CVE-2002-1359
Published 2002-12-23
CVE-2002-1359: Multiple SSH2 servers and clients do not properly handle large packets or large fields, which may allow remote attackers to cause a denial of service or…
Priority P349 · critical · 10.0 (CVSS 2.0) · AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available · EPSS 80.23% (99.6th percentile)
Multiple SSH2 servers and clients do not properly handle large packets or large fields, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code via buffer overflow attacks, as demonstrated by the SSHredder SSH protocol test suite.
Affected: 17 ranges (version bounds and fixed versions are not recorded on this page)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | ios (8 ranges) | — | — |
| debian | openssh | — | — |
| fissh | ssh_client | — | — |
| intersoft | securenetterm | — | — |
| netcomposite | shellguard_ssh | — | — |
| pragma_systems | secureshell | — | — |
| putty | putty (3 ranges) | — | — |
| winscp | winscp | — | — |
Detection & IOCs (extracted from sources)
- bytes: SSH-2.0-OpenSSH_3.6.1p2\r\n\x00\x00\x4e\xec\x01\x14\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde
- bytes: \x00\x00\x07\xde
- The Metasploit module acts as a rogue SSH server listening on port 22. It sends a normal-looking identification string and then a key-exchange packet with oversized fields to the connecting PuTTY 0.53 client. Detect inbound SSH connections where the server banner is 'SSH-2.0-OpenSSH_3.6.1p2' and the binary packet immediately after it begins with \x00\x00\x4e\xec\x01\x14: packet_length 0x4eec (20204 bytes), padding_length 1 (below the minimum of 4 that the SSH transport spec requires), message type 0x14 (SSH_MSG_KEXINIT).
- The exploit payload repeats the 4-byte sequence \x00\x00\x07\xde, a 2014-byte (0x07de) length prefix, in front of each oversized comma-separated alphanumeric name-list; ten such name-lists inside one KEXINIT account for the 20204-byte packet. Several occurrences of this prefix within a single SSH packet are a strong indicator of SSHredder-style exploitation.
- The attack targets PuTTY 0.53 and earlier. Monitor for putty.exe connecting to untrusted SSH servers, especially where the server's first binary packet is abnormally large (packet_length 0x4eec in the known exploit).
- Malformed packets of this kind can be generated with the SSHredder test suite. SSHredder artifacts or traffic patterns on a production network should be treated as active exploitation attempts against SSH implementations; the suite is a protocol fuzzer, so its output is not limited to the PuTTY case.
- For Cisco IOS devices, the trigger is a malformed SSH packet that requires no authentication. Monitor for unexpected reloads (DoS) on Cisco devices with the SSH server enabled and correlate with Cisco bug IDs CSCdz60229, CSCdy87221, CSCdu75477, CSCdz62330, CSCdz66748.
- Return addresses used by the Metasploit module for Windows targets: 0x77e14c29 (Windows 2000 SP4 EN), 0x76b43ae0 (Windows XP SP2 EN), 0x76aa679b (Windows 2003 SP1 EN). These can serve as memory indicators in crash dumps or in captured exploit traffic.
- The SSH server in Cisco IOS is disabled by default; only devices on which it has been explicitly enabled are affected.
- No authentication is required for the malformed packet to trigger the vulnerability on affected Cisco devices, so pre-auth, network-level exploitation is possible.
- The Metasploit module is a rogue SSH server (an attacker-controlled listener): the victim PuTTY client must initiate the connection to the attacker's host. This is a client-side attack vector, not an attack against SSH servers.
- Payload space in the Metasploit module is limited to 400 bytes, with null bytes as bad characters; payloads that require WS2/bind sockets are excluded.
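The indicators above describe one concrete packet. The check below, an added example that is not part of the page's sources or of any of the tools it lists, parses the first SSH-2 binary packet after the identification string and reports every field that is out of spec: packet_length above the 35000-byte maximum of RFC 4253, padding_length below 4, and KEXINIT name-lists that run past the packet or exceed a sanity bound. The 1024-byte name-list bound and the two sample streams are constructed assumptions for illustration; the malicious sample is built so that it starts with exactly the IOC bytes quoted above.

```python
"""Flag SSHredder / CVE-2002-1359 style oversized SSH-2 packets and fields.

Added example; not code from the page's sources. RFC 4253 values are real,
MAX_NAMELIST_LEN and the sample streams are constructed for illustration.
"""
import re
import struct

SSH_MSG_KEXINIT = 20
MAX_PACKET_LEN = 35000        # RFC 4253 6.1: largest packet every implementation must accept
MIN_PADDING = 4               # RFC 4253 6: padding_length is at least 4 bytes
MAX_NAMELIST_LEN = 1024       # assumed sanity bound; real KEXINIT name-lists are far shorter
NAMELIST_LEN_MARKER = b"\x00\x00\x07\xde"   # 2014-byte length prefix seen in the PuTTY exploit
KEXINIT_FIELDS = [
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_c2s", "encryption_algorithms_s2c",
    "mac_algorithms_c2s", "mac_algorithms_s2c",
    "compression_algorithms_c2s", "compression_algorithms_s2c",
    "languages_c2s", "languages_s2c",
]
# IOC bytes quoted on this page: banner, packet header, 16-byte cookie, first name-list length.
IOC_PREFIX = (b"SSH-2.0-OpenSSH_3.6.1p2\r\n\x00\x00\x4e\xec\x01\x14"
              + b"\x00" * 16 + b"\x00\x00\x07\xde")


def inspect_ssh_stream(data: bytes) -> list:
    """Return a list of findings for the first binary packet; [] means nothing abnormal."""
    findings = []
    m = re.match(rb"SSH-2\.0-[^\r\n]*\r?\n", data)
    if not m:
        return ["no SSH-2.0 identification string at start of stream"]
    body = data[m.end():]
    if len(body) < 6:
        return ["stream ends before the first binary packet header"]
    packet_len, padding_len, msg_type = struct.unpack("!IBB", body[:6])
    if packet_len > MAX_PACKET_LEN:
        findings.append(f"packet_length {packet_len} exceeds RFC 4253 maximum {MAX_PACKET_LEN}")
    if padding_len < MIN_PADDING:
        findings.append(f"padding_length {padding_len} below RFC 4253 minimum {MIN_PADDING}")
    if msg_type != SSH_MSG_KEXINIT:
        findings.append(f"first packet is message type {msg_type}, not SSH_MSG_KEXINIT")
        return findings
    # payload = bytes after the padding_length byte, minus the trailing padding
    payload = body[5:4 + packet_len - padding_len]
    if len(payload) < 17:                      # message type + 16-byte cookie
        findings.append("KEXINIT truncated before cookie")
        return findings
    off = 17
    for name in KEXINIT_FIELDS:                # ten length-prefixed name-lists follow the cookie
        if off + 4 > len(payload):
            findings.append(f"KEXINIT truncated before {name}")
            break
        (n,) = struct.unpack("!I", payload[off:off + 4])
        off += 4
        if n > len(payload) - off:             # the "large field" case: length claims more than exists
            findings.append(f"{name}: length {n} runs past end of packet ({len(payload) - off} bytes left)")
            break
        if n > MAX_NAMELIST_LEN:
            findings.append(f"{name}: name-list of {n} bytes exceeds sanity bound {MAX_NAMELIST_LEN}")
        off += n
    markers = body.count(NAMELIST_LEN_MARKER)
    if markers >= 2:
        findings.append(f"length prefix 00 00 07 de repeated {markers} times (SSHredder/Metasploit PuTTY pattern)")
    return findings


def _kexinit(namelists, padding_len):
    """Build an unencrypted SSH_MSG_KEXINIT binary packet (sample generator, not an exploit)."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for nl in namelists:
        payload += struct.pack("!I", len(nl)) + nl
    payload += b"\x00" + b"\x00\x00\x00\x00"   # first_kex_packet_follows, reserved
    packet_len = 1 + len(payload) + padding_len
    return struct.pack("!IB", packet_len, padding_len) + payload + b"\x00" * padding_len


def _padding_for(payload_len):
    """Smallest RFC-conformant padding: total length a multiple of 8, at least 4 bytes."""
    pad = 8 - ((5 + payload_len) % 8)
    return pad + 8 if pad < 4 else pad


# Constructed samples (not real captures).
_BENIGN_LISTS = [b"curve25519-sha256", b"ssh-ed25519", b"aes256-gcm@openssh.com",
                 b"aes256-gcm@openssh.com", b"hmac-sha2-256", b"hmac-sha2-256",
                 b"none", b"none", b"", b""]
BENIGN = b"SSH-2.0-OpenSSH_9.6\r\n" + _kexinit(
    _BENIGN_LISTS, _padding_for(17 + sum(4 + len(x) for x in _BENIGN_LISTS) + 5))
BLOCK = (b"aaaa," * 403)[:2014]               # 2014 = 0x07de, the length seen in the exploit
MALICIOUS = b"SSH-2.0-OpenSSH_3.6.1p2\r\n" + _kexinit([BLOCK] * 10, padding_len=1)

if __name__ == "__main__":
    for label, stream in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, inspect_ssh_stream(stream) or "clean")
```

Feed it the first few kilobytes of either direction of a captured SSH session (both peers send a KEXINIT, so the same check covers the rogue-server case against PuTTY and the malformed-client case against a Cisco IOS server). Ten name-lists of 2014 bytes plus the fixed KEXINIT fields and a single padding byte sum to exactly 20204, which is why the constructed malicious sample reproduces the 0x4eec length from the IOC.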
CVSS provenance
- nvd · v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
- vendor_debian · 10.0 · LOW
Cisco
SSH Malformed Packet Vulnerabilities
vendor_cisco · 2002-12-19 (the same advisory is indexed here under CVE-2002-1357)
Certain Cisco products containing support for the Secure Shell (SSH) server are vulnerable to a Denial of Service (DoS) if the SSH server is enabled on the device. A malformed SSH packet directed at the affected device can cause a reload of the device. No authentication is necessary for the packet to be received by the affected device. The SSH server in Cisco IOS® is disabled by default.

Cisco will be making free software available to correct the problem as soon as possible.

The malformed packets can be generated using the SSHredder test suite from Rapid7, Inc. Workarounds are available. The Cisco PSIRT is not aware of any malicious exploitation of this vulnerability.
This advisory is available at
https://sec.cloudapps.cisco.com/security/center/conte
Debian
CVE-2002-1359: openssh - Multiple SSH2 servers and clients do not properly handle large packets or large ...
vendor_debian·2002·CVSS 10.0
CVE-2002-1359 [CRITICAL] CVE-2002-1359: openssh - Multiple SSH2 servers and clients do not properly handle large packets or large ...
Multiple SSH2 servers and clients do not properly handle large packets or large fields, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code via buffer overflow attacks, as demonstrated by the SSHredder SSH protocol test suite.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
Cisco
SSH Malformed Packet Vulnerabilities
vendor_cisco
CVE-2002-1359: SSH Malformed Packet Vulnerabilities (second indexed copy of the Cisco advisory above; text identical)
Bug IDs: CSCdz60229, CSCdy87221, CSCdu75477, CSCdz62330, CSCdz66748
GHSA
GHSA-fxj2-7cf3-5hcm: Multiple SSH2 servers and clients do not properly handle large packets or large fields, which may allow remote attackers to cause a denial of service
ghsa_unreviewed·2022-04-30
CVE-2002-1359 [HIGH] CWE-20 GHSA-fxj2-7cf3-5hcm: Multiple SSH2 servers and clients do not properly handle large packets or large fields, which may allow remote attackers to cause a denial of service
Multiple SSH2 servers and clients do not properly handle large packets or large fields, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code via buffer overflow attacks, as demonstrated by the SSHredder SSH protocol test suite.
No detection rules found.
Exploit-DB
PuTTy.exe 0.53 - Remote Buffer Overflow (Metasploit)
exploitdb·2010-06-15
CVE-2002-1359 PuTTy.exe 0.53 - Remote Buffer Overflow (Metasploit)
PuTTy.exe 0.53 - Remote Buffer Overflow (Metasploit)
---
```ruby
##
# $Id: putty_msg_debug.rb 9525 2010-06-15 07:18:08Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

# NOTE: the class header and the 'Name' value were swallowed by HTML extraction
# (text between '<' and '>' is missing); they are restored here from the standard
# Metasploit 3 module layout. The module is a TCP server, as the page states.
class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::TcpServer

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'PuTTy.exe <= v0.53 Buffer Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow in the PuTTY SSH client that is triggered
				through a validation error in SSH.c.
			},
			'Author'         => 'MC',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9525 $',
			'References'     =>
				[
					[ 'CVE', '2002-1359' ],
					[ 'OSVDB', '8044'],
					[ 'URL', 'http://www.rapid7.com/advisories/R7-0009.html' ],
					[ 'BID', '6407'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'proce
```
(listing truncated at this point in the source)
Exploit-DB
PuTTy.exe 0.53 - Validation Remote Buffer Overflow (Metasploit)
exploitdb·2006-05-15
CVE-2002-1359 PuTTy.exe 0.53 - Validation Remote Buffer Overflow (Metasploit)
PuTTy.exe 0.53 - Validation Remote Buffer Overflow (Metasploit)
---
```perl
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::putty_ssh;
use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;
use POSIX;

my $advanced =
{
};

# NOTE: the 'Name' value and the 'Version' key were swallowed by HTML extraction
# (text between '<' and '>' is missing) and are restored here from the Metasploit 2 module layout.
my $info =
{
	'Name'    => 'PuTTy.exe <= v0.53 Buffer Overflow',
	'Version' => '$Revision: 1.1 $',
	'Authors' => [ 'y0 [at] w00t-shell.net' ],
	'Description' =>
		Pex::Text::Freeform(qq{
			This module exploits a buffer overflow in the PuTTY SSH client that is triggered
			throug
```
(listing truncated at this point in the source)
Exploit-DB
HP-UX 10.x - stmkfont Alternate Typeface Library Buffer Overflow (1)
exploitdb·2003-02-12
CVE-2003-1359 HP-UX 10.x - stmkfont Alternate Typeface Library Buffer Overflow (1)
(Indexed under CVE-2003-1359, a different HP-UX local vulnerability; it is unrelated to CVE-2002-1359 and appears here only because of the matching identifier suffix.)
---
// source: https://www.securityfocus.com/bid/6836/info
A buffer overflow vulnerability has been reported in the stmkfont utility shipped with HP-UX systems. The problem occurs due to insufficient bounds checking on user-supplied data to the alternate typeface library command-line option.
A local attacker may be able to exploit this issue to execute arbitrary code with elevated privileges.
All Avaya PDS 9 and 11 platforms are vulnerable to this issue. Avaya PDS 12 platforms running on HP-UX 11.00 are vulnerable as well. PDS 12 versions running on HP-UX 11.11 are not vulnerable.
```c
/*## copyright LAST STAGE OF DELIRIUM jun 2002 poland *://lsd-pl.net/ #*/
/*## /usr/bin/stmkfont #*/
#include
#include
#include
#define
```
(the header names after each #include and the body of the #define were lost in extraction; listing truncated at this point in the source)
Metasploit
PuTTY Buffer Overflow
metasploit
PuTTY Buffer Overflow
PuTTY Buffer Overflow
This module exploits a buffer overflow in the PuTTY SSH client that is triggered through a validation error in SSH.c. This vulnerability affects versions 0.53 and earlier.
No writeups or analysis indexed.
References
- http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0110.html
- http://securitytracker.com/id?1005812
- http://securitytracker.com/id?1005813
- http://www.cert.org/advisories/CA-2002-36.html
- http://www.securityfocus.com/bid/6407
- https://exchange.xforce.ibmcloud.com/vulnerabilities/10870
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5848
Published: 2002-12-23