[linux-security] remote root exploit in dhcp server
- To: linux-security
- Subject: [linux-security] remote root exploit in dhcp server
- From: Martin Siegert <siegert@sfu.ca>
- Date: Wed, 29 Jan 2003 17:51:18 -0800
- User-Agent: Mutt/1.4i
Topic
=====
- remote root exploit possible on DHCP servers
- denial of service attack possible against DHCP servers
Problem Description
===================
Several vulnerabilities affect the ISC (Internet Software Consortium)
DHCP (Dynamic Host Configuration Protocol) server. DHCP is a protocol
which allows devices to get their own network configuration information
from a server.
1) Vulnerabilities exist in error handling routines within the minires
library and may be exploitable as stack overflows. This could allow a
remote attacker to execute arbitrary code under the user id the dhcpd
runs under, usually root.
2) When the dhcp-relay receives a BOOTP request it forwards the request
to the DHCP server using the broadcast MAC address ff:ff:ff:ff:ff:ff
which causes the network interface to reflect the packet back into the
socket. To prevent loops the dhcrelay checks whether the
relay-address is its own, in which case the packet would be dropped.
In combination with a missing upper boundary for the hop counter an
attacker can force the dhcp-relay to send a continuing packet storm
towards the configured dhcp server(s) [such a packet storm may be
caused by buggy Cisco switches].
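
The forwarding decision described in problem 2), with and without an upper bound on the hop counter, as an added example (not code from ISC dhcrelay or from this advisory). The struct, function names, addresses and the MAX_HOPS value of 4 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Only the BOOTP header fields the relay decision needs. */
struct bootp_hdr {
    uint8_t  op;      /* 1 = BOOTREQUEST */
    uint8_t  hops;    /* incremented by each relay that forwards the packet */
    uint32_t giaddr;  /* relay agent address, 0 if not yet relayed */
};

#define MAX_HOPS 4    /* assumed cap for this example */

enum verdict { FORWARD, DROP_OWN_GIADDR, DROP_HOP_LIMIT };

/* Decide what to do with a request; cap_hops = 0 models a relay without the bound. */
enum verdict relay_request(struct bootp_hdr *p, uint32_t self, int cap_hops)
{
    if (p->giaddr == self)
        return DROP_OWN_GIADDR;        /* the loop check named in the advisory */
    if (cap_hops && p->hops >= MAX_HOPS)
        return DROP_HOP_LIMIT;         /* the upper boundary that was missing */
    if (p->giaddr == 0)
        p->giaddr = self;              /* first relay stamps its own address */
    p->hops++;
    return FORWARD;
}

/* Feed every forwarded packet back in, as the broadcast reflection does.
 * Returns how many copies go out to the server, stopping at sim_limit. */
int count_forwards(struct bootp_hdr p, uint32_t self, int cap_hops, int sim_limit)
{
    int sent = 0;
    while (sent < sim_limit && relay_request(&p, self, cap_hops) == FORWARD)
        sent++;
    return sent;
}

int main(void)
{
    const uint32_t self = 0x0a000001;                /* constructed: 10.0.0.1 */
    struct bootp_hdr fresh   = { 1, 0, 0 };          /* giaddr not yet set */
    struct bootp_hdr relayed = { 1, 0, 0x0a000063 }; /* constructed: other relay's giaddr */

    printf("fresh, no cap:     %d\n", count_forwards(fresh, self, 0, 1000));
    printf("relayed, no cap:   %d\n", count_forwards(relayed, self, 0, 1000));
    printf("relayed, with cap: %d\n", count_forwards(relayed, self, 1, 1000));
    return 0;
}
```

The own-address check stops the reflection only when the relay itself filled in giaddr; a request that already carries a different giaddr keeps passing the check, so the hop limit is the only thing that ends the loop.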
Affected Versions
=================
ISC dhcp-3.0
Solution
========
Upgrade to the patched version for your distribution.
Currently only Debian provides a patch for problems 1) and 2).
All other upgrade packages listed below only fix problem 1), i.e.,
the remote root exploit.
Debian 3.0 (woody)
------------------
upgrade to dhcp3-common_3.0+3.0.1rc9-2.2_i386.deb,
dhcp3-server_3.0+3.0.1rc9-2.2_i386.deb,
dhcp3-client_3.0+3.0.1rc9-2.2_i386.deb,
dhcp3-relay_3.0+3.0.1rc9-2.2_i386.deb,
dhcp3-dev_3.0+3.0.1rc9-2.2_i386.deb
SuSE-7.2
--------
rpm -Fvh dhcp-3.0rc4-32.i386.rpm \
dhcp-devel-3.0rc4-32.i386.rpm \
dhcrelay-3.0rc4-32.i386.rpm \
dhclient-3.0rc4-32.i386.rpm
SuSE-7.3
--------
rpm -Fvh dhcp-3.0rc12-56.i386.rpm \
dhcp-devel-3.0rc12-56.i386.rpm \
dhcrelay-3.0rc12-56.i386.rpm \
dhclient-3.0rc12-56.i386.rpm
SuSE-8.0
--------
rpm -Fvh dhcp-base-3.0.1rc6-15.i386.rpm \
dhcp-server-3.0.1rc6-10.i386.rpm
SuSE-8.1
--------
rpm -Fvh dhcp-base-3.0.1rc9-59.i586.rpm \
dhcp-server-3.0.1rc9-59.i586.rpm \
dhcp-devel-3.0.1rc9-59.i586.rpm \
dhcp-relay-3.0.1rc9-59.i586.rpm \
dhcp-client-3.0.1rc9-59.i586.rpm
RedHat 8.0
----------
rpm -Fvh dhcp-3.0pl1-15.i386.rpm \
dhclient-3.0pl1-15.i386.rpm \
dhcp-devel-3.0pl1-15.i386.rpm
Mandrake 7.2
------------
rpm -Fvh dhcp-3.0b2pl9-4.2mdk.i586.rpm \
dhcp-client-3.0b2pl9-4.2mdk.i586.rpm \
dhcp-relay-3.0b2pl9-4.2mdk.i586.rpm
Mandrake 8.1
------------
rpm -Fvh dhcp-server-3.0-0.rc12.2.2mdk.i586.rpm \
dhcp-common-3.0-0.rc12.2.2mdk.i586.rpm \
dhcp-client-3.0-0.rc12.2.2mdk.i586.rpm \
dhcp-relay-3.0-0.rc12.2.2mdk.i586.rpm \
dhcp-devel-3.0-0.rc12.2.2mdk.i586.rpm
Mandrake 8.2
------------
rpm -Fvh dhcp-server-3.0-1rc8.2.2mdk.i586.rpm \
dhcp-common-3.0-1rc8.2.2mdk.i586.rpm \
dhcp-client-3.0-1rc8.2.2mdk.i586.rpm \
dhcp-relay-3.0-1rc8.2.2mdk.i586.rpm \
dhcp-devel-3.0-1rc8.2.2mdk.i586.rpm
Mandrake 9.0
------------
rpm -Fvh dhcp-server-3.0-1rc9.3mdk.i586.rpm \
dhcp-common-3.0-1rc9.3mdk.i586.rpm \
dhcp-client-3.0-1rc9.3mdk.i586.rpm \
dhcp-relay-3.0-1rc9.3mdk.i586.rpm \
dhcp-devel-3.0-1rc9.3mdk.i586.rpm