exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ngsec.dhcpd.txt

ngsec.dhcpd.txt
Posted May 10, 2002
Authored by FJ Serna | Site ngsec.com

ISC DHCPD in its version 3 introduced new dns-update features. ISC DHCPD v3.0 to 3.0.1rc8 is vulnerable to a remote root format string bug attack, while reporting the result of a dns-update request.

tags | remote, root
SHA-256 | a290c9d40604af3f940c6014c394c6ae911843feb29f15807b203cd233a48342

ngsec.dhcpd.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Next Generation Security Technologies
http://www.ngsec.com
Security Advisory


Title: ISC DHCPDv3, remote root compromise
ID: NGSEC-2002-2
Application: ISC DHCPD version 3.0.1rc8 and older (http://www.isc.org)
Date: 05/06/2002
Status: Vendor and CERT contacted, new fixed version released.
Platform: Unix
Author: Fermín J. Serna <fjserna@ngsec.com>
Location: http://www.ngsec.com/docs/advisories/NGSEC-2002-2.txt


Overview:
- ---------

ISC DHCPD in its version 3 introduced new dns-update features. ISC DHCPD
is vulnerable to a format string bug attack, while reporting the result of
a dns-update request. Since ISC DHCPD runs with root privileges,
attackers can use this bug to gain unauthorized access, to the system
running ISC DHCPD, as root user.

CERT has issued an advisory located at:

http://www.cert.org/advisories/CA-2002-12.html


Technical description:
- ----------------------

ISC DHCPD (in its verion 3) is compiled by default with NSUPDATE. If ISC
DHCPD is configured to make a dns-update when a dhcp request arrives, it
will send a dns-update request to the configured DNS server. When the DNS
server sends the response the ISC DHCPD parses the packet and logs the
result of the dns-update request in the following way:


if (errorp)
log_error (obuf);
else
log_info (obuf);


This code lacks of format string. Since "obuf" contains some user supplied
data such as client hostname, an attacker can query the ISC DHCP server
with a hostname field containing a malign format string (%n).

This vulnerability can be exploited on local lans, lans with DHCP relay
servers or acting as a fake DHCP relay server.

NGSEC has developed an exploit for this vulnerability but we are not going
to release it for obvious reasons (remote root compromise to a widely
spread application).


Quick Patch:
- ------------

You can upgrade to a newer version or apply the following patch:

- --- common/print.c Tue Apr 9 13:41:17 2002
+++ common/print.c.patched Tue Apr 9 13:41:56 2002
@@ -1366,8 +1366,8 @@
*s++ = '.';
*s++ = 0;
if (errorp)
- - log_error (obuf);
+ log_error ("%s",obuf);
else
- - log_info (obuf);
+ log_info ("%s",obuf);
}
#endif /* NSUPDATE */


Recommendations:
- ----------------

Upgrade to a newer ISC DHCPD version.
Run ISC DHCPD on a secure environment.


More security advisories at: http://www.ngsec.com/ngresearch/ngadvisories/
PGP Key: http://www.ngsec.com/pgp/labs.asc

(c)Copyright 2002 NGSEC. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQE82WzVKrwoKcQl8Y4RAuQnAJ4/tGEj6o2dn8xIC4qH7OzNm/0jJwCdHjj2
y5S/lHw0PoTdWHpHBxj+Iio=
=chxv
-----END PGP SIGNATURE-----


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close