OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: NGSEC Research Team (labsngsec.com)
Date: Wed May 08 2002 - 12:05:24 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                       Next Generation Security Technologies
                              http://www.ngsec.com
                                Security Advisory

           Title: ISC DHCPDv3, remote root compromise
              ID: NGSEC-2002-2
     Application: ISC DHCPD version 3.0.1rc8 and older (http://www.isc.org)
            Date: 05/06/2002
          Status: Vendor and CERT contacted, new fixed version released.
        Platform: Unix
          Author: Fermín J. Serna <fjsernangsec.com>
        Location: http://www.ngsec.com/docs/advisories/NGSEC-2002-2.txt

    Overview:
    - ---------

    ISC DHCPD in its version 3 introduced new dns-update features. ISC DHCPD
    is vulnerable to a format string bug attack, while reporting the result of
    a dns-update request. Since ISC DHCPD runs with root privileges,
    attackers can use this bug to gain unauthorized access, to the system
    running ISC DHCPD, as root user.

    CERT has issued an advisory located at:

        http://www.cert.org/advisories/CA-2002-12.html

    Technical description:
    - ----------------------

    ISC DHCPD (in its verion 3) is compiled by default with NSUPDATE. If ISC
    DHCPD is configured to make a dns-update when a dhcp request arrives, it
    will send a dns-update request to the configured DNS server. When the DNS
    server sends the response the ISC DHCPD parses the packet and logs the
    result of the dns-update request in the following way:

            if (errorp)
                    log_error (obuf);
            else
                    log_info (obuf);

    This code lacks of format string. Since "obuf" contains some user supplied
    data such as client hostname, an attacker can query the ISC DHCP server
    with a hostname field containing a malign format string (%n).

    This vulnerability can be exploited on local lans, lans with DHCP relay
    servers or acting as a fake DHCP relay server.

    NGSEC has developed an exploit for this vulnerability but we are not going
    to release it for obvious reasons (remote root compromise to a widely
    spread application).

    Quick Patch:
    - ------------

    You can upgrade to a newer version or apply the following patch:

    - --- common/print.c Tue Apr 9 13:41:17 2002
    +++ common/print.c.patched Tue Apr 9 13:41:56 2002
    -1366,8 +1366,8
                    *s++ = '.';
            *s++ = 0;
            if (errorp)
    - - log_error (obuf);
    + log_error ("%s",obuf);
            else
    - - log_info (obuf);
    + log_info ("%s",obuf);
     }
     #endif /* NSUPDATE */

    Recommendations:
    - ----------------

    Upgrade to a newer ISC DHCPD version.
    Run ISC DHCPD on a secure environment.

    More security advisories at: http://www.ngsec.com/ngresearch/ngadvisories/
    PGP Key: http://www.ngsec.com/pgp/labs.asc

    (c)Copyright 2002 NGSEC. All rights reserved.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: Made with pgp4pine 1.76

    iD8DBQE82VrYKrwoKcQl8Y4RAoq1AKCDeEz8g7LY/ZkGiscK6xHaOXTDMQCfS4pC
    8h0PTbFM5kUmg9fX8XOVI3A=
    =yZhF
    -----END PGP SIGNATURE-----