Signature Detail

SCAN: Core Impact OpenSSH Channel Exploit

This signature detects attempts by CORE Impact to exploit a known vulnerability in OpenSSH versions between 2.0 and 3.0.2. There is an off-by-one error in the implementation of the channel feature, which could provide a remote attacker complete control of the server as root.

Extended Description

OpenSSH is a suite implementing the SSH protocol. It includes client and server software, and supports ssh and sftp. It was initially developed for BSD, but is also widely used for Linux, Solaris, and other UNIX-like operating systems. A vulnerability has been announced in some versions of OpenSSH. An off-by-one error occurs in the channel code. A malicious client may exploit this vulnerability by connecting to a vulnerable server. Valid credentials are believed to be required, since the exploitable condition reportedly occurs after successful authentication. An examination of the code suggests this, but it has not been confirmed by the maintainer. Administrators should assume that this can be exploited without authentication and should patch vulnerable versions immediately.

Affected Products

• OpenBSD 2.8.0
• OpenSSH 2.1.0
• OpenSSH 2.1.1
• OpenSSH 2.2.0
• OpenSSH 2.3.0
• OpenSSH 2.5.0
• OpenSSH 2.5.1
• OpenSSH 2.5.2
• OpenSSH 2.9.0
• OpenSSH 2.9.0 P1
• OpenSSH 2.9.0 P2
• OpenSSH 2.9.9
• OpenSSH 3.0.1
• OpenSSH 3.0.2
• OpenSSH 3.0.2 P1

References

• BugTraq: 4241
• CVE: CVE-2002-0083
• URL: http://www.openbsd.org/advisories/ssh_channelalloc.txt