[UNIX] ISC DHCPDv3 Remote Root Compromise
From: support@securiteam.com  Date: 05/08/02
From: support@securiteam.com To: list@securiteam.com Date: Wed, 8 May 2002 20:33:47 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
ISC DHCPDv3 Remote Root Compromise
------------------------------------------------------------------------
SUMMARY
ISC DHCPD (<http://www.isc.org/products/DHCP/>) version 3 introduced new
DNS update (dns-update) features. The code that reports the result of a
dns-update request contains a format string vulnerability. Since ISC
DHCPD runs with root privileges, an attacker can use this bug to gain
unauthorized root access to the system running ISC DHCPD.
DETAILS
Vulnerable systems:
ISC DHCPD version 3.0.1rc8
Immune systems:
ISC DHCPD version 3.0p1
ISC DHCPD version 3 is compiled with NSUPDATE support by default. If ISC
DHCPD is configured to perform a DNS update when a DHCP request arrives, it
sends a dns-update request to the configured DNS server. When the DNS
server replies, ISC DHCPD parses the response and logs the result of the
dns-update request as follows:
        if (errorp)
                log_error (obuf);
        else
                log_info (obuf);
This code passes obuf directly as the format string of the printf-style
log functions instead of logging it through a constant "%s" format. Since
obuf contains user-supplied data such as the client hostname, an attacker
can send a DHCP request whose hostname option carries format directives
(for example %n, which writes to memory), and the logging routine will
interpret them.
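The following stand-alone example, added here and not taken from ISC's
sources, shows the defect described above next to its corrected form. It
assumes a simplified status line ("updated <hostname>: success") and a
stub log_info() that captures the formatted output instead of writing to
syslog; the real print.c builds obuf piecewise and the real log functions
write to the system log. A hostname containing "%%" is used because its
effect is deterministic: the vulnerable path collapses it to "%", proving
that the hostname reached the format parser, whereas the fixed path logs it
verbatim. A "%n" in the same position would take the write path the
advisory warns about.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example (not ISC code). last_line captures what the stub logger
 * formatted so the effect of the bug can be inspected and asserted on. */
static char last_line[512];

/* Stub for dhcpd's printf-style log_info()/log_error(). The format
 * attribute lets gcc/clang flag log_info(obuf) with -Wformat-security. */
#if defined(__GNUC__)
__attribute__((format(printf, 1, 2)))
#endif
static void log_info(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_line, sizeof last_line, fmt, ap);
    va_end(ap);
}

/* Assumed simplification of how print.c assembles obuf: the client
 * hostname (attacker-controlled DHCP option) is copied into the status
 * line. This step itself is safe; the bug is in how obuf is logged. */
static void build_status(char *obuf, size_t len, const char *hostname)
{
    snprintf(obuf, len, "updated %s: success", hostname);
}

/* Vulnerable pattern from the advisory: obuf becomes the format string,
 * so any %-directive inside the hostname is interpreted. */
const char *report_vulnerable(const char *hostname)
{
    char obuf[256];
    build_status(obuf, sizeof obuf, hostname);
    log_info(obuf);             /* BUG: attacker data used as format */
    return last_line;
}

/* Fixed pattern from the advisory's patch: a constant "%s" format with
 * obuf passed as its argument, so its contents are never parsed. */
const char *report_fixed(const char *hostname)
{
    char obuf[256];
    build_status(obuf, sizeof obuf, hostname);
    log_info("%s", obuf);
    return last_line;
}

int main(void)
{
    const char *hostname = "a%%b";   /* constructed attacker hostname */
    printf("vulnerable: %s\n", report_vulnerable(hostname));
    printf("fixed:      %s\n", report_fixed(hostname));
    return 0;
}
```

Compile with `-Wformat -Wformat-security` and the compiler reports the
call in report_vulnerable() as a non-literal format with no arguments;
that warning is the cheapest way to find remaining instances of this
pattern in a code base whose log functions carry the format attribute.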
This vulnerability can be exploited from the local LAN, from any network
that reaches the server through a DHCP relay, or by sending requests
directly to the server while posing as a DHCP relay agent.
NGSEC has developed an exploit for this vulnerability but is not going to
release it, for obvious reasons (remote root compromise of a widely
deployed application).
Quick Patch:
You can upgrade to a newer version or apply the following patch:
- --- common/print.c Tue Apr 9 13:41:17 2002
+++ common/print.c.patched Tue Apr 9 13:41:56 2002
@@ -1366,8 +1366,8 @@
*s++ = '.';
*s++ = 0;
if (errorp)
- - log_error (obuf);
+ log_error ("%s",obuf);
else
- - log_info (obuf);
+ log_info ("%s",obuf);
}
#endif /* NSUPDATE */
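Review bot: the "%s" fix is correct for the two calls in this hunk, but it covers only the NSUPDATE reporting branch of common/print.c; any other log_error()/log_info() call elsewhere in the tree that passes a non-literal buffer as its sole argument has the same defect and needs the same change, which gcc's -Wformat-security reports directly once the log functions carry a printf format attribute. Note also that the leading "- " on the file header and on the removed lines ("- --- common/print.c", "- - log_error (obuf);") is mailing-list dash escaping rather than part of the diff; strip it before applying, or patch(1) will neither recognise the file header nor match the removed lines.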
Recommendations:
Upgrade to a newer ISC DHCPD version. Run ISC DHCPD in a hardened
environment, for example chrooted and with the least privilege the
deployment allows, so that a compromise of the daemon does not directly
yield root.
ADDITIONAL INFORMATION
The information has been provided by <mailto:labs@ngsec.com> NGSEC
Research Team.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.