CVE-2002-0640

OpenSSH 2.3.1-3.3 - Remote Code Execution via PAM Keyboard Interactive Authentication

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2002-0640. PoCs published by Gobbles Security, Christophe Devine.

AI-analyzed exploit summary The provided text is a vulnerability writeup for CVE-2002-0640, describing two remotely exploitable vulnerabilities in OpenSSH related to the SSH2 challenge-response mechanism. It outlines conditions for exploitation, affected configurations, and mitigation steps, but does not contain actual exploit code.

Description

Buffer overflow in sshd in OpenSSH 2.3.1 through 3.3 may allow remote attackers to execute arbitrary code via a large number of responses during challenge response authentication when OpenBSD is using PAM modules with interactive keyboard authentication (PAMAuthenticationViaKbdInt).

Exploits (2)

exploitdb WRITEUP VERIFIED
by Gobbles Security · textremoteunix
https://www.exploit-db.com/exploits/21579

The provided text is a vulnerability writeup for CVE-2002-0640, describing two remotely exploitable vulnerabilities in OpenSSH related to the SSH2 challenge-response mechanism. It outlines conditions for exploitation, affected configurations, and mitigation steps, but does not contain actual exploit code.

Classification
Writeup 90%
Attack Type
Rce | Dos
Complexity
Moderate
Reliability
Theoretical
Target: OpenSSH versions prior to 3.4 (with BSD_AUTH or SKEY support)
No auth needed
Prerequisites: OpenSSH server configured with PAMAuthenticationViaKbdInt or ChallengeResponseAuthentication · OpenSSH compiled with BSD_AUTH or SKEY support
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Christophe Devine · textremoteunix
https://www.exploit-db.com/exploits/21578

This exploit targets a vulnerability in OpenSSH's SSH2 challenge-response mechanism, allowing unauthenticated remote code execution by crafting a malicious response. It includes shellcode to spawn a root shell on port 128.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: OpenSSH versions prior to 3.4 (with BSD_AUTH or SKEY enabled)
No auth needed
Prerequisites: OpenSSH server configured with PAMAuthenticationViaKbdInt or ChallengeResponseAuthentication · Target system must be vulnerable (OpenSSH < 3.4)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (18)

Core 18
Core References
Third Party Advisory, VDB Entry vdb-entry
http://www.osvdb.org/839
Third Party Advisory, VDB Entry vdb-entry
http://www.securityfocus.com/bid/5093
Third Party Advisory vendor-advisory
http://www.debian.org/security/2002/dsa-134
US Government Resource third-party-advisory
http://www.cert.org/advisories/CA-2002-18.html
US Government Resource third-party-advisory
http://www.kb.cert.org/vuls/id/369347

Scores

EPSS 0.2732
EPSS Percentile 97.8%

Details

Status published
Products (26)
openbsd/openssh 1.2.2
openbsd/openssh 1.2.3
openbsd/openssh 2.1
openbsd/openssh 2.1.1
openbsd/openssh 2.2
openbsd/openssh 2.3
openbsd/openssh 2.5
openbsd/openssh 2.5.1
openbsd/openssh 2.5.2
openbsd/openssh 2.9
... and 16 more
Published Jul 03, 2002
Tracked Since Feb 18, 2026