Vulnerabilities > CVE-2006-0225 - Unspecified vulnerability in Openbsd Openssh

047910
CVSS 4.6 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
local
low complexity
openbsd
nessus

Summary

scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.

Nessus

  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_123324-03.NASL
    descriptionSunOS 5.10: sshd patch. Date this patch was last updated by Sun : Jun/20/07
    last seen2020-06-01
    modified2020-06-02
    plugin id107389
    published2018-03-12
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107389
    titleSolaris 10 (sparc) : 123324-03
    code
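    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text in this plugin was
    # extracted from the Oracle SunOS Patch Updates.
    #
    # Local check: reports a Solaris 10 (sparc) host on which Sun patch
    # 123324-03 (sshd), or the patch that obsoletes it, is missing for any of
    # the SUNW* packages listed in the checks below.
    include("compat.inc");
    
    if (description)
    {
      script_id(107389);
      script_version("1.8");
      script_cvs_date("Date: 2019/10/25 13:36:23");
    
      script_cve_id("CVE-2006-0225", "CVE-2006-4924");
    
      script_name(english:"Solaris 10 (sparc) : 123324-03");
      script_summary(english:"Check for patch 123324-03");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote host is missing Sun Security Patch number 123324-03"
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "SunOS 5.10: sshd patch.
    Date this patch was last updated by Sun : Jun/20/07"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://download.oracle.com/sunalerts/1000947.1.html"
      );
      script_set_attribute(attribute:"solution", value:"Install patch 123324-03");
      # NOTE(review): this base vector (network / availability-complete) matches
      # the SSHv1 DoS CVE-2006-4924 rather than the local scp issue CVE-2006-0225
      # that the patch also covers; presumably the more severe of the two is
      # scored — confirm against the Sun alert before changing it.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:solaris:10:123324");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:solaris:10:124442");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:solaris:10:125430");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:solaris:10");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/06/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Solaris Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Solaris/showrev");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("solaris.inc");
    
    # Establish that this is Solaris 5.10 on sparc with local checks enabled;
    # every audit() call below exits the plugin with the given reason.
    showrev = get_kb_item("Host/Solaris/showrev");
    if (empty_or_null(showrev)) audit(AUDIT_OS_NOT, "Solaris");
    os_ver = pregmatch(pattern:"Release: (\d+.(\d+))", string:showrev);
    if (empty_or_null(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Solaris");
    full_ver = os_ver[1];
    os_level = os_ver[2];
    if (full_ver != "5.10") audit(AUDIT_OS_NOT, "Solaris 10", "Solaris " + os_level);
    package_arch = pregmatch(pattern:"Application architecture: (\w+)", string:showrev);
    if (empty_or_null(package_arch)) audit(AUDIT_UNKNOWN_ARCH);
    package_arch = package_arch[1];
    if (package_arch != "sparc") audit(AUDIT_ARCH_NOT, "sparc", package_arch);
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    # One check per affected package; a negative result means the patch (or its
    # obsoleting patch) is absent. Start from an explicit zero, as the other
    # plugins on this page do, rather than relying on "++" of an unset variable.
    # The trailing space in obsoleted_by is reproduced from the generated
    # plugin and is passed through unchanged.
    flag = 0;
    if (solaris_check_patch(release:"5.10", arch:"sparc", patch:"123324-03", obsoleted_by:"120011-14 ", package:"SUNWcslr", version:"11.10.0,REV=2005.01.21.15.53") < 0) flag++;
    if (solaris_check_patch(release:"5.10", arch:"sparc", patch:"123324-03", obsoleted_by:"120011-14 ", package:"SUNWhea", version:"11.10.0,REV=2005.01.21.15.53") < 0) flag++;
    if (solaris_check_patch(release:"5.10", arch:"sparc", patch:"123324-03", obsoleted_by:"120011-14 ", package:"SUNWsshcu", version:"11.10.0,REV=2005.01.21.15.53") < 0) flag++;
    if (solaris_check_patch(release:"5.10", arch:"sparc", patch:"123324-03", obsoleted_by:"120011-14 ", package:"SUNWsshdu", version:"11.10.0,REV=2005.01.21.15.53") < 0) flag++;
    if (solaris_check_patch(release:"5.10", arch:"sparc", patch:"123324-03", obsoleted_by:"120011-14 ", package:"SUNWsshu", version:"11.10.0,REV=2005.01.21.15.53") < 0) flag++;
    
    if (flag) {
      # At least one package is unpatched: report with the per-package detail.
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : solaris_get_report()
      );
    } else {
      # Nothing missing: explain why (patch present, package tested and fine,
      # or none of the packages installed at all).
      patch_fix = solaris_patch_fix_get();
      if (!empty_or_null(patch_fix)) audit(AUDIT_PATCH_INSTALLED, patch_fix, "Solaris 10");
      tested = solaris_pkg_tests_get();
      if (!empty_or_null(tested)) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      audit(AUDIT_PACKAGE_NOT_INSTALLED, "SUNWcslr / SUNWhea / SUNWsshcu / SUNWsshdu / SUNWsshu");
    }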
    
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS9_X86_114357.NASL
    descriptionSunOS 5.9_x86: /usr/bin/ssh patch. Date this patch was last updated by Sun : Sep/16/09
    last seen2016-09-26
    modified2011-09-18
    plugin id25654
    published2007-07-02
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=25654
    titleSolaris 9 (x86) : 114357-18
    code
    #%NASL_MIN_LEVEL 999999
    
    # @DEPRECATED@
    #
    # This script has been deprecated as the associated patch is not
    # currently a recommended security fix.
    #
    # Disabled on 2011/09/17.
    
    #
    # (C) Tenable Network Security, Inc.
    #
    #
    
    # Deprecated Solaris 9 (x86) check for Sun patch 114357-18 (/usr/bin/ssh).
    # The unconditional exit after the description block means the patch
    # checks further down never run.
    if ( ! defined_func("bn_random") ) exit(0);
    include("compat.inc");
    
    if(description)
    {
     script_id(25654);
     script_version("1.23");
    
     script_name(english: "Solaris 9 (x86) : 114357-18");
     script_cve_id("CVE-2006-0225");
     script_set_attribute(attribute: "synopsis", value:
    "The remote host is missing Sun Security Patch number 114357-18");
     script_set_attribute(attribute: "description", value:
    'SunOS 5.9_x86: /usr/bin/ssh patch.
    Date this patch was last updated by Sun : Sep/16/09');
     script_set_attribute(attribute: "solution", value:
    "You should install this patch for your system to be up-to-date.");
     script_set_attribute(attribute: "see_also", value:
    "https://getupdates.oracle.com/readme/114357-18");
     # Local / low-complexity / partial C-I-A, consistent with CVE-2006-0225.
     script_set_attribute(attribute: "cvss_vector", value: "CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
     script_set_attribute(attribute:"plugin_publication_date", value: "2007/07/02");
     script_cvs_date("Date: 2018/08/13 14:32:38");
     script_set_attribute(attribute:"vuln_publication_date", value: "2005/09/28");
     script_end_attributes();
    
     script_summary(english: "Check for patch 114357-18");
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
     family["english"] = "Solaris Local Security Checks";
     script_family(english:family["english"]);
     
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/Solaris/showrev");
     exit(0);
    }
    
    
    
    # Deprecated.
    # Everything after this exit is unreachable; it is retained only as a
    # record of the original patch check.
    exit(0, "The associated patch is not currently a recommended security fix.");
    
    include("solaris.inc");
    
    # NOTE(review): e is never initialized before "+=" — presumably this relied
    # on an unset NASL variable behaving as 0; confirm before reviving the check.
    e +=  solaris_check_patch(release:"5.9_x86", arch:"i386", patch:"114357-18", obsoleted_by:"122301-47 ", package:"SUNWsshcu", version:"11.9.0,REV=2002.11.04.02.51");
    e +=  solaris_check_patch(release:"5.9_x86", arch:"i386", patch:"114357-18", obsoleted_by:"122301-47 ", package:"SUNWsshu", version:"11.9.0,REV=2002.11.04.02.51");
    # A negative sum means at least one package lacked the patch.
    if ( e < 0 ) { 
    	if ( NASL_LEVEL < 3000 ) 
    	   security_warning(0);
    	else  
    	   security_warning(port:0, extra:solaris_get_report());
    	exit(0); 
    } 
    exit(0, "Host is not affected");
    
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2006-045-06.NASL
    descriptionNew openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix a security issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id20917
    published2006-02-15
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20917
    titleSlackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : openssh (SSA:2006-045-06)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Slackware Security Advisory 2006-045-06. The text 
    # itself is copyright (C) Slackware Linux, Inc.
    #
    
    # Local package check: reports a Slackware host whose installed openssh
    # package is older than the 4.3p1 build shipped for SSA:2006-045-06.
    
    include("compat.inc");
    
    if (description)
    {
      script_id(20917);
      script_version("1.15");
      script_cvs_date("Date: 2019/10/25 13:36:20");
    
      script_cve_id("CVE-2006-0225");
      script_xref(name:"SSA", value:"2006-045-06");
    
      script_name(english:"Slackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : openssh (SSA:2006-045-06)");
      script_summary(english:"Checks for updated package in /var/log/packages");
    
      script_set_attribute(attribute:"synopsis", value:"The remote Slackware host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "New openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
    10.1, 10.2, and -current to fix a security issue.");
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.425802
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?61b1c8fc");
      script_set_attribute(attribute:"solution", value:"Update the affected openssh package.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:openssh");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:8.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/02/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/02/15");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/09/28");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Slackware Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    # Preconditions: local checks on, Slackware release and package list known.
    # Each audit() exits the plugin with the stated reason.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only x86 / x86_64 inventories are understood by the Slackware helpers.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
    
    # One "osver:pkgarch" entry per release named in the advisory; the fixed
    # openssh build (4.3p1, build 1) is identical across all of them, so only
    # the release and the package architecture vary per check.
    targets = make_list(
      "8.1:i386", "9.0:i386", "9.1:i486",
      "10.0:i486", "10.1:i486", "10.2:i486", "current:i486"
    );
    
    flag = 0;
    foreach target (targets)
    {
      fields = split(target, sep:":", keep:FALSE);
      if (slackware_check(osver:fields[0], pkgname:"openssh", pkgver:"4.3p1", pkgarch:fields[1], pkgnum:"1")) flag++;
    }
    
    # No release/package combination matched an outdated openssh.
    if (!flag) audit(AUDIT_HOST_NOT, "affected");
    
    # Outdated package found: include the package detail when verbose.
    if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());
    else security_warning(0);
    exit(0);
    
  • NASL familyMisc.
    NASL idOPENSSH_43.NASL
    descriptionAccording to its banner, the version of OpenSSH running on the remote host is potentially affected by an arbitrary command execution vulnerability. The scp utility does not properly sanitize user-supplied input prior to using a system() function call. A local attacker could exploit this by creating filenames with shell metacharacters, which could cause arbitrary code to be executed if copied by a user running scp.
    last seen2020-06-01
    modified2020-06-02
    plugin id44076
    published2011-10-04
    reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/44076
    titleOpenSSH < 4.3 scp Command Line Filename Processing Command Injection
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # Remote banner check: flags an OpenSSH server that reports a version
    # below 4.3 (scp filename command injection, CVE-2006-0225). Hosts whose
    # banner indicates backported patches are skipped rather than scored.
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(44076);
      script_version("1.6");
      script_cvs_date("Date: 2018/07/16 14:09:13");
    
      script_cve_id("CVE-2006-0225");
      script_bugtraq_id(16369);
    
      script_name(english:"OpenSSH  < 4.3 scp Command Line Filename Processing Command Injection");
      script_summary(english:"Checks SSH banner");
    
      script_set_attribute(attribute:"synopsis", value:
    "The version of SSH running on the remote host has a command injection
    vulnerability.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of OpenSSH running on the remote
    host is potentially affected by an arbitrary command execution
    vulnerability.  The scp utility does not properly sanitize
    user-supplied input prior to using a system() function call.  A local
    attacker could exploit this by creating filenames with shell
    metacharacters, which could cause arbitrary code to be executed if
    copied by a user running scp.");
      script_set_attribute(attribute:"see_also",value:"https://bugzilla.mindrot.org/show_bug.cgi?id=1094");
      script_set_attribute(attribute:"see_also",value:"http://www.openssh.com/txt/release-4.3");
      script_set_attribute(attribute:"solution", value:"Upgrade to OpenSSH 4.3 or later.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/09/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2006/02/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/10/04");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_detect.nasl");
      script_require_ports("Services/ssh");
    
      exit(0);
    }
    
    include("backport.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Locate the SSH service; get_service() exits on our behalf if none is open.
    port = get_service(svc:"ssh", exit_on_fail:TRUE);
    
    # Raw banner, plus its backport-normalised, lower-cased form for matching.
    banner = get_kb_item_or_exit("SSH/banner/"+port);
    bp_banner = tolower(get_backport_banner(banner:banner));
    if ("openssh" >!< bp_banner) exit(0, "The SSH service on port "+port+" is not OpenSSH.");
    if (backported) exit(1, "The banner from the OpenSSH server on port "+port+" indicates patches may have been backported.");
    
    # Full version token from the banner (digits, dots, dashes, letters), then
    # the leading numeric part only, which is what ver_compare() understands.
    m = eregmatch(string:bp_banner, pattern:"openssh[-_]([0-9][-._0-9a-z]+)");
    if (isnull(m)) exit(1, "Could not parse the version string in the banner from port "+port+".");
    version = m[1];
    
    m = eregmatch(string:version, pattern:'^([0-9.]+)');
    # Defensive only: the first pattern already requires a leading digit.
    if (isnull(m)) exit(1, 'Failed to parse the version (' + version + ') of the service listening on port '+port+'.');
    numeric_ver = m[1];
    
    fix = '4.3';
    
    # Anything at or above the fixed release is not affected.
    if (ver_compare(ver:numeric_ver, fix:fix, strict:FALSE) != -1)
      exit(0, "The OpenSSH server on port "+port+" is not affected as it's version "+version+".");
    
    # Vulnerable: show the evidence when the scan is verbose.
    if (report_verbosity > 0)
    {
      report =
        '\n  Version source    : ' + banner +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : ' + fix + '\n';
      security_warning(port:port, extra:report);
    }
    else security_warning(port);
    exit(0);
    
    
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_X86_123325.NASL
    descriptionSunOS 5.10_x86: sshd patch. Date this patch was last updated by Sun : Jun/21/07
    last seen2018-09-01
    modified2018-08-13
    plugin id25645
    published2007-07-02
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=25645
    titleSolaris 10 (x86) : 123325-03
    code
    #%NASL_MIN_LEVEL 80502
    
    # @DEPRECATED@
    #
    # This script has been deprecated as the associated patch is not
    # currently a recommended security fix.
    #
    # Disabled on 2011/10/24.
    #
    
    #
    # (C) Tenable Network Security, Inc.
    #
    #
    
    # Deprecated Solaris 10 (x86) check for Sun patch 123325-03 (sshd). Only the
    # description block survives; the script exits unconditionally afterwards,
    # so no patch check is performed.
    if ( ! defined_func("bn_random") ) exit(0);
    include("compat.inc");
    
    if(description)
    {
     script_id(25645);
     script_version("1.22");
    
     script_name(english: "Solaris 10 (x86) : 123325-03");
     script_cve_id("CVE-2006-0225", "CVE-2006-4924");
     script_set_attribute(attribute: "synopsis", value:
    "The remote host is missing Sun Security Patch number 123325-03");
     script_set_attribute(attribute: "description", value:
    'SunOS 5.10_x86: sshd patch.
    Date this patch was last updated by Sun : Jun/21/07');
     script_set_attribute(attribute: "solution", value:
    "You should install this patch for your system to be up-to-date.");
     script_set_attribute(attribute: "see_also", value:
    "http://download.oracle.com/sunalerts/1000947.1.html");
     # NOTE(review): network / availability-complete matches the SSHv1 DoS
     # CVE-2006-4924 rather than the local scp issue CVE-2006-0225 also listed
     # above; presumably the more severe CVE is scored — confirm if revived.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
     script_cwe_id(399);
     script_set_attribute(attribute:"plugin_publication_date", value: "2007/07/02");
     script_cvs_date("Date: 2019/10/25 13:36:24");
     script_set_attribute(attribute:"vuln_publication_date", value: "2005/09/28");
     script_end_attributes();
    
     script_summary(english: "Check for patch 123325-03");
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
     family["english"] = "Solaris Local Security Checks";
     script_family(english:family["english"]);
     
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/Solaris/showrev");
     exit(0);
    }
    
    # Deprecated.
    # Unconditional exit; nothing runs beyond this point.
    exit(0, "The associated patch is not currently a recommended security fix.");
    
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_X86_123325-03.NASL
    descriptionSunOS 5.10_x86: sshd patch. Date this patch was last updated by Sun : Jun/21/07
    last seen2020-06-01
    modified2020-06-02
    plugin id107891
    published2018-03-12
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107891
    titleSolaris 10 (x86) : 123325-03
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0146_OPENSSH-LATEST.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.05, has openssh-latest packages installed that are affected by multiple vulnerabilities: - scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. (CVE-2006-0225) - sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector. (CVE-2006-4924) - Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. (CVE-2006-5051) - Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist. (CVE-2006-5794) - Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information. 
(CVE-2007-3102) - The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632. (CVE-2010-4755) - The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections. (CVE-2010-5107) - It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions. (CVE-2014-2532) - It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record. (CVE-2014-2653) - It was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions. (CVE-2014-9278) - It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks. (CVE-2015-5600) - It was discovered that the OpenSSH sshd daemon fetched PAM environment settings before running the login program. 
In configurations with UseLogin=yes and the pam_env PAM module configured to read user environment settings, a local user could use this flaw to execute arbitrary code as root. (CVE-2015-8325) - An information leak flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to leak portions of memory (possibly including private SSH keys) of a successfully authenticated OpenSSH client. (CVE-2016-0777) - An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908) - A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127415
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127415
    titleNewStart CGSL MAIN 4.05 : openssh-latest Multiple Vulnerabilities (NS-SA-2019-0146)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2006-056.NASL
    descriptionThis is a minor security update which fixes double shell expansion in local to local and remote to remote copy with scp. It also fixes a few other minor non-security issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id20802
    published2006-01-24
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20802
    titleFedora Core 4 : openssh-4.2p1-fc4.10 (2006-056)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2006-0044.NASL
    descriptionUpdated openssh packages that fix bugs in sshd and add auditing of user logins are now available for Red Hat Enterprise Linux 4. This update has been rated as having low security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD
    last seen2020-06-01
    modified2020-06-02
    plugin id21030
    published2006-03-08
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21030
    titleRHEL 4 : openssh (RHSA-2006:0044)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2006-0298.NASL
    descriptionUpdated openssh packages that fix bugs in sshd are now available for Red Hat Enterprise Linux 3. This update has been rated as having low security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD
    last seen2020-06-01
    modified2020-06-02
    plugin id22134
    published2006-08-04
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22134
    titleCentOS 3 : openssh (CESA-2006:0298)
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_123324.NASL
    descriptionSunOS 5.10: sshd patch. Date this patch was last updated by Sun : Jun/20/07
    last seen2018-09-01
    modified2018-08-13
    plugin id25642
    published2007-07-02
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=25642
    titleSolaris 10 (sparc) : 123324-03
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SA_2006_008.NASL
    descriptionThe remote host is missing the patch for the advisory SUSE-SA:2006:008 (openssh). A problem in the handling of scp in openssh could be used to execute commands on remote hosts even using a scp-only configuration. This requires doing a remote-remote scp and a hostile server. (CVE-2006-0225) On SUSE Linux Enterprise Server 9 the xauth pollution problem was fixed too. The security fix changes the handling of quoting filenames which might break automated scripts using this functionality. Please check that your automated scp scripts still work after the update.
    last seen2019-10-28
    modified2006-02-15
    plugin id20923
    published2006-02-15
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20923
    titleSUSE-SA:2006:008: openssh
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS9_114356.NASL
    descriptionSunOS 5.9: /usr/bin/ssh patch. Date this patch was last updated by Sun : Sep/16/09
    last seen2016-09-26
    modified2011-09-18
    plugin id25653
    published2007-07-02
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=25653
    titleSolaris 9 (sparc) : 114356-19
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0036_OPENSSH.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has openssh packages installed that are affected by multiple vulnerabilities: - scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. (CVE-2006-0225) - sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector. (CVE-2006-4924) - Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. (CVE-2006-5051) - Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist. (CVE-2006-5794) - Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information. 
(CVE-2007-3102) - The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632. (CVE-2010-4755) - The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections. (CVE-2010-5107) - It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions. (CVE-2014-2532) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127206
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127206
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : openssh Multiple Vulnerabilities (NS-SA-2019-0036)
  • NASL familyMisc.
    NASL idSUNSSH_PLAINTEXT_RECOVERY.NASL
    descriptionThe version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.
    last seen2020-06-01
    modified2020-06-02
    plugin id55992
    published2011-08-29
    reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/55992
    titleSunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2006-0044.NASL
    descriptionUpdated openssh packages that fix bugs in sshd and add auditing of user logins are now available for Red Hat Enterprise Linux 4. This update has been rated as having low security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD
    last seen2020-06-01
    modified2020-06-02
    plugin id21975
    published2006-07-05
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21975
    titleCentOS 4 : openssh (CESA-2006:0044)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_10_4_9.NASL
    descriptionThe remote host is running a version of Mac OS X 10.4 which is older than version 10.4.9 or a version of Mac OS X 10.3 which does not have Security Update 2007-003 applied. This update contains several security fixes for the following programs : - ColorSync - CoreGraphics - Crash Reporter - CUPS - Disk Images - DS Plugins - Flash Player - GNU Tar - HFS - HID Family - ImageIO - Kernel - MySQL server - Networking - OpenSSH - Printing - QuickDraw Manager - servermgrd - SMB File Server - Software Update - sudo - WebLog
    last seen2020-06-01
    modified2020-06-02
    plugin id24811
    published2007-03-13
    reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24811
    titleMac OS X < 10.4.9 Multiple Vulnerabilities (Security Update 2007-003)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200602-11.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200602-11 (OpenSSH, Dropbear: Insecure use of system() call) To copy from a local filesystem to another local filesystem, scp constructs a command line using
    last seen2020-06-01
    modified2020-06-02
    plugin id20953
    published2006-02-21
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20953
    titleGLSA-200602-11 : OpenSSH, Dropbear: Insecure use of system() call
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-255-1.NASL
    descriptionTomas Mraz discovered a shell code injection flaw in scp. When doing local-to-local or remote-to-remote copying, scp expanded shell escape characters. By tricking an user into using scp on a specially crafted file name (which could also be caught by using an innocuous wild card like
    last seen2020-06-01
    modified2020-06-02
    plugin id21063
    published2006-03-13
    reporterUbuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/21063
    titleUbuntu 4.10 / 5.04 / 5.10 : openssh vulnerability (USN-255-1)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2006-034.NASL
    descriptionA flaw was discovered in the scp local-to-local copy implementation where filenames that contain shell metacharacters or spaces are expanded twice, which could lead to the execution of arbitrary commands if a local user could be tricked into a scp
    last seen2020-06-01
    modified2020-06-02
    plugin id20875
    published2006-02-10
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20875
    titleMandrake Linux Security Advisory : openssh (MDKSA-2006:034)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2006-0698.NASL
    descriptionUpdated openssh packages that fix several security issues in sshd are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having important security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD
    last seen2020-06-01
    modified2020-06-02
    plugin id22474
    published2006-09-29
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22474
    titleRHEL 2.1 : openssh (RHSA-2006:0698)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2006-0298.NASL
    descriptionUpdated openssh packages that fix bugs in sshd are now available for Red Hat Enterprise Linux 3. This update has been rated as having low security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD
    last seen2020-06-01
    modified2020-06-02
    plugin id22084
    published2006-07-21
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22084
    titleRHEL 3 : openssh (RHSA-2006:0298)
  • NASL familyMisc.
    NASL idJUNIPER_NSM_2012_1.NASL
    descriptionAccording to their version, one or more Juniper NSM servers running on the remote host are potentially affected by multiple vulnerabilities, the worst of which may allow an authenticated user to trigger a denial of service condition or execute arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id69872
    published2013-09-13
    reporterThis script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/69872
    titleJuniper NSM Servers < 2012.1 Multiple Vulnerabilities

Oval

  • accepted2014-06-09T04:00:06.911-04:00
    classvulnerability
    contributors
    • nameYuzheng Zhou
      organizationOpsware, Inc.
    • nameJerome Athias
      organizationMcAfee, Inc.
    definition_extensions
    • commentSolaris 9 (SPARC) is installed
      ovaloval:org.mitre.oval:def:1457
    • commentSolaris 9 (x86) is installed
      ovaloval:org.mitre.oval:def:1683
    • commentSolaris 10 (SPARC) is installed
      ovaloval:org.mitre.oval:def:1440
    • commentSolaris 10 (x86) is installed
      ovaloval:org.mitre.oval:def:1926
    descriptionscp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.
    familyunix
    idoval:org.mitre.oval:def:1138
    statusaccepted
    submitted2007-06-28T09:00:00.000-04:00
    titleSecurity Vulnerability Relating to scp(1) Command May Allow Attackers to Execute Arbitrary Commands
    version38
  • accepted2013-04-29T04:23:40.838-04:00
    classvulnerability
    contributors
    • nameAharon Chernin
      organizationSCAP.com, LLC
    • nameDragos Prisaca
      organizationG2, Inc.
    definition_extensions
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
      ovaloval:org.mitre.oval:def:11782
    • commentCentOS Linux 3.x
      ovaloval:org.mitre.oval:def:16651
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
      ovaloval:org.mitre.oval:def:11831
    • commentCentOS Linux 4.x
      ovaloval:org.mitre.oval:def:16636
    • commentOracle Linux 4.x
      ovaloval:org.mitre.oval:def:15990
    descriptionscp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.
    familyunix
    idoval:org.mitre.oval:def:9962
    statusaccepted
    submitted2010-07-09T03:56:16-04:00
    titlescp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.
    version26

Redhat

advisories
  • bugzilla
    id170568
    titleadd audit message to sshd
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 4 is installed
        ovaloval:com.redhat.rhba:tst:20070304025
      • OR
        • AND
          • commentopenssh-clients is earlier than 0:3.9p1-8.RHEL4.12
            ovaloval:com.redhat.rhsa:tst:20060044001
          • commentopenssh-clients is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060044002
        • AND
          • commentopenssh-askpass-gnome is earlier than 0:3.9p1-8.RHEL4.12
            ovaloval:com.redhat.rhsa:tst:20060044003
          • commentopenssh-askpass-gnome is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060044004
        • AND
          • commentopenssh-server is earlier than 0:3.9p1-8.RHEL4.12
            ovaloval:com.redhat.rhsa:tst:20060044005
          • commentopenssh-server is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060044006
        • AND
          • commentopenssh-askpass is earlier than 0:3.9p1-8.RHEL4.12
            ovaloval:com.redhat.rhsa:tst:20060044007
          • commentopenssh-askpass is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060044008
        • AND
          • commentopenssh is earlier than 0:3.9p1-8.RHEL4.12
            ovaloval:com.redhat.rhsa:tst:20060044009
          • commentopenssh is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060044010
    rhsa
    idRHSA-2006:0044
    released2006-03-07
    severityLow
    titleRHSA-2006:0044: openssh security update (Low)
  • rhsa
    idRHSA-2006:0298
  • rhsa
    idRHSA-2006:0698
rpms
  • openssh-0:3.9p1-8.RHEL4.12
  • openssh-askpass-0:3.9p1-8.RHEL4.12
  • openssh-askpass-gnome-0:3.9p1-8.RHEL4.12
  • openssh-clients-0:3.9p1-8.RHEL4.12
  • openssh-debuginfo-0:3.9p1-8.RHEL4.12
  • openssh-server-0:3.9p1-8.RHEL4.12
  • openssh-0:3.6.1p2-33.30.9
  • openssh-askpass-0:3.6.1p2-33.30.9
  • openssh-askpass-gnome-0:3.6.1p2-33.30.9
  • openssh-clients-0:3.6.1p2-33.30.9
  • openssh-debuginfo-0:3.6.1p2-33.30.9
  • openssh-server-0:3.6.1p2-33.30.9
  • openssh-0:3.1p1-21
  • openssh-askpass-0:3.1p1-21
  • openssh-askpass-gnome-0:3.1p1-21
  • openssh-clients-0:3.1p1-21
  • openssh-server-0:3.1p1-21

Seebug

bulletinFamilyexploit
descriptionCVE ID:CVE-2006-0225 CNCVE ID:CNCVE-20060225 Avaya Call Management System是一款Avaya的运营效率解决方案,提供集成的分析与报告。 运行在Sun Solaris上的CMS和IR应用程序处理scp命令存在输入验证问题,本地攻击者可以利用漏洞以用户特权执行任意命令。 目前没有详细漏洞细节提供。 0 Avaya Call Management System (CMS) 可参考如下安全公告获得补丁信息: http://support.avaya.com/elmodocs2/security/ASA-2007-246.htm
idSSV:1979
last seen2017-11-19
modified2007-07-10
published2007-07-10
reporterRoot
titleAvaya CMS / IR Solaris scp命令行shell命令注入漏洞

Statements

contributorJoshua Bressers
lastmodified2009-09-09
organizationRed Hat
statementThis issue was addressed in Red Hat Enterprise Linux 2.1, 3 and 4: https://rhn.redhat.com/errata/CVE-2006-0225.html https://www.redhat.com/security/data/cve/CVE-2006-0225.html The issue was fixed upstream in OpenSSH 4.3. The openssh packages in Red Hat Enterprise Linux 5 are based on the fixed upstream version and were not affected by this flaw.

References