CVE-2002-0640
Published: 2002-07-03


Priority: P3 · 55 · Severity: critical · CVSS 2.0 base score: 10.0
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 27.32% (97.8th percentile)
Buffer overflow in sshd in OpenSSH 2.3.1 through 3.3 may allow remote attackers to execute arbitrary code via a large number of responses during challenge response authentication when OpenBSD is using PAM modules with interactive keyboard authentication (PAMAuthenticationViaKbdInt).

Affected

31 ranges · showing 25

Vendor | Product | Version range | Fixed in
debian | openssh | < openssh 1:3.4 (bookworm) | openssh 1:3.4 (bookworm)
openbsd | openssh | (no version range extracted) | (no fix version extracted)   [24 identical entries]

Detection & IOCs (extracted from sources)

  • command: num_prompts = 1073741824 + 1024;
  • command: for( i = 0; i < 1045; i++ ) packet_put_cstring( "xxxxxxxxxx" );
  • command: packet_put_string( shellcode, 2047 );
  • url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/21579.tar.gz
  • filename: openssh-3.2.2p1.tar.gz
  • bytes: 0x6E69622F (little-endian '/bin')
  • bytes: 0x0068732f (little-endian '/sh\0')
  • Exploitation requires either PAMAuthenticationViaKbdInt or ChallengeResponseAuthentication to be enabled in sshd_config; audit configurations for these directives as a detection and triage signal.
  • Successful exploitation results in a bind shell listening on TCP port 128; look for unexpected listening services on port 128 following an SSH connection attempt.
  • The exploit targets OpenSSH 2.3.1 through 3.3 (the bug is reportedly still present in 3.4p1 and 3.5p1); flag SSH banner strings matching these version ranges.
  • The vulnerability only exists when sshd is compiled with BSD_AUTH or SKEY support, or when PAMAuthenticationViaKbdInt / ChallengeResponseAuthentication is enabled at runtime; systems without these compile-time or runtime options are not affected.
  • Enabling privilege separation (UsePrivilegeSeparation yes) in sshd_config is a documented workaround that limits exploitability even on vulnerable versions.
  • Red Hat Enterprise Linux 2.1 shipped OpenSSH without S/Key or BSD_AUTH support, so those systems are not vulnerable.
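The three "command" IOCs above are the whole attack in miniature: the client claims 1073741824 + 1024 responses, then sends only 1045 padding strings and one shellcode string. On a 32-bit sshd the response count is multiplied by sizeof(char *) to size a pointer array, and (2^30 + 1024) * 4 wraps to 4096 bytes, so the array holds 1024 pointers while the read loop stores the 1046th string's pointer 22 slots past its end. The following C is an added example, not code from this page, from the exploit archive, or from OpenSSH: it models the unpatched size computation in fixed 32-bit arithmetic (an assumption about the 2002-era targets) and a hardened variant. MAX_RESPONSES is an assumed cap; OpenSSH 3.4 fixed the bug by rejecting oversized nresp values, and 100 is the limit I recall from that patch.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants copied from the IOC lines on this page (exploit 21579):
 *   num_prompts = 1073741824 + 1024;         -> response count claimed to sshd
 *   1045 x packet_put_cstring("xxxxxxxxxx")  -> padding responses
 *   packet_put_string(shellcode, 2047)       -> one final response */
#define EXPLOIT_NRESP          (1073741824u + 1024u)   /* 2^30 + 1024 */
#define EXPLOIT_RESPONSES_SENT (1045u + 1u)

/* Assumption: a 32-bit build, where sizeof(char *) == 4 and size_t is 32 bits.
 * The arithmetic is done in uint32_t so the model holds on any host. */
#define PTR_SIZE_32BIT 4u

/* Allocation size as the unpatched handler computed it: nresp * sizeof(char *)
 * with no overflow check. With nresp = 2^30 + 1024 the product is 2^32 + 4096,
 * which wraps to 4096: room for only 1024 pointers. */
uint32_t vulnerable_alloc_size(uint32_t nresp)
{
    return nresp * PTR_SIZE_32BIT;             /* wraps modulo 2^32 */
}

/* Pointer slots the wrapped buffer actually holds. */
uint32_t vulnerable_slots(uint32_t nresp)
{
    return vulnerable_alloc_size(nresp) / PTR_SIZE_32BIT;
}

/* Responses written past the end of that buffer when the client sends `sent`
 * strings: the handler loops up to nresp storing each string's pointer at
 * index i, so every i >= slots is an out-of-bounds heap write. */
uint32_t overflow_count(uint32_t nresp, uint32_t sent)
{
    uint32_t slots = vulnerable_slots(nresp);
    if (sent <= slots)
        return 0;
    return sent - slots;
}

/* Hardened computation: bound the response count before any arithmetic and
 * guard the multiplication itself. Returns the byte count, or -1 if the
 * request must be refused. MAX_RESPONSES is an assumed cap (see lead-in). */
#define MAX_RESPONSES 100u

long long safe_alloc_size(uint32_t nresp)
{
    if (nresp > MAX_RESPONSES)
        return -1;                              /* no real PAM/S-Key dialog has this many prompts */
    if (nresp > UINT32_MAX / PTR_SIZE_32BIT)
        return -1;                              /* generic guard: the product would wrap */
    return (long long)nresp * PTR_SIZE_32BIT;
}

int main(void)
{
    uint32_t n = EXPLOIT_NRESP;
    printf("nresp=%u -> xmalloc(%u) = %u pointer slots\n",
           (unsigned)n, (unsigned)vulnerable_alloc_size(n), (unsigned)vulnerable_slots(n));
    printf("exploit sends %u responses -> %u written past the buffer\n",
           (unsigned)EXPLOIT_RESPONSES_SENT,
           (unsigned)overflow_count(n, EXPLOIT_RESPONSES_SENT));
    printf("hardened: nresp=%u -> %lld, nresp=3 -> %lld\n",
           (unsigned)n, safe_alloc_size(n), safe_alloc_size(3u));
    return 0;
}
```

The point for triage is that the attacker never has to send 2^30 strings: the heap is corrupted as soon as the 1025th response arrives, which is why the exploit stops at 1046. Any sshd that still accepts an unbounded nresp on a platform where the multiplication can wrap is exposed; the count check, not the buffer size, is the fix.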

CVSS provenance

Source | CVSS version | Score | Severity | Vector
nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
osv | | 10.0 | CRITICAL |
vendor_debian | | 10.0 | HIGH |
vendor_redhat | | 10.0 | CRITICAL |