CVE-2002-1359
published 2002-12-23

Priority: P3 · 49
Severity: critical (CVSS 2.0 score 10)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 80.23% (99.6th percentile)
Multiple SSH2 servers and clients do not properly handle large packets or large fields, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code via buffer overflow attacks, as demonstrated by the SSHredder SSH protocol test suite.

Affected

17 ranges

Vendor · Product (version range and fixed-in values not shown)
  • cisco · ios (8 ranges)
  • debian · openssh
  • fissh · ssh_client
  • intersoft · securenetterm
  • netcomposite · shellguard_ssh
  • pragma_systems · secureshell
  • putty · putty (3 ranges)
  • winscp · winscp

Detection & IOCs (extracted from sources)

Byte pattern: SSH-2.0-OpenSSH_3.6.1p2\r\n\x00\x00\x4e\xec\x01\x14\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde
Byte pattern: \x00\x00\x07\xde
  • The exploit acts as a rogue SSH server listening on port 22, sending a malformed SSH banner followed by oversized key-exchange fields to a connecting PuTTY 0.53 client. Detect inbound SSH connections where the server banner is 'SSH-2.0-OpenSSH_3.6.1p2' but the immediately following binary packet contains the magic bytes \x00\x00\x4e\xec\x01\x14.
  • The exploit payload structure repeatedly embeds the 4-byte sequence \x00\x00\x07\xde as a field-length delimiter within oversized comma-separated alphanumeric blocks. Presence of this pattern repeated multiple times within a single SSH packet is a strong indicator of SSHredder-style exploitation.
  • The attack targets PuTTY versions 0.53 and earlier. Monitor for PuTTY processes (putty.exe) connecting to untrusted SSH servers, especially where the SSH key-exchange packet size is abnormally large (indicated by the 0x4eec length field).
  • The malformed packets can be generated using the SSHredder test suite. Presence of SSHredder tool artifacts or traffic patterns on the network should be treated as active exploitation attempts against SSH implementations.
  • For Cisco IOS devices, the vulnerability is triggered by a malformed SSH packet requiring no authentication. Monitor for unexpected device reloads (DoS) on Cisco devices with SSH enabled, correlated with Cisco Bug IDs CSCdz60229, CSCdy87221, CSCdu75477, CSCdz62330, CSCdz66748.
  • Return addresses used in the Metasploit exploit for Windows targets: 0x77e14c29 (Win2000 SP4 EN), 0x76b43ae0 (WinXP SP2 EN), 0x76aa679b (Win2003 SP1 EN). These can be used as memory indicators in crash dumps or exploit traffic.
  • The SSH server in Cisco IOS is disabled by default; this vulnerability only affects Cisco devices where the SSH server has been explicitly enabled.
  • No authentication is required for the malformed packet to trigger the vulnerability on affected Cisco devices, meaning pre-auth network-level exploitation is possible.
  • The Metasploit exploit module operates as a rogue SSH server (attacker-controlled listener), meaning the victim (PuTTY client) must initiate a connection to the attacker's host; this is a client-side attack vector, not a direct server attack.
  • The exploit payload space is limited to 400 bytes with null bytes as bad characters; payloads requiring WS2/bind sockets are excluded.
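A small detector for the three network indicators listed above (the rogue banner immediately followed by the magic packet header, an oversized KEXINIT length field, and the repeated \x00\x00\x07\xde field-length prefix), written for this page as an added example; it is not code from the SSHredder suite, Metasploit or cbcvebase, and the 4096-byte and three-repeat thresholds are assumptions.

```python
import struct

# Added detection example; not code from the exploit, the test suite or cbcvebase.
SSH_MSG_KEXINIT = 0x14                        # RFC 4253 message number 20
MAGIC_HEADER = b"\x00\x00\x4e\xec\x01\x14"    # packet_length 0x4eec, padding 1, KEXINIT
FIELD_DELIM = b"\x00\x00\x07\xde"             # uint32 2014: the repeated field-length prefix
ROGUE_BANNER = b"SSH-2.0-OpenSSH_3.6.1p2"
MAX_KEXINIT_LEN = 4096   # assumed threshold; a genuine KEXINIT is a few hundred bytes
MIN_DELIM_REPEATS = 3    # assumed threshold for "repeated multiple times"


def inspect_first_packet(stream: bytes) -> dict:
    """Parse the banner and first binary packet of a server-to-client SSH stream
    and return what was seen together with the indicators that fired."""
    result = {"banner": None, "packet_length": None, "msg_type": None,
              "delim_count": 0, "indicators": []}
    end = stream.find(b"\r\n")
    if not stream.startswith(b"SSH-") or end < 0:
        return result                           # not an SSH banner; nothing to judge
    banner, packet = stream[:end], stream[end + 2:]
    result["banner"] = banner.decode("ascii", "replace")
    if len(packet) < 6:
        return result                           # header incomplete; wait for more bytes
    # Binary packet header: uint32 packet_length, byte padding_length, byte message type
    plen, _pad, mtype = struct.unpack("!IBB", packet[:6])
    result["packet_length"], result["msg_type"] = plen, mtype
    if banner == ROGUE_BANNER and packet.startswith(MAGIC_HEADER):
        result["indicators"].append("sshredder-banner-and-magic-header")
    if mtype == SSH_MSG_KEXINIT and plen > MAX_KEXINIT_LEN:
        result["indicators"].append("oversized-kexinit")
    result["delim_count"] = packet.count(FIELD_DELIM)
    if result["delim_count"] >= MIN_DELIM_REPEATS:
        result["indicators"].append("repeated-field-length-delimiter")
    return result


# Constructed samples: the malicious stream stitches the two quoted byte patterns
# into a 16-byte cookie followed by three 2014-byte name-lists; the benign one is
# a modern banner followed by a small KEXINIT.
MALICIOUS_STREAM = (ROGUE_BANNER + b"\r\n" + MAGIC_HEADER + b"\x00" * 16
                    + (FIELD_DELIM + b"diffie-hellman-group1-sha1,".ljust(2014, b"x")) * 3)
BENIGN_STREAM = (b"SSH-2.0-OpenSSH_9.6\r\n" + struct.pack("!IBB", 0x1a0, 6, 0x14)
                 + b"\x00" * 16 + struct.pack("!I", 17) + b"curve25519-sha256")

if __name__ == "__main__":
    for name, data in (("malicious", MALICIOUS_STREAM), ("benign", BENIGN_STREAM)):
        print(name, inspect_first_packet(data))
```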

CVSS provenance

  • nvd: CVSS v2.0, 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
  • vendor_debian: 10.0, LOW