[linux-security] dhcp remote exploit
- To: linux-security
- Subject: [linux-security] dhcp remote exploit
- From: Martin Siegert <siegert@sfu.ca>
- Date: Tue, 4 Jun 2002 19:05:28 -0700
- User-Agent: Mutt/1.2.5.1i
Topic
=====
remote exploit in ISC's dhcp version 3.0
Problem Description
===================
ISC's DHCPD listens for requests from client machines connecting to the
network. Versions 3 to 3.0.1rc8 (inclusive) of DHCPD contain an option
(NSUPDATE) that is enabled by default. NSUPDATE allows the DHCP server to
send information about the host to the DNS server after processing a DHCP
request. The DNS server responds by sending an acknowledgement message back
to the DHCP server that may contain user-supplied data (like a host name).
When the DHCP server receives the acknowledgement message from the DNS server,
it logs the transaction. A format string vulnerability exists in ISC's DHCPD
code that logs the transaction. This vulnerability may permit a remote
attacker to execute code with the privileges of the DHCP daemon.
Affected Systems
================
dhcp versions 3.0 to 3.0.1rc8 inclusive.
(To my knowledge only Mandrake is affected, but check the version of your
dhcp package to make sure.)
Solution
========
Upgrade to version 3.0p1 or version 3.0.1rc9 (or the patched version for
your distribution).
Mandrake 7.2
------------
rpm -Fvh dhcp-3.0b2pl9-4.1mdk.i586.rpm \
dhcp-client-3.0b2pl9-4.1mdk.i586.rpm \
dhcp-relay-3.0b2pl9-4.1mdk.i586.rpm
Mandrake 8.1
------------
rpm -Fvh dhcp-client-3.0-0.rc12.2.1mdk.i586.rpm \
dhcp-common-3.0-0.rc12.2.1mdk.i586.rpm \
dhcp-devel-3.0-0.rc12.2.1mdk.i586.rpm \
dhcp-relay-3.0-0.rc12.2.1mdk.i586.rpm \
dhcp-server-3.0-0.rc12.2.1mdk.i586.rpm
Mandrake 8.2
------------
rpm -Fvh dhcp-client-3.0-1rc8.2.1mdk.i586.rpm \
dhcp-common-3.0-1rc8.2.1mdk.i586.rpm \
dhcp-devel-3.0-1rc8.2.1mdk.i586.rpm \
dhcp-relay-3.0-1rc8.2.1mdk.i586.rpm \
dhcp-server-3.0-1rc8.2.1mdk.i586.rpm
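
The class of logging flaw named in the Problem Description, shown next to its
corrected form. This is an added example, not part of the original message and
not ISC's code; log_line(), log_ack_flawed(), log_ack_fixed() and the sample
host name are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a daemon's printf-style log routine. */
static int log_line(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Flawed pattern: a message that already contains a peer-supplied name is
 * handed to the logger as the FORMAT argument, so any '%' in the name is
 * parsed as a conversion. Declaring log_line() with
 * __attribute__((format(printf, 3, 4))) lets gcc/clang -Wformat-security
 * flag this call at build time. */
int log_ack_flawed(char *out, size_t n, const char *name)
{
    char msg[256];
    snprintf(msg, sizeof msg, "dns update ack for %s", name);
    return log_line(out, n, msg);
}

/* Corrected pattern: the format is a constant and the untrusted name is
 * passed only as data for %s. */
int log_ack_fixed(char *out, size_t n, const char *name)
{
    return log_line(out, n, "dns update ack for %s", name);
}

int main(void)
{
    /* Constructed sample: a name containing the harmless "%%" sequence. */
    const char *name = "host%%lab";
    char a[128], b[128];

    log_ack_flawed(a, sizeof a, name);
    log_ack_fixed(b, sizeof b, name);
    printf("flawed: %s\nfixed:  %s\n", a, b);
    return 0;
}
```

The flawed path collapses the doubled percent sign, which shows the name was
parsed as a format; the fixed path logs the name byte for byte.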