Bugzilla – Attachment 21118 Details for Bug 56975: VUL-0: CVE-2004-0461: dhcp: remote buffer overflow
ISC Advisory
2004-06-10_1.txt (text/plain), 2.78 KB, created by Thomas Biege on 2004-06-14 18:15:10 UTC
> Hello,
>
> Today, ISC reported to us that a stack buffer overflow vulnerability exists in all versions of ISC's DHCP 3. This includes snapshots, betas, and release candidates. According to ISC, all operating systems and configurations are vulnerable.
>
> We plan on releasing this information with ISC's release of DHCP-3.0.1, which resolves this vulnerability.
>
> The following is ISC's description of the problem:
>
> --- Begin ISC Description ---
>
> In ISC DHCPD, every DHCP packet in a transaction is syslogged along with several pieces of descriptive information. The client's DISCOVER and the resulting OFFER, REQUEST, and ACK are all logged, as well as any NAKs. In all of these messages, if the client supplied a hostname, it was also included in the logged line.
>
> These log lines are temporarily stored in 1024 byte buffers on the stack.
>
> If the client supplied multiple hostname options (which in the DHCP specification implies they must be concatenated in order to carry a value which is longer than 255 bytes) and exceeds 1024 bytes in concert with other text being logged in the same line, AND the contents of the entire field do not contain any non-ascii or unprintable characters, then this 1024 byte buffer will be overflown, writing over the rest of the stack.
>
> Packets fashioned in the manner described above will crash the ISC DHCP daemon, all releases to date.
>
> The crash is a stack overflow, but it is not clear to this author whether or not that overflow can be used to execute arbitrary code. It may be possible to do so by using printf() escape characters, to bypass DHCPD's printability (plain ascii) checks.
>
> We must therefore conclude that it is probably exploitable, and this allows remote attackers arbitrary, although somewhat hindered by being delivered by udp, access as the user which dhcpd is run as (almost always, this is root).
>
> The vulnerability expects the attacker to be able to deliver a UDP packet to destination port 67 on the targeted system, by either broadcast on the local network (as per DHCP intentions) or via routed topology.
>
> As such, proper firewalling techniques may limit the scope of the attack to 'trusted systems', or no such scoping may be possible depending on the network configuration.
>
> Aside from that, coordinated with your release, ISC will make available ISC DHCP-3.0.1, currently undergoing internal testing and hoped to be ready (to be released in coordination) by this weekend. Users should be urged to upgrade to 3.0.1.
>
> --- End ISC Description ---
>
> If you build upon the code base of ISC's DHCP 3, or integrate it into a product, your product may also be vulnerable. Please send us any vendor statement or questions that we might be able to facilitate. We are currently negotiating a later release date; however, we tentatively plan to release Friday morning 6/11/04 around 11 am EST.
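As an added example (not part of the advisory and not ISC's dhcpd source), the C sketch below shows the defensive shape of the logging path the advisory describes: repeated Host Name options are concatenated per RFC 3396 with the total length tracked rather than assumed, the value is checked for printable ASCII, and the log line is built with snprintf into a buffer of the 1024-byte size the advisory names, with the client-supplied hostname passed as a `%.*s` argument (never as the format string) and capped at 255 bytes. The `struct dhcp_option` record, the option values and the addresses are constructed for this example; `MAX_LOGGED_HOSTNAME` is an example policy, not a dhcpd setting.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF_SIZE 1024        /* stack buffer size named in the advisory */
#define MAX_LOGGED_HOSTNAME 255 /* example policy: log at most this many hostname bytes */
#define OPT_HOST_NAME 12        /* DHCP Host Name option code (RFC 2132) */
#define OPT_MSG_TYPE 53         /* DHCP Message Type option code (RFC 2132) */

/* Hypothetical option record used by this example; not dhcpd's own structure. */
struct dhcp_option {
    unsigned char code;
    unsigned char len;
    const unsigned char *data;
};

/* Concatenate every instance of `code` (RFC 3396 long-option semantics) into
 * out, copying at most cap bytes.  Returns the full concatenated length so the
 * caller can detect truncation (result > cap) instead of overrunning out. */
size_t concat_option(const struct dhcp_option *opts, size_t nopts,
                     unsigned char code, unsigned char *out, size_t cap)
{
    size_t total = 0;
    for (size_t i = 0; i < nopts; i++) {
        if (opts[i].code != code)
            continue;
        for (size_t j = 0; j < opts[i].len; j++, total++)
            if (total < cap)
                out[total] = opts[i].data[j];
    }
    return total;
}

/* 1 if every byte is printable 7-bit ASCII (the check the advisory refers to). */
int all_printable(const unsigned char *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (s[i] > 0x7e || !isprint(s[i]))
            return 0;
    return 1;
}

/* Build "DHCPOFFER on <ip> to <mac> (<hostname>)" in buf, never writing past
 * cap.  The client-supplied hostname is a %.*s argument, not a format string,
 * and is cut at MAX_LOGGED_HOSTNAME bytes.  Returns the line length, or -1
 * if the hostname holds non-printable bytes. */
int format_offer_line(char *buf, size_t cap, const char *ip, const char *mac,
                      const unsigned char *host, size_t hostlen)
{
    if (cap == 0 || !all_printable(host, hostlen))
        return -1;
    int shown = hostlen > MAX_LOGGED_HOSTNAME ? MAX_LOGGED_HOSTNAME : (int)hostlen;
    int n = snprintf(buf, cap, "DHCPOFFER on %s to %s (%.*s)%s", ip, mac, shown,
                     (const char *)host, (size_t)shown < hostlen ? "[truncated]" : "");
    if (n < 0)
        return -1;
    /* snprintf returns the length it wanted; report what actually fits. */
    return (size_t)n >= cap ? (int)(cap - 1) : n;
}

/* Constructed sample: a client sends Host Name six times, 255 bytes each, so
 * the concatenated value is 1530 bytes, larger than the whole log buffer.
 * Returns the resulting log line length, or -1 if anything went wrong. */
int demo_oversized_hostname(void)
{
    static unsigned char chunk[255];
    memset(chunk, 'A', sizeof chunk);
    struct dhcp_option opts[] = {
        { OPT_MSG_TYPE, 1, (const unsigned char *)"\x01" },
        { OPT_HOST_NAME, 255, chunk }, { OPT_HOST_NAME, 255, chunk },
        { OPT_HOST_NAME, 255, chunk }, { OPT_HOST_NAME, 255, chunk },
        { OPT_HOST_NAME, 255, chunk }, { OPT_HOST_NAME, 255, chunk },
    };
    unsigned char host[2048];
    size_t hostlen = concat_option(opts, sizeof opts / sizeof opts[0],
                                   OPT_HOST_NAME, host, sizeof host);
    char line[LOGBUF_SIZE];
    int n = format_offer_line(line, sizeof line, "192.0.2.10",
                              "00:00:5e:00:53:01", host, hostlen);
    return (hostlen == 1530 && n > 0 && n < LOGBUF_SIZE) ? n : -1;
}

/* Constructed sample: a hostname carrying a control byte is refused outright. */
int demo_rejects_unprintable(void)
{
    char line[LOGBUF_SIZE];
    return format_offer_line(line, sizeof line, "192.0.2.11", "00:00:5e:00:53:02",
                             (const unsigned char *)"ok\x01host", 7) == -1;
}

int main(void)
{
    printf("oversized hostname -> %d-byte line\n", demo_oversized_hostname());
    printf("unprintable hostname rejected: %s\n",
           demo_rejects_unprintable() ? "yes" : "no");
    return 0;
}
```

The two properties that matter here are independent: the length cap keeps the formatted line inside the 1024-byte buffer no matter how many option instances a client concatenates, and keeping the hostname out of the format string removes the printf-escape concern the advisory raises even when the printability check is passed.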