795 : Multiple Vendor SSH CRC-32 detect_attack() Function Overflow
Printer | http://osvdb.org/795 | Email This | Edit Vulnerability

Views This Week	Views All Time	Added to OSVDB	Last Modified	Modified (since 2008)	Percent Complete
9	1626	over 9 years ago	about 1 year ago	6 times	90%

Timeline

Disclosure Date	Exploit Publish Date
2001-02-08	2001-02-21

Keywords

Description

A remote overflow exists in SSH and OpenSSH and derived products. The implementation of SSH protocol version 1.5 fails to correctly calculate the range within deattack.c's detect_attack function, resulting in an integer overflow. With a specially crafted request, an attacker can cause execution of arbitrary code as UID 0, resulting in a loss of confidentiality, integrity, and/or availability.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: OSVDB Verified

Solution

Upgrade to the appropriate version from your vendor; you must contact your vendor for the fixed version. It is usually also possible to correct the flaw by disabling support for version 1 of the SSH protocol in your configuration. Again, exact details will vary from vendor to vendor.

Products

Cisco Systems, Inc.	CatOS	6.2
	IOS	12.0
		12.1
		12.2
	PIX	5.2
	PIX	5.3
	WebNS	4.01
		4.10
		5.0
		5.01

F-Secure Corporation	F-Secure SSH	1.3.10
		1.3.5
		1.3.6
		1.3.7
		1.3.8
		1.3.9

OSSH

1.5.7

OpenSSH	OpenSSH	1.x
		2.0.x
		2.1.x
		2.2.x

SSH Communications Security	SSH Secure Shell	1.2.24
		1.2.25
		1.2.26
		1.2.27
		1.2.28
		1.2.29
		1.2.30
		1.2.31

References

CVE ID: 2001-0144 (see also: NVD)
Bugtraq ID: 2347
Milw0rm: 349
Exploit Database: 349
ISS X-Force ID: 6083
CERT VU: 945216
Vendor Specific Advisory URL: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-003.txt.asc http://archives.neohapsis.com/archives/freebsd/2001-02/0207.html
http://archives.neohapsis.com/archives/netbsd/2001-q1/0094.html
http://www.cisco.com/warp/public/707/cisco-sa-20010627-ssh.shtml
http://www.debian.org/security/2001/dsa-027
http://www.debian.org/security/2001/dsa-086
http://www.juniper.net/support/security/alerts/11_06_02.html
Generic Exploit URL: http://archives.neohapsis.com/archives/bugtraq/2001-02/0362.html
http://www.exploit-db.com/sploits/x2.tgz
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-11/0186.html
Other Advisory URL: http://www.bindview.com/Support/RAZOR/Advisories/2001/adv_ssh1crc.cfm
http://www1.corest.com/common/showdoc.php?idxseccion=10&idx=81
CIAC Advisory: l-047 m-017

Tools & Filters

	10607 10972
Snort	1324 1326 1327
	1980

Credit

Michal Zalewski - lcamtufdione.ids.pl - Personal page

CVSSv2 Score

CVSSv2 Base Score = 10.0
Source: nvd.nist.gov | Generated: 2003-12-31 | Disagree?

Blogs

This product uses the Daylife API but is not endorsed or certified by Daylife.

This section lists the latest news and blogs found via the daylife API (and for older items, the technorati API), which mention or otherwise discuss this vulnerability.

None found at this time

Comments

Add Comment Hide Add Comment

No Comments.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Timeline

Keywords

Description

Classification

Solution

Products

Cisco Systems, Inc.

CatOS

IOS

PIX

WebNS

F-Secure Corporation

F-Secure SSH

OSSH

OSSH

OpenSSH

OpenSSH

SSH Communications Security

SSH Secure Shell

References

Tools & Filters

Credit

CVSSv2 Score

Blogs

Comments