Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2003-2018 Xue Yong ZhiSSH_KEYGEN.NASL
HistoryMar 10, 2003 - 12:00 a.m.

SSH ssh-keygen with Secure-RPC SUN-DES-1 Phrase Recovery

2003-03-1000:00:00
This script is Copyright (C) 2003-2018 Xue Yong Zhi
www.tenable.com
18
JSON

The remote host is running a version of SSH Communications Security SSH comprised between versions 1.2.27 and 1.2.30. With Secure-RPC, this version can allow local attackers to recover a SUN-DES-1 magic phrase generated by another user, which the attacker can use to decrypt that user’s private key file.

#
# This script was written by Xue Yong Zhi<[email protected]>
#
# See the Nessus Scripts License for details
#

# Changes by Tenable:
# - Revised plugin title, family change (8/10/09)
# - Updated to use compat.inc (11/20/2009)


include("compat.inc");

if(description)
{
 script_id(11340);
 script_version ("1.16");
 script_cve_id("CVE-2001-0259");
 script_bugtraq_id(2222);
 
 script_name(english:"SSH ssh-keygen with Secure-RPC SUN-DES-1 Phrase Recovery");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote SSH server might allow a local user to recover a SUN-DES-1
passphrase." );
 script_set_attribute(attribute:"description", value:
"The remote host is running a version of SSH Communications Security
SSH comprised between versions 1.2.27 and 1.2.30. 
 
With Secure-RPC, this version can allow local attackers to recover a
SUN-DES-1 magic phrase generated by another user, which the attacker
can use to decrypt that user's private key file." );
 script_set_attribute(attribute:"solution", value:
"Download and install the newest version of this software." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"plugin_publication_date", value: "2003/03/10");
 script_set_attribute(attribute:"vuln_publication_date", value: "2001/01/16");
 script_cvs_date("Date: 2018/08/22 16:49:14");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 
 script_summary(english:"Checks for the remote SSH version");
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2003-2018 Xue Yong Zhi");
 script_family(english:"Misc.");
 script_dependencie("ssh_detect.nasl");
 script_require_ports("Services/ssh", 22);
 exit(0);
}

#
# The script code starts here
#

include("backport.inc");
port = get_kb_item("Services/ssh");
if(!port)port = 22;

banner = get_kb_item("SSH/banner/" + port );
if ( ! banner ) exit(0);

banner = get_backport_banner(banner:banner);

#Looking for SSH product version number  < 1.2.30
if(ereg(string:banner, pattern:"SSH-[0-9]\.[0-9]+-1\.2\.([1-2][0-9]|30)[^0-9]*$", icase:TRUE))security_note(port);

Related

cert 1
cve 1
openvas 1
cert
cert
SSH1 may generate weak passphrase when using Secure RPC
2001-06-13 00:00:00
cve
cve
CVE-2001-0259
2001-06-02 04:00:00
openvas
openvas
SSH Secure-RPC Weak Encrypted Authentication
2005-11-03 00:00:00
JSON
Related for SSH_KEYGEN.NASL
cert1cve1openvas1