ID CVE-2002-0083
Summary Off-by-one error in the channel code of OpenSSH 2.0 through 3.0.2 allows local users or remote malicious servers to gain privileges.
Vulnerable Configurations
  • cpe:2.3:a:immunix:immunix:7.0
  • MandrakeSoft Mandrake Single Network Firewall 7.2
    cpe:2.3:a:mandrakesoft:mandrake_single_network_firewall:7.2
  • OpenBSD OpenSSH 2.1
    cpe:2.3:a:openbsd:openssh:2.1
  • OpenBSD OpenSSH 2.1.1
    cpe:2.3:a:openbsd:openssh:2.1.1
  • OpenBSD OpenSSH 2.2
    cpe:2.3:a:openbsd:openssh:2.2
  • OpenBSD OpenSSH 2.3
    cpe:2.3:a:openbsd:openssh:2.3
  • OpenBSD OpenSSH 2.5
    cpe:2.3:a:openbsd:openssh:2.5
  • OpenBSD OpenSSH 2.5.1
    cpe:2.3:a:openbsd:openssh:2.5.1
  • OpenBSD OpenSSH 2.5.2
    cpe:2.3:a:openbsd:openssh:2.5.2
  • OpenBSD OpenSSH 2.9
    cpe:2.3:a:openbsd:openssh:2.9
  • OpenBSD OpenSSH 2.9.9
    cpe:2.3:a:openbsd:openssh:2.9.9
  • OpenBSD OpenSSH 2.9 p1
    cpe:2.3:a:openbsd:openssh:2.9p1
  • OpenBSD OpenSSH 2.9 p2
    cpe:2.3:a:openbsd:openssh:2.9p2
  • OpenBSD OpenSSH 3.0.1
    cpe:2.3:a:openbsd:openssh:3.0.1
  • OpenPKG 1.0
    cpe:2.3:a:openpkg:openpkg:1.0
  • Conectiva Conectiva Linux 5.0
    cpe:2.3:o:conectiva:linux:5.0
  • Conectiva Conectiva Linux 5.1
    cpe:2.3:o:conectiva:linux:5.1
  • Conectiva Conectiva Linux 6.0
    cpe:2.3:o:conectiva:linux:6.0
  • Conectiva Conectiva Linux 7.0
    cpe:2.3:o:conectiva:linux:7.0
  • Conectiva Conectiva Linux ecommerce
    cpe:2.3:o:conectiva:linux:ecommerce
  • Conectiva Conectiva Linux graficas
    cpe:2.3:o:conectiva:linux:graficas
  • Engarde Secure Linux 1.0.1
    cpe:2.3:o:engardelinux:secure_linux:1.0.1
  • MandrakeSoft Mandrake Linux 7.1
    cpe:2.3:o:mandrakesoft:mandrake_linux:7.1
  • MandrakeSoft Mandrake Linux 7.2
    cpe:2.3:o:mandrakesoft:mandrake_linux:7.2
  • MandrakeSoft Mandrake Linux 8.0
    cpe:2.3:o:mandrakesoft:mandrake_linux:8.0
  • cpe:2.3:o:mandrakesoft:mandrake_linux:8.0:-:ppc
  • MandrakeSoft Mandrake Linux 8.1
    cpe:2.3:o:mandrakesoft:mandrake_linux:8.1
  • MandrakeSoft Mandrake Linux Corporate Server 1.0.1
    cpe:2.3:o:mandrakesoft:mandrake_linux_corporate_server:1.0.1
  • Red Hat Linux 7.0
    cpe:2.3:o:redhat:linux:7.0
  • Red Hat Linux 7.1
    cpe:2.3:o:redhat:linux:7.1
  • Red Hat Linux 7.2
    cpe:2.3:o:redhat:linux:7.2
  • cpe:2.3:o:suse:suse_linux:6.4:-:i386
  • cpe:2.3:o:suse:suse_linux:6.4:-:ppc
  • SuSE SuSE Linux 6.4 alpha
    cpe:2.3:o:suse:suse_linux:6.4:alpha
  • cpe:2.3:o:suse:suse_linux:7.0:-:i386
  • cpe:2.3:o:suse:suse_linux:7.0:-:ppc
  • cpe:2.3:o:suse:suse_linux:7.0:-:sparc
  • SuSE SuSE Linux 7.0 alpha
    cpe:2.3:o:suse:suse_linux:7.0:alpha
  • cpe:2.3:o:suse:suse_linux:7.1:-:spa
  • cpe:2.3:o:suse:suse_linux:7.1:-:sparc
  • cpe:2.3:o:suse:suse_linux:7.1:-:x86
  • SuSE SuSE Linux 7.1 alpha
    cpe:2.3:o:suse:suse_linux:7.1:alpha
  • cpe:2.3:o:suse:suse_linux:7.2:-:i386
  • cpe:2.3:o:suse:suse_linux:7.3:-:i386
  • cpe:2.3:o:suse:suse_linux:7.3:-:ppc
  • cpe:2.3:o:suse:suse_linux:7.3:-:sparc
  • Trustix Secure Linux 1.1
    cpe:2.3:o:trustix:secure_linux:1.1
  • Trustix Secure Linux 1.2
    cpe:2.3:o:trustix:secure_linux:1.2
  • Trustix Secure Linux 1.5
    cpe:2.3:o:trustix:secure_linux:1.5
CVSS
Base: 10.0 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
  • Vector NETWORK
  • Complexity LOW
  • Authentication NONE
Impact
  • Confidentiality COMPLETE
  • Integrity COMPLETE
  • Availability COMPLETE
exploit-db via4
description OpenSSH 2.x/3.0.1/3.0.2 Channel Code Off-By-One Vulnerability. CVE-2002-0083. Remote exploit for unix platform
id EDB-ID:21314
last seen 2016-02-02
modified 2002-03-07
published 2002-03-07
reporter Morgan
source https://www.exploit-db.com/download/21314/
title OpenSSH 2.x/3.0.1/3.0.2 Channel Code Off-By-One Vulnerability
nessus via4
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2002-019.NASL
    description Joost Pol found a bug in the channel code of all versions of OpenSSH from 2.0 to 3.0.2. This bug can be exploited by authenticated users with an existing account on the vulnerable system to obtain root privilege, or by a malicious server attacking a vulnerable client. OpenSSH 3.1 is not vulnerable to this problem. The provided packages fix this vulnerability.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 13927
    published 2004-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13927
    title Mandrake Linux Security Advisory : openssh (MDKSA-2002:019)
  • NASL family Misc.
    NASL id SUNSSH_PLAINTEXT_RECOVERY.NASL
    description The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.
    last seen 2019-02-21
    modified 2018-07-31
    plugin id 55992
    published 2011-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55992
    title SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure
  • NASL family Gain a shell remotely
    NASL id OPENSSH_CHANNEL.NASL
    description You are running a version of OpenSSH which is older than 3.1. Versions prior to 3.1 are vulnerable to an off-by-one error that allows local users to gain root access, and it may be possible for remote users to similarly compromise the daemon for remote access. In addition, a vulnerable SSH client may be compromised by connecting to a malicious SSH daemon that exploits this vulnerability in the client code, thus compromising the client system.
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 10883
    published 2002-03-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=10883
    title OpenSSH < 3.1 Channel Code Off by One Remote Privilege Escalation
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-119.NASL
    description Joost Pol reports that OpenSSH versions 2.0 through 3.0.2 have an off-by-one bug in the channel allocation code. This vulnerability can be exploited by authenticated users to gain root privilege or by a malicious server exploiting a client with this bug.
    last seen 2018-07-10
    modified 2018-07-09
    plugin id 14956
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14956
    title Debian DSA-119-1 : ssh -- local root exploit, remote client exploit
redhat via4
advisories
  • rhsa id RHSA-2002:043
refmap via4
bid 4241
bugtraq
  • 20020307 OpenSSH Security Advisory (adv.channelalloc)
  • 20020307 [PINE-CERT-20020301] OpenSSH off-by-one
  • 20020308 [OpenPKG-SA-2002.002] OpenPKG Security Advisory (openssh)
  • 20020310 OpenSSH 2.9.9p2 packages for Immunix 6.2 with latest fix
  • 20020311 TSLSA-2002-0039 - openssh
  • 20020328 OpenSSH channel_lookup() off by one exploit
caldera
  • CSSA-2002-012.0
  • CSSA-2002-SCO.10
  • CSSA-2002-SCO.11
conectiva CLA-2002:467
confirm http://www.openbsd.org/advisories/ssh_channelalloc.txt
debian DSA-119
engarde ESA-20020307-007
freebsd FreeBSD-SA-02:13
hp HPSBTL0203-029
mandrake MDKSA-2002:019
netbsd NetBSD-SA2002-004
osvdb 730
suse SuSE-SA:2002:009
vulnwatch 20020307 [VulnWatch] [PINE-CERT-20020301] OpenSSH off-by-one
xf openssh-channel-error(8383)
Last major update 17-10-2016 - 22:16
Published 15-03-2002 - 00:00