Vulnerabilities > CVE-2008-3259 - Information Exposure vulnerability in Openbsd Openssh

047910
CVSS 1.2 - LOW
Attack vector: LOCAL
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE

Tags: local, high complexity, openbsd, CWE-200, nessus

Summary

OpenSSH before 5.1 sets the SO_REUSEADDR socket option when the X11UseLocalhost configuration setting is disabled, which allows local users on some platforms to hijack the X11 forwarding port via a bind to a single IP address, as demonstrated on the HP-UX platform.

Vulnerable Configurations

Part         Description   Count
Application  Openbsd       154

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, in what the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible while the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of JavaScript to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser, including its version, to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero-day weaknesses in the type and version of the browser used by the victim. Automating this process via JavaScript as part of the same delivery system used to exploit the browser is considered more efficient, as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in JavaScript and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session IDs in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL family: Misc.
    NASL id: OPENSSH_51.NASL
    description: According to its banner, the version of SSH installed on the remote host is older than 5.1 and may allow a local user to hijack the X11 forwarding port. The application improperly sets the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 44080
    published: 2011-10-04
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/44080
    title: OpenSSH X11UseLocalhost X11 Forwarding Port Hijacking
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(44080);
      script_version("1.6");
      script_cvs_date("Date: 2018/11/15 20:50:23");
    
      script_cve_id("CVE-2008-3259");
      script_bugtraq_id(30339);
    
      script_name(english:"OpenSSH X11UseLocalhost X11 Forwarding Port Hijacking");
      script_summary(english:"Checks OpenSSH server version");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote SSH service may be affected by an X11 forwarding port
    hijacking vulnerability.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of SSH installed on the remote
    host is older than 5.1 and may allow a local user to hijack the X11
    forwarding port.  The application improperly sets the 'SO_REUSEADDR'
    socket option when the 'X11UseLocalhost' configuration option is
    disabled.
    
    Note that most operating systems, when attempting to bind to a port
    that has previously been bound with the 'SO_REUSEADDR' option, will
    check that either the effective user-id matches the previous bind
    (common BSD-derived systems) or that the bind addresses do not overlap
    (Linux and Solaris).  This is not the case with other operating
    systems such as HP-UX.");
      script_set_attribute(attribute:"see_also", value:"https://www.openssh.com/txt/release-5.1");
      script_set_attribute(attribute:"solution", value:"Upgrade to OpenSSH version 5.1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(200);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/07/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/07/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/10/04");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_detect.nasl");
      script_require_ports("Services/ssh", 22);
    
      exit(0);
    }
    
    include("backport.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    port = get_service(svc:"ssh", exit_on_fail:TRUE);
    
    banner = get_kb_item_or_exit("SSH/banner/"+port);
    bp_banner = tolower(get_backport_banner(banner:banner));
    if ("openssh" >!< bp_banner) exit(0, "The SSH service on port "+port+" is not OpenSSH.");
    if (backported) exit(1, "The banner from the OpenSSH server on port "+port+" indicates patches may have been backported.");
    
    # Check the version in the backported banner.
    match = eregmatch(string:bp_banner, pattern:"openssh[-_]([0-9][-._0-9a-z]+)");
    if (isnull(match)) exit(1, "Could not parse the version string in the banner from port "+port+".");
    version = match[1];
    
    match = eregmatch(string:version, pattern:'^([0-9.]+)');
    if (isnull(match)) # this should never happen due to the previous eregmatch() call, but let's code defensively anyway
      exit(1, 'Failed to parse the version (' + version + ') of the service listening on port '+port+'.');
    
    ver = match[1];
    fix = '5.1';
    
    if (ver_compare(ver:ver, fix:fix, strict:FALSE) == -1)
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Version source    : ' + banner +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : ' + fix + '\n';
        security_note(port:port, extra:report);
      }
      else security_note(port);
      exit(0);
    }
    else exit(0, "The OpenSSH server on port "+port+" is not affected as it's version "+version+".");
    
  • NASL family: AIX Local Security Checks
    NASL id: AIX_OPENSSH_ADVISORY.NASL
    description: The version of OpenSSH running on the remote host is affected by the following vulnerabilities : - X11 man-in-the-middle attack: When attempting to bind(2) to a port that has previously been bound with SO_REUSEADDR set, most operating systems check that either the effective user-id matches the previous bind (common on BSD-derived systems) or that the bind addresses do not overlap. When the sshd_config(5) option X11UseLocalhost has been set to
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 73557
    published: 2014-04-16
    reporter: This script is Copyright (C) 2014-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/73557
    title: AIX OpenSSH Advisory: openssh_advisory.asc
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text in the description was extracted from AIX Security
    # Advisory openssh_advisory.asc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(73557);
      script_version("1.9");
      script_cvs_date("Date: 2019/09/16 14:13:03");
    
      script_cve_id("CVE-2008-3259", "CVE-2008-5161");
      script_bugtraq_id(30339, 32319);
      script_xref(name:"CERT", value:"958563");
    
      script_name(english:"AIX OpenSSH Advisory: openssh_advisory.asc");
      script_summary(english:"Checks the version of the openssh client and server packages");
    
      script_set_attribute(attribute:"synopsis", value:"The remote AIX host is running a vulnerable version of OpenSSH.");
      script_set_attribute(attribute:"description", value:
    "The version of OpenSSH running on the remote host is affected by the
    following vulnerabilities :
    
      - X11 man-in-the-middle attack:
        When attempting to bind(2) to a port that has previously
        been bound with SO_REUSEADDR set, most operating systems
        check that either the effective user-id matches the
        previous bind (common on BSD-derived systems) or that
        the bind addresses do not overlap. When the
        sshd_config(5) option X11UseLocalhost has been set to
        'no' - an attacker may establish a more-specific bind,
        which will be used in preference to sshd's wildcard
        listener. (CVE-2008-3259)
    
      - Plaintext Recovery Attack Against SSH:
        If exploited, this attack can potentially allow an
        attacker to recover up to 32 bits of plaintext from an
        arbitrary block of ciphertext from a connection secured
        using the SSH protocol in the standard configuration.
        If OpenSSH is used in the standard configuration, then
        the attacker's success probability for recovering 32
        bits of plaintext is 2^{-18}. A variant of the attack
        against OpenSSH in the standard configuration can
        verifiably recover 14 bits of plaintext with probability
        2^{-14}. The success probability of the attack for other
        implementations of SSH is not known. (CVE-2008-5161)");
      script_set_attribute(attribute:"see_also", value:"http://aix.software.ibm.com/aix/efixes/security/openssh_advisory.asc");
      script_set_attribute(attribute:"see_also", value:"http://www.openssh.org/txt/cbc.adv");
      script_set_attribute(attribute:"see_also", value:"http://www.openssh.com/txt/release-5.1");
      script_set_attribute(attribute:"see_also", value:"https://sourceforge.net/projects/openssh-aix/files/");
      script_set_attribute(attribute:"solution", value:
    "A fix is available for AIX versions 5.3 and 6.1, and it can be
    downloaded from the OpenSSH sourceforge website for the AIX release.
    There is no fix for AIX version 5.2.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(200);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:ibm:aix");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/07/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2010/06/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/04/16");
    
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2019 Tenable Network Security, Inc.");
      script_family(english:"AIX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/AIX/lslpp", "Host/local_checks_enabled", "Host/AIX/version");
    
      exit(0);
    }
    
    
    include("aix.inc");
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    oslevel = get_kb_item_or_exit("Host/AIX/version");
    if ( oslevel != "AIX-5.2" && oslevel != "AIX-5.3" && oslevel != "AIX-6.1" )
    {
      oslevel = ereg_replace(string:oslevel, pattern:"-", replace:" ");
      audit(AUDIT_OS_NOT, "AIX 5.2 / 5.3 / 6.1", oslevel);
    }
    if ( ! get_kb_item("Host/AIX/lslpp") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    flag = 0;
    
    if (aix_check_package(release:"5.2", package:"openssh.base.client", minpackagever:"0.0.0.0", maxpackagever:"6.0.0.0", fixpackagever:"Special") > 0) flag++;
    if (aix_check_package(release:"5.2", package:"openssh.base.server", minpackagever:"0.0.0.0", maxpackagever:"6.0.0.0", fixpackagever:"Special") > 0) flag++;
    if (aix_check_package(release:"5.3", package:"openssh.base.client", minpackagever:"0.0.0.0", maxpackagever:"5.2.0.5299", fixpackagever:"5.2.0.5300") > 0) flag++;
    if (aix_check_package(release:"5.3", package:"openssh.base.server", minpackagever:"0.0.0.0", maxpackagever:"5.2.0.5299", fixpackagever:"5.2.0.5300") > 0) flag++;
    if (aix_check_package(release:"6.1", package:"openssh.base.client", minpackagever:"0.0.0.0", maxpackagever:"5.2.0.5299", fixpackagever:"5.2.0.5300") > 0) flag++;
    if (aix_check_package(release:"6.1", package:"openssh.base.server", minpackagever:"0.0.0.0", maxpackagever:"5.2.0.5299", fixpackagever:"5.2.0.5300") > 0) flag++;
    
    if (flag)
    {
      # Disassemble and reassemble aix_report_get(), the 5.2 version has no fix and requires special reporting
      curr_report = aix_report_get();
      lines = split(curr_report, sep:'\n', keep:0);
      new_report = "";
      foreach currline (lines)
      {
        new_line = ereg_replace(string:currline, pattern:"Should be : openssh\.base\.(client|server)\.Special", replace:"OpenSSH on AIX version 5.2 has no fix for this issue.");
        new_report += new_line + '\n';
      }
      security_report_v4(
        port       : 0,
        severity   : SECURITY_NOTE,
        extra      : new_report
      );
    }
    else
    {
      tested = aix_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh.base.client / openssh.base.server");
    }
    
  • NASL family: Misc.
    NASL id: SUNSSH_PLAINTEXT_RECOVERY.NASL
    description: The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 55992
    published: 2011-08-29
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/55992
    title: SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(55992);
      script_version("1.17");
      script_cvs_date("Date: 2018/07/31 17:27:54");
    
      script_cve_id(
        "CVE-2000-0525",
        "CVE-2000-1169",
        "CVE-2001-0361",
        "CVE-2001-0529",
        "CVE-2001-0572",
        "CVE-2001-0816",
        "CVE-2001-0872",
        "CVE-2001-1380",
        "CVE-2001-1382",
        "CVE-2001-1459",
        "CVE-2001-1507",
        "CVE-2001-1585",
        "CVE-2002-0083",
        "CVE-2002-0575",
        "CVE-2002-0639",
        "CVE-2002-0640",
        "CVE-2002-0765",
        "CVE-2003-0190",
        "CVE-2003-0386",
        "CVE-2003-0682",
        "CVE-2003-0693",
        "CVE-2003-0695",
        "CVE-2003-0786",
        "CVE-2003-0787",
        "CVE-2003-1562",
        "CVE-2004-0175",
        "CVE-2004-1653",
        "CVE-2004-2069",
        "CVE-2004-2760",
        "CVE-2005-2666",
        "CVE-2005-2797",
        "CVE-2005-2798",
        "CVE-2006-0225",
        "CVE-2006-4924",
        "CVE-2006-4925",
        "CVE-2006-5051",
        "CVE-2006-5052",
        "CVE-2006-5229",
        "CVE-2006-5794",
        "CVE-2007-2243",
        "CVE-2007-2768",
        "CVE-2007-3102",
        "CVE-2007-4752",
        "CVE-2008-1483",
        "CVE-2008-1657",
        "CVE-2008-3259",
        "CVE-2008-4109",
        "CVE-2008-5161"
      );
      script_bugtraq_id(32319);
      script_xref(name:"CERT", value:"958563");
    
      script_name(english:"SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure");
      script_summary(english:"Checks SSH banner");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The SSH service running on the remote host has an information
    disclosure vulnerability."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The version of SunSSH running on the remote host has an information
    disclosure vulnerability.  A design flaw in the SSH specification
    could allow a man-in-the-middle attacker to recover up to 32 bits of
    plaintext from an SSH-protected connection in the standard
    configuration.  An attacker could exploit this to gain access to
    sensitive information.
    
    Note that this version of SunSSH is also prone to several additional
    issues but Nessus did not test for them." );
    
      # http://web.archive.org/web/20090523091544/http://www.cpni.gov.uk/docs/vulnerability_advisory_ssh.txt
      script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?4984aeb9");
      # http://hub.opensolaris.org/bin/view/Community+Group+security/SSH#HHistoryofSunSSH
      script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?b679208a");
      script_set_attribute(attribute:"see_also",value:"http://blogs.oracle.com/janp/entry/on_sunssh_versioning");
      script_set_attribute(
        attribute:"solution",
        value:"Upgrade to SunSSH 1.1.1 / 1.3 or later"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(16, 20, 22, 189, 200, 255, 264, 287, 310, 362, 399);
      script_set_attribute(attribute:"vuln_publication_date",value:"2008/11/17");
      script_set_attribute(attribute:"patch_publication_date",value:"2008/12/11");
      script_set_attribute(attribute:"plugin_publication_date",value:"2011/08/29");
      script_set_attribute(attribute:"plugin_type",value:"remote");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_detect.nasl");
      script_require_ports("Services/ssh");
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Ensure the port is open.
    port = get_service(svc:"ssh", default:22, exit_on_fail:TRUE);
    
    # Get banner for service.
    banner = get_kb_item_or_exit("SSH/banner/" + port);
    
    # Check that we're using SunSSH.
    if ('sun_ssh' >!< tolower(banner))
      exit(0, "The SSH service on port " + port + " is not SunSSH.");
    
    # Check the version in the banner.
    match = eregmatch(string:banner, pattern:"sun_ssh[-_]([0-9.]+)$", icase:TRUE);
    if (isnull(match))
      exit(1, "Could not parse the version string from the banner on port " + port + ".");
    else
      version = match[1];
    
    # the Oracle (Sun) blog above explains how the versioning works. we could
    # probably explicitly check for each vulnerable version if it came down to it
    if (
      ver_compare(ver:version, fix:'1.1.1', strict:FALSE) == -1 ||
      version == '1.2'
    )
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Version source    : ' + banner +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : 1.1.1 / 1.3\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
    }
    else exit(0, "The SunSSH server on port "+port+" is not affected as it's version "+version+".");
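
The CVE summary above names two conditions (OpenSSH older than 5.1, and X11UseLocalhost set to "no"), while the OPENSSH_51.NASL plugin tests only the first from the SSH banner. The following Python is an added example, not part of this page and not Tenable's plugin code: it mirrors the plugin's banner parsing and 5.1 version comparison, then adds the sshd_config condition so that a host can be triaged as fixed, mitigated by configuration, or exposed. The banners and sshd_config text in it are constructed sample input. As with the plugin (which exits when a banner looks backported), a banner-only check cannot tell whether a distribution patched an older version in place, so the config and version verdicts should be confirmed against the vendor's own statement, such as the Red Hat one below.

```python
"""Defensive exposure check for CVE-2008-3259: an OpenSSH server older than 5.1
whose sshd_config sets X11UseLocalhost to "no".

Added example, not part of this page and not Tenable's plugin code. It mirrors
the plugin's banner-based version test in Python and adds the configuration
condition the CVE summary names. The banners and sshd_config text below are
constructed sample input."""
import re
from typing import Optional, Tuple

FIXED_VERSION = (5, 1)  # OpenSSH 5.1 stopped setting SO_REUSEADDR on the X11 listener

# Same version-token shape as the plugin's eregmatch() pattern.
BANNER_RE = re.compile(r"openssh[-_]([0-9][-._0-9a-z]*)", re.IGNORECASE)


def parse_openssh_version(banner: str) -> Optional[str]:
    """Return the version token from an SSH banner, or None if it is not OpenSSH.
    'SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1' -> '4.7p1'"""
    m = BANNER_RE.search(banner)
    return m.group(1) if m else None


def numeric_prefix(version: str) -> Tuple[int, ...]:
    """Keep only the leading dotted numbers: '4.7p1' -> (4, 7), '6.6.1p1' -> (6, 6, 1)."""
    m = re.match(r"[0-9.]+", version)
    if not m:
        raise ValueError(f"cannot parse version {version!r}")
    return tuple(int(p) for p in m.group(0).strip(".").split(".") if p)


def banner_is_affected(banner: str) -> Optional[bool]:
    """None if the banner is not OpenSSH; True below 5.1; False at 5.1 or later."""
    token = parse_openssh_version(banner)
    if token is None:
        return None
    return numeric_prefix(token) < FIXED_VERSION


def x11uselocalhost_disabled(sshd_config: str) -> bool:
    """True only if sshd_config explicitly sets X11UseLocalhost to no.

    sshd_config(5) keywords are case-insensitive, '=' may separate keyword and
    argument, and the first occurrence of a keyword wins; the default is yes."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "x11uselocalhost":
            return parts[1].strip().lower() == "no"
    return False


def assess(banner: str, sshd_config: str) -> str:
    """Combine the version and configuration conditions into one verdict."""
    affected = banner_is_affected(banner)
    if affected is None:
        return "not-openssh"
    if not affected:
        return "fixed"
    if x11uselocalhost_disabled(sshd_config):
        # Wildcard X11 listener bound with SO_REUSEADDR; whether another local
        # user can pre-empt it depends on the platform (HP-UX per the summary).
        return "vulnerable"
    return "mitigated-by-config"  # listener stays on loopback; still upgrade


# Constructed sample input (not captured from a real host).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1",
    "SSH-2.0-OpenSSH_5.1p1",
    "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2",
    "SSH-2.0-dropbear_2019.78",
]
SAMPLE_WEAK_CONFIG = "X11Forwarding yes\nX11UseLocalhost no   # exposes the listener\n"
SAMPLE_DEFAULT_CONFIG = "X11Forwarding yes\n# X11UseLocalhost left at its default (yes)\n"

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b!r:45} weak-config={assess(b, SAMPLE_WEAK_CONFIG):22} "
              f"default-config={assess(b, SAMPLE_DEFAULT_CONFIG)}")
```

The config parser returns False when the directive is absent because sshd's default for X11UseLocalhost is "yes"; a host only becomes "vulnerable" in this model when the administrator has explicitly widened the X11 listener to all addresses on an unfixed version.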
    

Statements

contributor: Tomas Hoger
last modified: 2008-07-23
organization: Red Hat
statement: Not vulnerable. This issue did not affect the versions of openssh as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.