Caldera DHCP Package Format String Vulnerability
BID:2215
Info
| Bugtraq ID: | 2215 |
| Class: | Unknown |
| CVE: | CVE-2001-0181 |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 15 2001 12:00AM |
| Updated: | Jul 11 2009 04:46AM |
| Credit: | This vulnerability was first announced in a Caldera Security Advisory on January 15, 2001 via Bugtraq. |
| Vulnerable: | SCO eServer 2.3.1; SCO eDesktop 2.4; Caldera OpenLinux Desktop 2.3 |
| Not Vulnerable: | |
Discussion
DHCP, the Dynamic Host Configuration Protocol, is an open source, freely available, RFC-specified networking protocol for host management. It is included with most versions of the UNIX operating system.
A problem in the Caldera implementation could allow a format string attack. It affects both the DHCP daemon and the DHCP client, and involves how strings are formatted as they pass through the error logging code. Custom-crafted packets sent to either the daemon or the client can trigger an error and cause the formatted strings to be written to a static buffer. The buffer is then filled and overflowed, overwriting variables on the stack and potentially executing arbitrary code. A user with malicious motives could therefore execute arbitrary code and potentially gain access and elevated privileges.
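An added example, not code from the Caldera package or the advisory: a bounded error logger in C in which packet-derived text is only ever an argument to a literal format, so conversion specifiers in it are logged as plain characters and an oversized value is truncated instead of overrunning the static buffer. The names `log_error`, `report_bad_option` and `sink_write` and the 64-byte buffer are assumptions; `sink_write` stands in for a syslog-style sink.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_LEN 64                 /* assumed size, small so truncation is visible */
static char log_buf[LOG_BUF_LEN];      /* static message buffer */
static char last_line[LOG_BUF_LEN];    /* what the stand-in sink received */

/* Stand-in sink: receives the message as data, like syslog(pri, "%s", msg). */
static void sink_write(const char *msg) {
    snprintf(last_line, sizeof last_line, "%s", msg);
}

/* fmt must be a literal chosen by the caller. vsnprintf bounds the write;
 * an unbounded vsprintf here could run past log_buf. Returns 1 if truncated. */
static int log_error(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(log_buf, sizeof log_buf, fmt, ap);
    va_end(ap);
    if (n < 0) log_buf[0] = '\0';      /* encoding error: log an empty line */
    sink_write(log_buf);
    return n >= (int)sizeof log_buf;
}

/* Text taken from a packet is an argument to %s, never the format itself. */
static int report_bad_option(const char *from_packet) {
    return log_error("bad option value: %s", from_packet);
}

static const char *logged(void) { return last_line; }

int main(void) {
    /* Constructed inputs, not captured traffic. */
    int t1 = report_bad_option("host%x%x%n");
    printf("truncated=%d line=[%s]\n", t1, logged());
    int t2 = report_bad_option("%s%s%s%s%s%s%s%s%s%s" "%s%s%s%s%s%s%s%s%s%s"
                               "%s%s%s%s%s%s%s%s%s%s");
    printf("truncated=%d len=%zu\n", t2, strlen(logged()));
    return 0;
}
```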
Exploit / POC
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
Upgrades available:
Caldera OpenLinux Desktop 2.3
- Caldera OpenLinux Desktop 2.3 dhcpd-1.0pl2-4.i386.rpm
  ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/dhcpd-1.0pl2-4.i386.rpm
SCO eServer 2.3.1
- Caldera eServer 2.3.1 dhcp2-2.0-1.i386.rpm
  ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/dhcp2-2.0-1.i386.rpm
SCO eDesktop 2.4
- Caldera eDesktop 2.4 dhcp-2.0b1pl29-2.i386.rpm
  ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/dhcp-2.0b1pl29-2.i386.rpm