DHCP mitm clarification
From: Julien Vanegue (vanegu_j@epita.fr)
Date: 09/24/02
Date: 24 Sep 2002 21:01:46 -0000
From: Julien Vanegue <vanegu_j@epita.fr>
To: vuln-dev@securityfocus.com
In-Reply-To: <20020921000213.31474.qmail@mail.securityfocus.com>

This technique has been used for years now, and very advanced, highly
configurable software has been developed for it. Just to quote the
RFC written in 1997:

7. Security Considerations

DHCP is built directly on UDP and IP which are as yet inherently
insecure. Furthermore, DHCP is generally intended to make
maintenance of remote and/or diskless hosts easier. While perhaps
not impossible, configuring such hosts with passwords or keys may be
difficult and inconvenient. Therefore, DHCP in its current form is
quite insecure.

Unauthorized DHCP servers may be easily set up. Such servers can
then send false and potentially disruptive information to clients
such as incorrect or duplicate IP addresses, incorrect routing
information (including spoof routers, etc.), incorrect domain
nameserver addresses (such as spoof nameservers), and so on.
Clearly, once this seed information is in place, an attacker can
further compromise affected systems.

Malicious DHCP clients could masquerade as legitimate clients and
retrieve information intended for those legitimate clients. Where
dynamic allocation of resources is used, a malicious client could
claim all resources for itself, thereby denying resources to
legitimate clients.

Source document: http://www.faqs.org/rfcs/rfc2131.html

Enjoy
-- mayhem
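
Added example, not part of the original post: a defender-side check for the unauthorized-server case quoted above. It parses a DHCP reply payload and reports OFFER/ACK messages whose server identifier (option 54) is not on a site allowlist, together with the router (option 3) and nameserver (option 6) values they hand out. The allowlist, the function names and the sample addresses are assumptions made for the illustration.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 marker that precedes the options field
AUTHORIZED_SERVERS = {"192.0.2.1"}   # assumption: the site's legitimate DHCP server(s)

def parse_dhcp(payload):
    """Return (message type, {option code: raw value}) for a DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:              # end option
            break
        if code == 0:                # pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return (opts.get(53) or b"\x00")[0], opts

def ips(raw):
    """Decode a packed list of IPv4 addresses (options 3, 6 and 54 use this form)."""
    return [socket.inet_ntoa(raw[i:i + 4]) for i in range(0, len(raw) - 3, 4)]

def check_reply(payload, authorized=AUTHORIZED_SERVERS):
    """Return an alert dict for an OFFER/ACK from an unlisted server, else None."""
    mtype, opts = parse_dhcp(payload)
    if mtype not in (2, 5):          # 2 = DHCPOFFER, 5 = DHCPACK
        return None
    server = (ips(opts.get(54, b"")) or ["<missing>"])[0]
    if server in authorized:
        return None
    return {"server": server, "routers": ips(opts.get(3, b"")), "dns": ips(opts.get(6, b""))}

def build_reply(mtype, server, router, dns):
    """Constructed sample input: minimal BOOTREPLY with options 53, 54, 3 and 6."""
    hdr = struct.pack("!BBBB", 2, 1, 6, 0) + bytes(232)   # op, htype, hlen, hops, rest zeroed
    opt = b"".join(bytes([c, len(v)]) + v for c, v in [
        (53, bytes([mtype])), (54, socket.inet_aton(server)),
        (3, socket.inet_aton(router)), (6, socket.inet_aton(dns))])
    return hdr + MAGIC_COOKIE + opt + b"\xff"

if __name__ == "__main__":
    print(check_reply(build_reply(2, "192.0.2.1", "192.0.2.1", "192.0.2.53")))
    print(check_reply(build_reply(2, "198.51.100.66", "198.51.100.66", "198.51.100.67")))
```

The server identifier is set by whoever sends the reply, so this check only catches servers that announce their own address; comparing the frame's source MAC and switch port against the known server, or enabling DHCP snooping on the switches, covers a sender that copies the legitimate identifier.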