OpenSSH < 7.4 Multiple Vulnerabilities - Nessus - InfosecMatter
This page contains detailed information about the OpenSSH < 7.4 Multiple Vulnerabilities Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying this vulnerability.
ID: 96151
Name: OpenSSH < 7.4 Multiple Vulnerabilities
Filename: openssh_74.nasl
Vulnerability Published: 2016-12-19
This Plugin Published: 2016-12-27
Last Modification Time: 2022-04-04
Description
According to its banner, the version of OpenSSH running on the remote host is prior to 7.4. It is, therefore, affected by multiple vulnerabilities :
- A flaw exists in sshd due to creating forwarded Unix-domain sockets with 'root' privileges whenever privilege separation is disabled (UsePrivilegeSeparation no). A local attacker, i.e. an authenticated user who can request Unix-domain socket forwarding, can exploit this to gain elevated privileges. (CVE-2016-10010)
- An information disclosure vulnerability exists in sshd due to leakage of host key material to privilege-separated child processes through realloc() when reading keys. A local attacker could possibly exploit this to disclose sensitive key material. Note that no such leak has been observed in practice for normal-sized keys, nor does a leak to the child processes directly expose key material to unprivileged users. (CVE-2016-10011)
- A flaw exists in sshd within the shared memory manager used by pre-authentication compression support, because a bounds check could be elided by some optimizing compilers and because the memory manager was incorrectly accessible even when pre-authentication compression is disabled. A local attacker who has already compromised the sandboxed privilege-separated child process can exploit this against the privileged monitor process to gain elevated privileges. (CVE-2016-10012)
- A denial of service vulnerability exists in sshd when handling KEXINIT messages. An unauthenticated, remote attacker can exploit this, by sending multiple KEXINIT messages, to consume up to 128MB of memory per connection.
- A flaw exists in sshd due to improper validation of address ranges in the AllowUsers and DenyUsers directives at configuration load time. An invalid CIDR address range in such a directive (for example a prefix length larger than 32) always matched, so a remote user connecting from an address the administrator did not intend to allow could be granted access.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number. In practice this means distribution packages that backport the 7.4 fixes without changing the advertised version (common on Debian, Ubuntu and RHEL) are reported as vulnerable; confirm against the vendor's package changelog before acting on the finding.
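Because the plugin decides purely from the version string in the server's identification line, the check below reproduces that logic in Python. It is an added example written for this page, not code from the plugin or from Tenable; the sample banners are constructed rather than captured from real hosts, and grab_banner() is only needed when you point the check at a live host.

```python
import re
import socket

# Added example (not the plugin's code): reproduce the plugin's decision rule,
# "advertised OpenSSH version below 7.4 => vulnerable", over SSH banners.

FIXED_IN = (7, 4, 0)

# CVE identifiers the plugin attaches to the finding (script_cve_id in openssh_74.nasl).
PLUGIN_CVES = ("CVE-2016-10009", "CVE-2016-10010", "CVE-2016-10011",
               "CVE-2016-10012", "CVE-2016-10708")

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.(?P<patch>\d+))?(?:p(?P<portable>\d+))?(?P<rest>.*)$"
)


def parse_openssh_version(banner):
    """Return (major, minor, patch) from an OpenSSH banner, or None for anything
    else. 'SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8' -> (7, 2, 0)."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return (int(m.group("major")), int(m.group("minor")), int(m.group("patch") or 0))


def assess_banner(banner):
    """Apply the plugin's rule to one banner. 'backport_possible' is set when the
    banner carries a vendor suffix (Debian/Ubuntu/RHEL style): those builds often
    ship the 7.4 fixes without bumping the advertised version, so a plain version
    comparison can be a false positive there."""
    version = parse_openssh_version(banner)
    if version is None:
        return {"openssh": False, "version": None, "vulnerable": False,
                "cves": (), "backport_possible": False}
    vulnerable = version < FIXED_IN
    vendor_suffix = BANNER_RE.match(banner.strip()).group("rest").strip()
    return {"openssh": True, "version": version, "vulnerable": vulnerable,
            "cves": PLUGIN_CVES if vulnerable else (),
            "backport_possible": vulnerable and bool(vendor_suffix)}


def grab_banner(host, port=22, timeout=5.0):
    """Fetch the identification line from a live server. Servers may send other
    lines before it (RFC 4253 section 4.2), so skip anything not starting 'SSH-'."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-bannercheck\r\n")
        buf = b""
        while len(buf) < 4096:
            chunk = sock.recv(1024)
            if not chunk:
                break
            buf += chunk
            for line in buf.decode("ascii", "replace").splitlines():
                if line.startswith("SSH-"):
                    return line
    raise ValueError("no SSH identification line received from %s:%d" % (host, port))


# Constructed sample banners for offline use (not captured from real hosts).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8",    # < 7.4, vendor build: check backports
    "SSH-2.0-OpenSSH_6.6.1p1 Debian-4~bpo70+1",   # < 7.4, three-part version
    "SSH-1.99-OpenSSH_5.3",                       # < 7.4, no vendor suffix
    "SSH-2.0-OpenSSH_7.4",                        # fixed release
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3",             # newer
    "SSH-2.0-dropbear_2019.78",                   # not OpenSSH: plugin does not apply
]


def assess_samples(banners=SAMPLE_BANNERS):
    """Return {banner: vulnerable?} for a list of banners."""
    return {b: assess_banner(b)["vulnerable"] for b in banners}


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        result = assess_banner(banner)
        flag = "VULNERABLE" if result["vulnerable"] else "ok"
        note = " (vendor build, verify backports)" if result["backport_possible"] else ""
        print("%-45s %s%s" % (banner, flag, note))
```

The vendor suffix is the practical signal: on a banner such as "OpenSSH_7.2p2 Ubuntu-4ubuntu2.8" the version comparison alone says vulnerable, but the Ubuntu package changelog is what tells you whether CVE-2016-10010 through CVE-2016-10012 were actually backported.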
Solution
Upgrade to OpenSSH version 7.4 or later.
Public Exploits
Target Network Port(s): N/A
Target Asset(s): Services/ssh
Exploit Available: True (Exploit-DB, GitHub)
Exploit Ease: Exploits are available
Here's the list of publicly known exploits and PoCs for verifying the OpenSSH < 7.4 Multiple Vulnerabilities vulnerability:
1. Exploit-DB: exploits/linux/local/40962.txt
[EDB-40962: OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation]
2. GitHub: https://github.com/biswajitde/dsm_ips
[CVE-2016-10009]
3. GitHub: https://github.com/gabrieljcs/ips-assessment-reports
[CVE-2016-10009]
4. GitHub: https://github.com/phx/cvescan
[CVE-2016-10009]
5. GitHub: https://github.com/scmanjarrez/CVEScannerV2
[CVE-2016-10009]
6. GitHub: https://github.com/phx/cvescan
[CVE-2016-10010]
7. GitHub: https://github.com/scmanjarrez/CVEScannerV2
[CVE-2016-10010]
8. GitHub: https://github.com/phx/cvescan
[CVE-2016-10011]
9. GitHub: https://github.com/phx/cvescan
[CVE-2016-10012]
10. GitHub: https://github.com/scmanjarrez/CVEScannerV2
[CVE-2016-10012]
11. GitHub: https://github.com/phx/cvescan
[CVE-2016-10708]
12. GitHub: https://github.com/project7io/nmap
[CVE-2016-10708]
13. GitHub: https://github.com/offensive-security/exploitdb-bin-sploits/blob/master/bin-sploits/40962.zip
[EDB-40962]
Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered an illegal activity.
WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.
Risk Information
CVSS Score Source [?]: CVE-2016-10009
CVSS V2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C
CVSS Base Score: 7.5 (High)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
CVSS Temporal Score: 5.9 (Medium)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 5.9 (Medium)
Plugin Source
This is the openssh_74.nasl nessus plugin source code. This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include("compat.inc");
if (description)
{
script_id(96151);
script_version("1.8");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/04");
script_cve_id(
"CVE-2016-10009",
"CVE-2016-10010",
"CVE-2016-10011",
"CVE-2016-10012",
"CVE-2016-10708"
);
script_bugtraq_id(
94968,
94972,
94975,
94977
);
script_xref(name:"EDB-ID", value:"40962");
script_set_attribute(attribute:"synopsis", value:
"The SSH server running on the remote host is affected by multiple
vulnerabilities.");
script_set_attribute(attribute:"description", value:
"According to its banner, the version of OpenSSH running on the remote
host is prior to 7.4. It is, therefore, affected by multiple
vulnerabilities :
Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
script_set_attribute(attribute:"see_also", value:"http://www.openssh.com/txt/release-7.4");
script_set_attribute(attribute:"solution", value:
"Upgrade to OpenSSH version 7.4 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
The latest version of this script can be found in these locations depending on your platform:
Linux / Unix:
/opt/nessus/lib/nessus/plugins/openssh_74.nasl
Windows:
C:\ProgramData\Tenable\Nessus\nessus\plugins\openssh_74.nasl
Mac OS X:
/Library/Nessus/run/lib/nessus/plugins/openssh_74.nasl
How to Run
Here is how to run the OpenSSH < 7.4 Multiple Vulnerabilities plugin as a standalone plugin via the Nessus web user interface (https://localhost:8834/):
Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.
Basic usage:
Run the plugin with trace script execution written to the console (useful for debugging):
Run the plugin using a state file for the target and updating it (useful for running multiple plugins on the target):
References
BID | SecurityFocus Bugtraq ID:
94968, 94972, 94975, 94977
See also:
https://www.tenable.com/plugins/nessus/96151
http://www.openssh.com/txt/release-7.4
https://vulners.com/nessus/OPENSSH_74.NASL
Version
This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148. Plugin file openssh_74.nasl version 1.8. For more plugins, visit the Nessus Plugin Library.