cbcvebase.
CVE-2001-0144
published 2001-03-12

CVE-2001-0144: CORE SDI SSH1 CRC-32 compensation attack detector allows remote attackers to execute arbitrary commands on an SSH server or client via an integer overflow.

Priority: P344 · Severity: critical · CVSS 2.0 base score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 32.42% (98.1th percentile)
Affected

118 vendor/product ranges listed, showing 25; every row shown is Cisco CatOS, and the version range and fixed-in columns were not captured.

Vendor | Product | Version range | Fixed in
cisco | catos | (not captured) | (not captured)

Detection & IOCs (extracted from sources)

path: /tmp/code
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/349.tgz
  • Exploit triggers on the 2nd SSH packet (count == 2); monitor for anomalously large SSH packets sent early in the SSH1 handshake that could indicate integer-overflow exploitation of the CRC-32 compensation attack detector.
  • Post-exploitation, the shellcode opens a bind shell on TCP port 36864; scan for or alert on unexpected listening services on this port following SSH1 connections.
  • The exploit is delivered via a patched SSH client binary (PATH_SSH = "./ssh"); look for non-standard SSH client binaries in local directories being used to connect to SSH servers.
  • Exploitation targets SSH protocol version 1 (SSH1); blocking SSHv1 negotiation at the network perimeter prevents this attack vector, and alerting on it at least exposes attempts.
  • Cisco 11000 Content Service Switch family is vulnerable; only specific WebNS versions are safe: patch to 4.01 B42s, 4.10 22s, 5.0 B11s, or 5.01 B6s or later.
  • NetScreen ScreenOS is not directly exploitable for RCE, but the exploit will crash devices running vulnerable SCS (SSHv1) versions, causing a DoS; SCS is disabled by default.
  • Secure Computing SafeWord Agent for SSH is also vulnerable, as it is based on a vulnerable SSH version.
  • Both SSH servers AND clients are affected; the integer overflow can be triggered against either end of the connection.
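A passive check for the SSHv1-negotiation and oversized-early-packet indicators above, added here as an example (it is not code from the exploit, the advisory or any vendor). It relies on the fact that the 4-byte length field preceding every SSH1 packet is sent in cleartext even after encryption starts, so a network monitor can read it; the window, threshold and sample stream are assumptions constructed for illustration.

```python
import struct

def is_ssh1_banner(banner: bytes) -> bool:
    """SSH1 is in use when the version exchange line starts with 'SSH-1.'."""
    return banner.startswith(b"SSH-1.")

def ssh1_packet(payload_len: int) -> bytes:
    """Build one SSH1 frame of filler bytes (constructed test data, not a capture).
    Layout: 4-byte big-endian length, then padding of 8 - (length % 8) bytes,
    then `length` bytes of (encrypted) type + data + CRC32."""
    padding = 8 - (payload_len % 8)
    return struct.pack(">I", payload_len) + b"\x00" * (padding + payload_len)

def parse_ssh1_lengths(stream: bytes) -> list[int]:
    """Walk consecutive SSH1 frames and return their declared lengths.
    A declared length is recorded even when the frame body is truncated
    (e.g. capture cut off), because the declared value is the indicator."""
    lengths = []
    pos = 0
    while pos + 4 <= len(stream):
        (length,) = struct.unpack(">I", stream[pos:pos + 4])
        lengths.append(length)
        frame = 4 + (8 - (length % 8)) + length
        if pos + frame > len(stream):
            break  # truncated frame: keep the declared length, stop walking
        pos += frame
    return lengths

def flag_oversized_early_packets(stream: bytes, window: int = 4,
                                 max_len: int = 4096) -> list[tuple[int, int]]:
    """Return (packet_index, declared_length) for packets among the first
    `window` frames whose declared length exceeds `max_len`. Both values are
    assumed thresholds; tune them to the baseline seen on your own links."""
    lengths = parse_ssh1_lengths(stream)[:window]
    return [(i, n) for i, n in enumerate(lengths) if n > max_len]

# Constructed sample session: a normal first packet, then an oversized second one.
SAMPLE_BANNER = b"SSH-1.5-constructed-sample\r\n"
SAMPLE_STREAM = ssh1_packet(40) + ssh1_packet(70000) + ssh1_packet(16)

if __name__ == "__main__":
    print("SSH1 negotiated:", is_ssh1_banner(SAMPLE_BANNER))
    print("suspicious packets:", flag_oversized_early_packets(SAMPLE_STREAM))
```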