Published: 2001-08-14 00:00:00
Revised: 2008-09-05 16:24:23

[Original text] SSH Secure Shell 3.0.0 on Unix systems does not properly perform password authentication to the sshd2 daemon, which allows local users to gain access to accounts with short password fields, such as locked accounts that use "NP" in the password field.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(UNKNOWN)  XF  ssh-password-length-unauth-access(6868)
(UNKNOWN)  BID  3078

- Vulnerability information

Severity: High    Type: Input validation
2001-08-14 00:00:00 2006-08-23 00:00:00
SSH Secure Shell 3.0.0 on Unix systems does not properly perform password authentication to the sshd2 daemon; local users can gain access to accounts with short password fields, such as locked accounts that use "NP" in the password field.

- Advisories and patches

        A vendor-supplied update that rectifies this issue is available:
        SSH Communications Security SSH2 3.0

- Vulnerability information (21021)

SSH2 3.0 Short Password Login Vulnerability (EDBID:21021)
Platform: unix    Type: remote
Date: 2001-07-21    Verified
Port: 0    Author: hypoclear

An input validation error exists in version 3.0.0 of the SSH daemon (sshd) running on Unix platforms.

It may be possible for remote users to log in to accounts for which there are two or fewer characters in the password field of the system password file. Due to the nature of the problem, it may be possible to log in to a vulnerable system using such an account with any password. This may lead to further system compromise.

#!/usr/bin/perl
# A local SSH 3.0.0 vulnerability scanner for the
# SSH Short Password Login Vulnerability, BugtraqID: 3078
# Note: You must have superuser access on the system to scan it.
# usage: ./ <host>
#        Optional: -e turn off error
#                  -h specify a different /etc/shadow file
# (Options must come before host name)
# Written by hypoclear -
# This and all of my programs fall under my disclaimer, which
# can be found at:

use IO::Socket; use Getopt::Std;

# Parse the -e flag and the optional -h <file> argument before the host name.
getopts('eh:');

die "\nusage: $0 <host>\n\tOptional: -e turn off error\n\t\t  -h specify a different /etc/shadow file\n\n" unless @ARGV > 0;
if (!defined $opt_h)
 { $opt_h = "/etc/shadow"; }

# Grab the SSH version banner from port 22 to confirm the daemon is 3.0.0.
$out = &bannerGrab($ARGV[0],22);
sysread $out, $message,100;
close $out;

if (($message =~ /3.0.0/) || (defined $opt_e))
 { print "Running SSH 3.0.0, checking for vulnerabilities...\n\n";
   open(SHADOW, "<$opt_h") || die "Cannot open $opt_h!\nNote: You must have superuser access to run this script.\n\n";
   # Collect the user name, password field and line number of every shadow entry.
   while (<SHADOW>)
     { $name = $_;
       $name =~ s/:.*$//;          # user name: everything before the first colon
       $_ =~ s/^.*?\://;           # drop the user name ...
       $_ =~ s/:.*$//;             # ... leaving only the password field
       $name =~ s/\s//g; $_=~s/\s//g;
       push(@name,$name); push(@hash,$_);
       push(@lnnum, ++$cnt);       # 1-based line number in the shadow file
     }
   close SHADOW;

   # An account whose password field has two or fewer characters is affected.
   foreach $hash (@hash)
     { @chars = split(//,$hash);
       foreach $char (@chars)
         { $count++; }
       if ($count <= 2)
        { print "$name[$line]\t(line $lnnum[$line]) may be vulnerable!\n";
          $vulnFlag = 1; }
       $count=0; $line++;
     }
   if ($vulnFlag != 1)
    { print "No accounts appear to be vulnerable.\n"; }
 }
else
 { if (!defined $opt_e)
    { print "You are not running SSH 3.0.0.\n";
      die "If you feel that this is an error run with the -e option.\n"; }
 }
print "\n";

# Open a TCP connection to host $_[0], port $_[1] and return the socket handle.
sub bannerGrab
{ $host  = gethostbyname($_[0]) || warn "cannot connect to $ARGV[0]\n";
  $port  = getservbyport($_[1], 'tcp');
  $haddr = sockaddr_in($_[1], $host);
  socket(OUT, PF_INET, SOCK_STREAM, getprotobyname('tcp')) || warn "$!\n";
  connect(OUT, $haddr) || warn "connect to $ARGV[0]: $!\n";
  return \*OUT;
}


- Vulnerability information

SSH Locked Account Remote Authentication Bypass
Location: Local Access Required, Remote / Network Access
Attack type: Authentication Management, Input Manipulation, Misconfiguration
Impact: Loss of Confidentiality
Status: Exploit Public, Vendor Verified

- Vulnerability description

SSH Communications Security's SSH software contains a flaw that may allow a malicious user to log in to any account with a short password without needing to authenticate. The issue is triggered when the account has a password that is two characters or shorter. It is possible that the flaw may allow improper logins, resulting in a loss of confidentiality.

- Timeline

2001-07-21 Unknown
2001-07-20 Unknown

- Solution

Upgrade to version 3.0.1 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): Apply the vendor-supplied patch. Disable password authentication and use another supported form of authentication (public key, SecurID, Kerberos, certificates, Smart Cards, host-based). Limit access to the sshd2 daemon to users with entries in /etc/passwd and /etc/shadow whose password fields exceed two characters, by using the AllowUsers, AllowGroups, DenyUsers, and DenyGroups keywords in the /etc/ssh2/sshd2_config file. Assign a valid password of more than two characters for each account. Assigning a password to some system accounts can cause problems on some operating systems, so this workaround is not recommended by the vendor.

SSH Secure Shell 3.0.0 on any Unix or Linux system that uses crypt() for password encryption is vulnerable. This includes most Unix and Linux systems. SSH Secure Shell 2.3 and SSH Secure Shell 2.4 on HP-UX 10.20 and HP-UX 11.00 systems running in TCB mode are also vulnerable. Any operating system that does not use the crypt() hash function for password encryption is not vulnerable.
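The audit the scanner above performs, combined with the AllowUsers/DenyUsers workaround from the solution, as an added example that is not part of the original advisory or the vendor's software. It runs against a constructed sample shadow file and assumes that sshd2_config's DenyUsers keyword accepts a comma-separated list of user names.

```python
from typing import List, Tuple

# Constructed sample /etc/shadow content for demonstration only (not from a real host).
SAMPLE_SHADOW = """\
root:$1$abcdefgh$0123456789abcdefghijkl:11500:0:99999:7:::
daemon:NP:11500:0:99999:7:::
bin:*:11500:0:99999:7:::
sys:!!:11500:0:99999:7:::
nobody::11500:0:99999:7:::
alice:$1$saltsalt$abcdefghijklmnopqrstuv:11500:0:99999:7:::
"""

# The advisory's threshold: a password field of two or fewer characters.
MAX_SHORT_FIELD = 2


def short_password_accounts(shadow_text: str, max_len: int = MAX_SHORT_FIELD) -> List[Tuple[int, str, str]]:
    """Return (line_number, user, password_field) for each shadow entry whose
    password field is max_len characters or shorter. On a crypt()-based system
    running SSH Secure Shell 3.0.0 these are the accounts the advisory says can
    be entered with any password; "NP", "*", "!!" and empty fields all qualify."""
    hits = []
    for line_no, raw in enumerate(shadow_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed entry: no password field to judge
        user, pw_field = fields[0], fields[1]
        if len(pw_field) <= max_len:
            hits.append((line_no, user, pw_field))
    return hits


def deny_users_line(hits: List[Tuple[int, str, str]]) -> str:
    """Build the sshd2_config DenyUsers line for the flagged accounts, i.e. the
    AllowUsers/DenyUsers workaround from the advisory. Assumes (not verified
    against sshd2 documentation) a comma-separated pattern list; returns ""
    when nothing was flagged."""
    names = sorted({user for _, user, _ in hits})
    return "DenyUsers " + ",".join(names) if names else ""


if __name__ == "__main__":
    flagged = short_password_accounts(SAMPLE_SHADOW)
    for line_no, user, pw_field in flagged:
        print(f"{user}\t(line {line_no}) password field {pw_field!r} may be vulnerable")
    print(deny_users_line(flagged) or "No accounts appear to be vulnerable.")
```

Run it as root with the real /etc/shadow contents in place of SAMPLE_SHADOW to produce a DenyUsers line you can review before adding it to /etc/ssh2/sshd2_config.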

- References

- Vulnerability author