ISC DHCPD Server Remote Stack Corruption Vulnerability
BID:25984
Info
| Bugtraq ID: | 25984 |
| Class: | Boundary Condition Error |
| CVE: | CVE-2007-5365, CVE-2007-0063 |
| Remote: | Yes |
| Local: | No |
| Published: | Oct 09 2007 12:00AM |
| Updated: | Nov 10 2008 04:45PM |
| Credit: | Neel Mehta and Ryan Smith from IBM X-Force discovered this issue in VMware, which triggered this report from Nahuel Riva and Gerardo Richarte from the CORE IMPACT Exploit Writers Team |
| Vulnerable: | Ubuntu Ubuntu Linux 7.10 sparc; Ubuntu Ubuntu Linux 7.10 powerpc; Ubuntu Ubuntu Linux 7.10 i386; Ubuntu Ubuntu Linux 7.10 amd64; Ubuntu Ubuntu Linux 7.04 sparc; Ubuntu Ubuntu Linux 7.04 powerpc; Ubuntu Ubuntu Linux 7.04 i386; Ubuntu Ubuntu Linux 7.04 amd64; Ubuntu Ubuntu Linux 6.10 sparc; Ubuntu Ubuntu Linux 6.10 powerpc; Ubuntu Ubuntu Linux 6.10 i386; Ubuntu Ubuntu Linux 6.10 amd64; Ubuntu Ubuntu Linux 6.06 LTS sparc; Ubuntu Ubuntu Linux 6.06 LTS powerpc; Ubuntu Ubuntu Linux 6.06 LTS i386; Ubuntu Ubuntu Linux 6.06 LTS amd64; Sun Solaris 9_x86; Sun Solaris 9; Sun Solaris 8_x86; Sun Solaris 8_sparc; Sun Solaris 10_x86; Sun Solaris 10; Sun OpenSolaris build snv_96; Sun OpenSolaris build snv_95; Sun OpenSolaris build snv_92; Sun OpenSolaris build snv_91; Sun OpenSolaris build snv_90; Sun OpenSolaris build snv_89; Sun OpenSolaris build snv_88; Sun OpenSolaris build snv_87; Sun OpenSolaris build snv_85; Sun OpenSolaris build snv_80; Sun OpenSolaris build snv_68; Sun OpenSolaris build snv_67; Sun OpenSolaris build snv_64; Sun OpenSolaris build snv_59; Sun OpenSolaris build snv_39; Sun OpenSolaris build snv_36; Sun OpenSolaris build snv_22; Sun OpenSolaris build snv_19; Sun OpenSolaris build snv_13; Sun OpenSolaris build snv_102; Sun OpenSolaris build snv_100; Sun OpenSolaris build snv_02; Sun OpenSolaris build snv_01; Redhat Enterprise Linux ES 2.1 IA64; Redhat Enterprise Linux ES 2.1; Redhat Enterprise Linux AS 2.1 IA64; Redhat Enterprise Linux AS 2.1; Redhat Advanced Workstation for the Itanium Processor 2.1 IA64; Redhat Advanced Workstation for the Itanium Processor 2.1; OpenBSD OpenBSD 4.2; OpenBSD OpenBSD 4.1; OpenBSD OpenBSD 4.0; ISC DHCPD 2.0.pl5; ISC DHCPD 2.0; Debian Linux 3.1 sparc; Debian Linux 3.1 s/390; Debian Linux 3.1 ppc; Debian Linux 3.1 mipsel; Debian Linux 3.1 mips; Debian Linux 3.1 m68k; Debian Linux 3.1 ia-64; Debian Linux 3.1 ia-32; Debian Linux 3.1 hppa; Debian Linux 3.1 arm; Debian Linux 3.1 amd64; Debian Linux 3.1 alpha; Debian Linux 3.1; Debian Linux 4.0 sparc; Debian Linux 4.0 s/390; Debian Linux 4.0 powerpc; Debian Linux 4.0 mipsel; Debian Linux 4.0 mips; Debian Linux 4.0 m68k; Debian Linux 4.0 ia-64; Debian Linux 4.0 ia-32; Debian Linux 4.0 hppa; Debian Linux 4.0 arm; Debian Linux 4.0 amd64; Debian Linux 4.0 alpha; Debian Linux 4.0 |
| Not Vulnerable: | |
Discussion
ISC DHCPD is prone to a remote stack-corruption vulnerability because the software fails to properly bounds-check user-supplied input.
Successfully exploiting this issue allows attackers on the same LAN segment as the vulnerable DHCP server to corrupt the application's stack. This may allow attackers to run arbitrary machine code and to compromise affected computers.
ISC DHCP versions in the 2.x series are vulnerable to this issue. OpenBSD's 'dhcpd' is a fork of ISC DHCPD and is also vulnerable.
Exploit / POC
Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.
The following exploit code is available:
Solution / Fix
Solution:
OpenBSD has released patches to address this issue. Please see the references for more information.
ISC DHCP versions 2.x are no longer maintained. Users of affected packages may be able to utilize the patches made by the OpenBSD project to address this issue.
OpenBSD OpenBSD 4.2
- OpenBSD 001_dhcpd.patch: ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.2/common/001_dhcpd.patch
OpenBSD OpenBSD 4.1
- OpenBSD 010_dhcpd.patch: ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.1/common/010_dhcpd.patch
OpenBSD OpenBSD 4.0
- OpenBSD 016_dhcpd.patch: ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/016_dhcpd.patch
References
- CVS log for src/usr.sbin/dhcpd/options.c (OpenBSD)
- Debian Bug report logs - #446354 (Debian)
- ISC DHCP Homepage (ISC)
- OpenBSD Errata Page (OpenBSD)
- OpenBSD Homepage (OpenBSD)
- CORE-2007-0928: Stack-based buffer overflow vulnerability in OpenBSD's DHCP serv (Core Security Technologies Advisories)
- DoS Exploit for DHCPd bug (Bugtraq ID 25984 ; CVE-2007-5365) (Roman Medina-Heigl Hernandez)
- RHSA-2007:0970-3 dhcp security update (Red Hat)
- Solution 243806: Security Vulnerabilities in DHCP Handling of DHCP Requests May (Sun)
- Stack-based buffer overflow vulnerability in OpenBSD's DHCP server (Core)