Search...

SSH Secure Shell without PTY Unspecified Privilege Escalation

2002-11-25T22:24:51

ID OSVDB:18240
Type osvdb
Reporter OSVDB
Modified 2002-11-25T22:24:51

Description

No description provided by the source

References:

Vendor Specific Advisory URL ISS X-Force ID: 10710 CVE-2002-1644 CERT VU: 740619 Bugtraq ID: 6247

JSON Vulners Source

Initial Source

{"type": "osvdb", "published": "2002-11-25T22:24:51", "href": "https://vulners.com/osvdb/OSVDB:18240", "hashmap": [{"key": "affectedSoftware", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "ab10abb49fbf581fc2d903d192e308f6"}, {"key": "cvss", "hash": "cfd16da9581e0c21db590e40dfd9e493"}, {"key": "description", "hash": "56a3a62edda3dc13ac6854346f2a392a"}, {"key": "href", "hash": "d7d77fb889beeec1a4d67298ef2033b7"}, {"key": "modified", "hash": "f9838f6dfb1e40d7dc521e77c9635ae9"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "f9838f6dfb1e40d7dc521e77c9635ae9"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "955b328dc7cd615c13af5464c9183464"}, {"key": "title", "hash": "942709e5e58cac81778990782f6df649"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}], "bulletinFamily": "software", "cvss": {"vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 7.2}, "viewCount": 0, "history": [], "edition": 1, "objectVersion": "1.2", "reporter": "OSVDB", "title": "SSH Secure Shell without PTY Unspecified Privilege Escalation", "affectedSoftware": [], "enchantments": {"score": {"vector": "NONE", "value": 7.5}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2002-1644"]}, {"type": "nessus", "idList": ["SSH_SETSID.NASL"]}], "modified": "2017-04-28T13:20:14"}, "vulnersScore": 7.5}, "references": [], "id": "OSVDB:18240", "hash": "2f6b1026a1aa43bebde59dc3398f65d4f0f91b812741374f8f24aaa82b0ea6ab", "lastseen": "2017-04-28T13:20:14", "cvelist": ["CVE-2002-1644"], "modified": "2002-11-25T22:24:51", "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](http://www.ssh.com/company/newsroom/article/286/)\nISS X-Force ID: 10710\n[CVE-2002-1644](https://vulners.com/cve/CVE-2002-1644)\nCERT VU: 740619\nBugtraq ID: 6247\n"}

{"cve": [{"lastseen": "2017-07-11T11:14:12", "bulletinFamily": "NVD", "description": "SSH Secure Shell for Servers and SSH Secure Shell for Workstations 2.0.13 through 3.2.1, when running without a PTY, does not call setsid to remove the child process from the process group of the parent process, which allows attackers to gain certain privileges.", "modified": "2017-07-10T21:29:18", "published": "2002-11-25T00:00:00", "id": "CVE-2002-1644", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1644", "title": "CVE-2002-1644", "type": "cve", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:07:45", "bulletinFamily": "scanner", "description": "According to its banner, the version of SSH Secure Shell running on the remote host is between 2.0.13 and 3.2.1. There is a bug in such versions that may allow a non-interactive shell session, such as used in scripts, to obtain higher privileges due to a flaw in the way setsid() is used.", "modified": "2018-07-30T00:00:00", "id": "SSH_SETSID.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=11169", "published": "2002-11-25T00:00:00", "title": "SSH Secure Shell without PTY setsid() Function Privilege Escalation", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n#\n# Note: This is about SSH.com's SSH, not OpenSSH !!\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11169);\n script_version(\"1.22\");\n script_cvs_date(\"Date: 2018/07/30 15:31:32\");\n\n script_cve_id(\"CVE-2002-1644\");\n script_bugtraq_id(6247);\n\n script_name(english:\"SSH Secure Shell without PTY setsid() Function Privilege Escalation\");\n script_summary(english:\"Checks for the remote SSH version\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SSH server is affected by a privilege escalation\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of SSH Secure Shell running on\nthe remote host is between 2.0.13 and 3.2.1. There is a bug in such\nversions that may allow a non-interactive shell session, such as used\nin scripts, to obtain higher privileges due to a flaw in the way\nsetsid() is used.\");\n # http://web.archive.org/web/20021207091314/http://www.ssh.com/company/newsroom/article/286/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a7fe1d74\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to SSH Secure Shell 3.1.5 / 3.2.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2002/11/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2002/11/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Misc.\");\n\n script_dependencie(\"ssh_detect.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Services/ssh\", 22);\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"backport.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nport = get_service(svc:\"ssh\", default:22, exit_on_fail:TRUE);\n\nbanner = get_kb_item_or_exit(\"SSH/banner/\"+port);\nbp_banner = tolower(get_backport_banner(banner:banner));\n\nif (\n !ereg(pattern:\"^ssh-[0-9]+\\.[0-9]+-[0-9]\", string:bp_banner) ||\n\n \"f-secure\" >< bp_banner ||\n \"tru64 unix\" >< bp_banner ||\n \"windows\" >< bp_banner\n) audit(AUDIT_NOT_LISTEN, \"SSH Secure Shell\", port);\n\ntype = get_kb_item(\"Host/OS/Type\");\nif (isnull(type) || type != \"general-purpose\") exit(0, \"The host's type is not general-purpose.\");\n\nitem = eregmatch(pattern:\"^ssh-[0-9]\\.[0-9]+-([0-9][^ ]+)\", string:banner);\nif (isnull(item)) exit(1, 'Failed to parse the banner from the SSH server listening on port ' + port + '.');\nversion = item[1];\n\nif (\n (\n ereg(pattern:\"^2\\..*$\", string:version) &&\n !ereg(pattern:\"^2\\.0\\.([0-9]|0[0-9]|1[0-2])([^0-9]|$)\", string:version)\n ) ||\n ereg(pattern:\"^3\\.(0\\..*|1\\.[0-4]|2\\.[0-1])([^0-9]|$)\", string:version)\n)\n{\n if (report_verbosity > 0)\n {\n report = '\\n Version source : ' + banner +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 3.1.5 / 3.2.2' +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"SSH\", port);\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}