CVE-2002-1059
published 2002-10-04

Priority: P3 (47)
CVSS 2.0: 7.5 (High), vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 60.30% (99.0th percentile)
Buffer overflow in Van Dyke SecureCRT SSH client before 3.4.6, and 4.x before 4.0 beta 3, allows an SSH server to execute arbitrary code via a long SSH1 protocol version string.

Affected

19 version ranges, all for vendor van_dyke_technologies, product securecrt (per the description: versions before 3.4.6, and 4.x before 4.0 beta 3).

Detection & IOCs (extracted from sources)

  • port: 9988
  • command: SSH-1.1-
  • command: SSH-1.1-OpenSSH_3.6.1p2
  • registry: 0x0041b3e0
  • process: SecureCRT.exe
  • bytes: \xb8\x00\x03\xff\xe0
  • bytes: \xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90
  • Detect oversized SSH1 protocol identifier strings (>~250 bytes) sent by a server to a client — the malicious payload begins with 'SSH-1.1-' followed by a long padding of repeated characters or shellcode.
  • Flag SSH1 server banner responses exceeding normal length (>50 bytes) on port 22 or 9988 directed at SecureCRT clients; the Metasploit module sends 243 bytes of random English text after the banner prefix.
  • Monitor for rogue SSH servers listening on non-standard port 9988 (used by both PoC exploits) that send SSH-1.x banner strings to connecting clients.
  • The exploit targets SecureCRT.exe version 3.4.4 with a hardcoded return address 0x0041b3e0; presence of this RET value in network traffic (little-endian: \xe0\xb3\x41\x00) within an SSH1 banner is a strong indicator of exploitation.
  • The EXITFUNC is set to 'process', meaning shellcode execution terminates the process; look for SecureCRT.exe crashing or spawning unexpected child processes after an SSH1 connection attempt.
  • The Metasploit module only has a single target (SecureCRT 3.4.4) with one hardcoded return address; other vulnerable versions (up to 4.0 Beta 2) are not covered and would require different RET values.
  • The payload space is limited to 400 bytes with null bytes as bad characters; shellcode must avoid \x00.
  • A stack adjustment of -3500 is required for the payload to execute correctly, which is an unusual and large negative adjustment that may affect reliability on different stack layouts.
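As an added detection example (not code from the page's sources or from the Metasploit module), the following Python applies the banner-length, port and return-address heuristics from the bullets above to a few constructed server identification strings. The thresholds, port 9988 and the 0x0041b3e0 address come from the page; the `classify_banner` and `scan` names and the sample records are assumptions made for illustration.

```python
# Heuristics for a server->client SSH1 identification string, taken from the
# detection bullets for CVE-2002-1059.
SSH1_PREFIX = b"SSH-1."
NORMAL_BANNER_MAX = 50        # bytes; legitimate server banners are short
OVERSIZED_THRESHOLD = 250     # bytes; the PoC banners are ~250 bytes or more
RET_LE = bytes.fromhex("e0b34100")  # 0x0041b3e0 in little-endian byte order
ROGUE_PORTS = {9988}          # port used by both public PoC servers


def classify_banner(banner: bytes, server_port: int = 22) -> dict:
    """Return the length of one banner and the list of triggered findings.

    Length is measured on the raw bytes, including the terminating CRLF.
    Only SSH-1.x banners are examined, matching the scope of the advisory.
    """
    findings = []
    if banner.startswith(SSH1_PREFIX):
        if len(banner) > OVERSIZED_THRESHOLD:
            findings.append("oversized_ssh1_banner")
        elif len(banner) > NORMAL_BANNER_MAX:
            findings.append("long_ssh1_banner")
        if RET_LE in banner:
            findings.append("ret_0x0041b3e0_present")
        if server_port in ROGUE_PORTS:
            findings.append("rogue_port_9988")
    return {"length": len(banner), "findings": findings}


def scan(records):
    """Return (server_port, findings) for every record that triggered a finding."""
    alerts = []
    for server_port, banner in records:
        result = classify_banner(banner, server_port)
        if result["findings"]:
            alerts.append((server_port, result["findings"]))
    return alerts


# Constructed sample records (server port, identification string); not captured traffic.
SAMPLES = [
    (22, b"SSH-1.99-OpenSSH_3.6.1p2\r\n"),                       # ordinary SSH1-compatible banner
    (22, b"SSH-2.0-OpenSSH_9.6\r\n"),                            # SSH2, out of scope
    (9988, b"SSH-1.1-" + b"A" * 243 + b"\r\n"),                  # 243 bytes of filler on port 9988
    (22, b"SSH-1.1-" + b"B" * 100 + RET_LE + b"C" * 40 + b"\r\n"),  # long banner carrying the RET bytes
]

if __name__ == "__main__":
    for port, findings in scan(SAMPLES):
        print(f"server port {port}: {', '.join(findings)}")
```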