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections. (CVE-2010-5107) - It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions. (CVE-2014-2532) - It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record. (CVE-2014-2653) - It was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions. (CVE-2014-9278) - It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks. (CVE-2015-5600) - It was discovered that the OpenSSH sshd daemon fetched PAM environment settings before running the login program. In configurations with UseLogin=yes and the pam_env PAM module configured to read user environment settings, a local user could use this flaw to execute arbitrary code as root. (CVE-2015-8325) - An information leak flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to leak portions of memory (possibly including private SSH keys) of a successfully authenticated OpenSSH client. (CVE-2016-0777) - An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908) - A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 127415 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127415 title NewStart CGSL MAIN 4.05 : openssh-latest Multiple Vulnerabilities (NS-SA-2019-0146) NASL family Fedora Local Security Checks NASL id FEDORA_2006-056.NASL description This is a minor security update which fixes double shell expansion in local to local and remote to remote copy with scp. It also fixes a few other minor non-security issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 20802 published 2006-01-24 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20802 title Fedora Core 4 : openssh-4.2p1-fc4.10 (2006-056) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2006-0044.NASL description Updated openssh packages that fix bugs in sshd and add auditing of user logins are now available for Red Hat Enterprise Linux 4. This update has been rated as having low security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD last seen 2020-06-01 modified 2020-06-02 plugin id 21030 published 2006-03-08 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21030 title RHEL 4 : openssh (RHSA-2006:0044) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2006-0298.NASL description Updated openssh packages that fix bugs in sshd are now available for Red Hat Enterprise Linux 3. This update has been rated as having low security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD last seen 2020-06-01 modified 2020-06-02 plugin id 22134 published 2006-08-04 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/22134 title CentOS 3 : openssh (CESA-2006:0298) NASL family Solaris Local Security Checks NASL id SOLARIS10_123324.NASL description SunOS 5.10: sshd patch. Date this patch was last updated by Sun : Jun/20/07 last seen 2018-09-01 modified 2018-08-13 plugin id 25642 published 2007-07-02 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=25642 title Solaris 10 (sparc) : 123324-03 NASL family SuSE Local Security Checks NASL id SUSE_SA_2006_008.NASL description The remote host is missing the patch for the advisory SUSE-SA:2006:008 (openssh). A problem in the handling of scp in openssh could be used to execute commands on remote hosts even using a scp-only configuration. This requires doing a remote-remote scp and a hostile server. (CVE-2006-0225) On SUSE Linux Enterprise Server 9 the xauth pollution problem was fixed too. The security fix changes the handling of quoting filenames which might break automated scripts using this functionality. Please check that your automated scp scripts still work after the update. last seen 2019-10-28 modified 2006-02-15 plugin id 20923 published 2006-02-15 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20923 title SUSE-SA:2006:008: openssh NASL family Solaris Local Security Checks NASL id SOLARIS9_114356.NASL description SunOS 5.9: /usr/bin/ssh patch. Date this patch was last updated by Sun : Sep/16/09 last seen 2016-09-26 modified 2011-09-18 plugin id 25653 published 2007-07-02 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=25653 title Solaris 9 (sparc) : 114356-19 NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0036_OPENSSH.NASL description The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has openssh packages installed that are affected by multiple vulnerabilities: - scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. (CVE-2006-0225) - sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector. (CVE-2006-4924) - Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. (CVE-2006-5051) - Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist. (CVE-2006-5794) - Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information. (CVE-2007-3102) - The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632. (CVE-2010-4755) - The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections. (CVE-2010-5107) - It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions. (CVE-2014-2532) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 127206 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127206 title NewStart CGSL CORE 5.04 / MAIN 5.04 : openssh Multiple Vulnerabilities (NS-SA-2019-0036) NASL family Misc. NASL id SUNSSH_PLAINTEXT_RECOVERY.NASL description The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them. last seen 2020-06-01 modified 2020-06-02 plugin id 55992 published 2011-08-29 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/55992 title SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2006-0044.NASL description Updated openssh packages that fix bugs in sshd and add auditing of user logins are now available for Red Hat Enterprise Linux 4. This update has been rated as having low security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD last seen 2020-06-01 modified 2020-06-02 plugin id 21975 published 2006-07-05 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21975 title CentOS 4 : openssh (CESA-2006:0044) NASL family MacOS X Local Security Checks NASL id MACOSX_10_4_9.NASL description The remote host is running a version of Mac OS X 10.4 which is older than version 10.4.9 or a version of Mac OS X 10.3 which does not have Security Update 2007-003 applied. This update contains several security fixes for the following programs : - ColorSync - CoreGraphics - Crash Reporter - CUPS - Disk Images - DS Plugins - Flash Player - GNU Tar - HFS - HID Family - ImageIO - Kernel - MySQL server - Networking - OpenSSH - Printing - QuickDraw Manager - servermgrd - SMB File Server - Software Update - sudo - WebLog last seen 2020-06-01 modified 2020-06-02 plugin id 24811 published 2007-03-13 reporter This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24811 title Mac OS X < 10.4.9 Multiple Vulnerabilities (Security Update 2007-003) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200602-11.NASL description The remote host is affected by the vulnerability described in GLSA-200602-11 (OpenSSH, Dropbear: Insecure use of system() call) To copy from a local filesystem to another local filesystem, scp constructs a command line using last seen 2020-06-01 modified 2020-06-02 plugin id 20953 published 2006-02-21 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20953 title GLSA-200602-11 : OpenSSH, Dropbear: Insecure use of system() call NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-255-1.NASL description Tomas Mraz discovered a shell code injection flaw in scp. When doing local-to-local or remote-to-remote copying, scp expanded shell escape characters. By tricking an user into using scp on a specially crafted file name (which could also be caught by using an innocuous wild card like last seen 2020-06-01 modified 2020-06-02 plugin id 21063 published 2006-03-13 reporter Ubuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/21063 title Ubuntu 4.10 / 5.04 / 5.10 : openssh vulnerability (USN-255-1) NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2006-034.NASL description A flaw was discovered in the scp local-to-local copy implementation where filenames that contain shell metacharacters or spaces are expanded twice, which could lead to the execution of arbitrary commands if a local user could be tricked into a scp last seen 2020-06-01 modified 2020-06-02 plugin id 20875 published 2006-02-10 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20875 title Mandrake Linux Security Advisory : openssh (MDKSA-2006:034) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2006-0698.NASL description Updated openssh packages that fix several security issues in sshd are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having important security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD last seen 2020-06-01 modified 2020-06-02 plugin id 22474 published 2006-09-29 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/22474 title RHEL 2.1 : openssh (RHSA-2006:0698) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2006-0298.NASL description Updated openssh packages that fix bugs in sshd are now available for Red Hat Enterprise Linux 3. This update has been rated as having low security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD last seen 2020-06-01 modified 2020-06-02 plugin id 22084 published 2006-07-21 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/22084 title RHEL 3 : openssh (RHSA-2006:0298) NASL family Misc. NASL id JUNIPER_NSM_2012_1.NASL description According to the version of one or more Juniper NSM servers running on the remote host, it is potentially vulnerable to multiple vulnerabilities, the worst of which may allow an authenticated user to trigger a denial of service condition or execute arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 69872 published 2013-09-13 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/69872 title Juniper NSM Servers < 2012.1 Multiple Vulnerabilities
Oval
accepted 2014-06-09T04:00:06.911-04:00 class vulnerability contributors name Yuzheng Zhou organization Opsware, Inc. name Jerome Athias organization McAfee, Inc.
definition_extensions comment Solaris 9 (SPARC) is installed oval oval:org.mitre.oval:def:1457 comment Solaris 9 (x86) is installed oval oval:org.mitre.oval:def:1683 comment Solaris 10 (SPARC) is installed oval oval:org.mitre.oval:def:1440 comment Solaris 10 (x86) is installed oval oval:org.mitre.oval:def:1926
description scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. family unix id oval:org.mitre.oval:def:1138 status accepted submitted 2007-06-28T09:00:00.000-04:00 title Security Vulnerability Relating to scp(1) Command May Allow Attackers to Execute Arbitrary Commands version 38 accepted 2013-04-29T04:23:40.838-04:00 class vulnerability contributors name Aharon Chernin organization SCAP.com, LLC name Dragos Prisaca organization G2, Inc.
definition_extensions comment The operating system installed on the system is Red Hat Enterprise Linux 3 oval oval:org.mitre.oval:def:11782 comment CentOS Linux 3.x oval oval:org.mitre.oval:def:16651 comment The operating system installed on the system is Red Hat Enterprise Linux 4 oval oval:org.mitre.oval:def:11831 comment CentOS Linux 4.x oval oval:org.mitre.oval:def:16636 comment Oracle Linux 4.x oval oval:org.mitre.oval:def:15990
description scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. family unix id oval:org.mitre.oval:def:9962 status accepted submitted 2010-07-09T03:56:16-04:00 title scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. version 26
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rpms |
|
Seebug
bulletinFamily | exploit |
description | CVE ID:CVE-2006-0225 CNCVE ID:CNCVE-20060225 Avaya Call Management System是一款Avaya的运营效率解决方案,提供集成的分析与报告。 运行在Sun Solaris上的CMS和IR应用程序处理scp命令存在输入验证问题,本地攻击者可以利用漏洞以用户特权执行任意命令。 目前没有详细漏洞细节提供。 0 Avaya Call Management System (CMS) 可参考如下安全公告获得补丁信息: <a href="http://support.avaya.com/elmodocs2/security/ASA-2007-246.htm" target="_blank">http://support.avaya.com/elmodocs2/security/ASA-2007-246.htm</a> |
id | SSV:1979 |
last seen | 2017-11-19 |
modified | 2007-07-10 |
published | 2007-07-10 |
reporter | Root |
title | Avaya CMS / IR Solaris scp命令行shell命令注入漏洞 |
Statements
contributor | Joshua Bressers |
lastmodified | 2009-09-09 |
organization | Red Hat |
statement | This issue was addressed in Red Hat Enterprise Linux 2.1, 3 and 4: https://rhn.redhat.com/errata/CVE-2006-0225.html https://www.redhat.com/security/data/cve/CVE-2006-0225.html Issue was fixed upstream in version 4.3. The openssh packages in Red Hat Enterprise Linux 5 are based on the fixed upstream version and were not affected by this flaw. |
References
- ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/005_ssh.patch
- ftp://patches.sgi.com/support/free/security/advisories/20060703-01-U.asc
- http://blogs.sun.com/security/entry/sun_alert_102961_security_vulnerability
- http://docs.info.apple.com/article.html?artnum=305214
- http://itrc.hp.com/service/cki/docDisplay.do?docId=c00815112
- http://lists.apple.com/archives/security-announce/2007/Mar/msg00002.html
- http://secunia.com/advisories/18579
- http://secunia.com/advisories/18595
- http://secunia.com/advisories/18650
- http://secunia.com/advisories/18736
- http://secunia.com/advisories/18798
- http://secunia.com/advisories/18850
- http://secunia.com/advisories/18910
- http://secunia.com/advisories/18964
- http://secunia.com/advisories/18969
- http://secunia.com/advisories/18970
- http://secunia.com/advisories/19159
- http://secunia.com/advisories/20723
- http://secunia.com/advisories/21129
- http://secunia.com/advisories/21262
- http://secunia.com/advisories/21492
- http://secunia.com/advisories/21724
- http://secunia.com/advisories/22196
- http://secunia.com/advisories/23241
- http://secunia.com/advisories/23340
- http://secunia.com/advisories/23680
- http://secunia.com/advisories/24479
- http://secunia.com/advisories/25607
- http://secunia.com/advisories/25936
- http://securityreason.com/securityalert/462
- http://securitytracker.com/id?1015540
- http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.425802
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102961-1
- http://support.avaya.com/elmodocs2/security/ASA-2006-158.htm
- http://support.avaya.com/elmodocs2/security/ASA-2006-174.htm
- http://support.avaya.com/elmodocs2/security/ASA-2006-262.htm
- http://support.avaya.com/elmodocs2/security/ASA-2007-246.htm
- http://www.gentoo.org/security/en/glsa/glsa-200602-11.xml
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:034
- http://www.novell.com/linux/security/advisories/2006_08_openssh.html
- http://www.openpkg.org/security/OpenPKG-SA-2006.003-openssh.html
- http://www.osvdb.org/22692
- http://www.redhat.com/archives/fedora-announce-list/2006-January/msg00062.html
- http://www.redhat.com/support/errata/RHSA-2006-0044.html
- http://www.redhat.com/support/errata/RHSA-2006-0298.html
- http://www.redhat.com/support/errata/RHSA-2006-0698.html
- http://www.securityfocus.com/archive/1/425397/100/0/threaded
- http://www.securityfocus.com/bid/16369
- http://www.trustix.org/errata/2006/0004
- http://www.ubuntu.com/usn/usn-255-1
- http://www.us-cert.gov/cas/techalerts/TA07-072A.html
- http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html
- http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html
- http://www.vupen.com/english/advisories/2006/0306
- http://www.vupen.com/english/advisories/2006/2490
- http://www.vupen.com/english/advisories/2006/4869
- http://www.vupen.com/english/advisories/2007/0930
- http://www.vupen.com/english/advisories/2007/2120
- http://www14.software.ibm.com/webapp/set2/sas/f/hmc/power5/install/v52.Readme.html#MH00688
- http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=2751
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174026
- https://exchange.xforce.ibmcloud.com/vulnerabilities/24305
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1138
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9962