CVE-2001-0144
Published 2001-03-12
CORE SDI SSH1 CRC-32 compensation attack detector allows remote attackers to execute arbitrary commands on an SSH server or client via an integer overflow.
Priority: P3 · 44 · critical · CVSS 2.0 base score 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 32.42% (98.1th percentile)
Affected
118 ranges · showing 25 (the 25 shown entries are all cisco / catos with no version range or fixed version recorded)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | catos | — | — |
Detection & IOCs (extracted from sources)
- Exploit triggers on the 2nd SSH packet (count == 2); monitor for anomalously large SSH packets sent early in the SSH1 handshake that could indicate integer-overflow exploitation of the CRC-32 compensation attack detector.
- Post-exploitation, the shellcode opens a bind shell on TCP port 36864; scan for or alert on unexpected listening services on this port following SSH1 connections.
- The exploit is delivered via a patched SSH client binary (PATH_SSH = "./ssh"); look for non-standard SSH client binaries in local directories being used to connect to SSH servers.
- Exploitation targets SSH protocol version 1 (SSH1); blocking or alerting on SSHv1 negotiation at the network perimeter will prevent this attack vector.
- Cisco 11000 Content Service Switch family is vulnerable; only specific WebNS versions are safe: patch to 4.01 B42s, 4.10 22s, 5.0 B11s, or 5.01 B6s or later.
- NetScreen ScreenOS is not directly exploitable for RCE, but the exploit will crash devices running vulnerable SCS (SSHv1) versions, causing a DoS; SCS is disabled by default.
- Secure Computing SafeWord Agent for SSH is also vulnerable, as it is based on a vulnerable SSH version.
- Both SSH servers and clients are affected; the integer overflow can be triggered against either end of the connection.
GHSA · GHSA-mw6p-g59x-wqvw · CVE-2007-4654 · CRITICAL · CVSS 10.0 · GHSA unreviewed · 2022-05-01
Unspecified vulnerability in SSHield 1.6.1 with OpenSSH 3.0.2p1 on Cisco WebNS 8.20.0.1 on Cisco Content Services Switch (CSS) series 11000 devices allows remote attackers to cause a denial of service (connection slot exhaustion and device crash) via a series of large packets designed to exploit the SSH CRC32 attack detection overflow (CVE-2001-0144), possibly a related issue to CVE-2002-1024.
GHSA · GHSA-98x9-358f-pg9v · CVE-2002-1024 · CRITICAL · CVSS 10.0 · GHSA unreviewed · 2022-04-30
Cisco IOS 12.0 through 12.2, when supporting SSH, allows remote attackers to cause a denial of service (CPU consumption) via a large packet that was designed to exploit the SSH CRC32 attack detection overflow (CVE-2001-0144).
GHSA · GHSA-xrvw-f7p8-2hqm · CVE-2001-0144 · HIGH · GHSA unreviewed · 2022-04-30
CORE SDI SSH1 CRC-32 compensation attack detector allows remote attackers to execute arbitrary commands on an SSH server or client via an integer overflow.
GHSA · GHSA-8262-f9hh-4786 · CVE-2002-1547 · CRITICAL · CVSS 10.0 · GHSA unreviewed · 2022-04-30
Netscreen running ScreenOS 4.0.0r6 and earlier allows remote attackers to cause a denial of service via a malformed SSH packet to the Secure Command Shell (SCS) management interface, as demonstrated via certain CRC32 exploits, a different vulnerability than CVE-2001-0144.
No detection rules found.
Exploit-DB · CVE-2001-0144 · 2002-05-01
SSH (x2) - Remote Command Execution
---
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/349.tgz (x2.tgz)
# milw0rm.com [2002-05-01]
Exploit-DB · CVE-2001-0144 · 2001-02-08
SSH 1.2.x - CRC-32 Compensation Attack Detector
---
// source: https://www.securityfocus.com/bid/2347/info
Secure Shell, or SSH, is an encrypted remote access protocol. SSH or code based on SSH is used by many systems all over the world and in a wide variety of commercial applications. An integer-overflow bug in the CRC32 compensation attack detection code may allow remote attackers to write values to arbitrary locations in memory.
This would occur in situations where large SSH packets are received by either a client or server, and a 32-bit representation of the SSH packet length is assigned to a 16-bit integer. The difference in data representation in these situations will cause the 16-bit variable to be assigned to zero (or a really low value).
As a result, future calls to malloc()
No writeups or analysis indexed.
References
- http://marc.info/?l=bugtraq&m=98168366406903&w=2
- http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
- http://www.cert.org/advisories/CA-2001-35.html
- http://www.osvdb.org/503
- http://www.osvdb.org/795
- http://www.securityfocus.com/bid/2347
- https://exchange.xforce.ibmcloud.com/vulnerabilities/6083