GEN:SID | 1:2039 |
Message | MISC bootp hostname format string attempt |
Summary | The Dynamic Host Configuration Protocol (DHCP) daemon is used to issue dynamic IP addresses from a server to client machines. A vulnerability exists such that arbitrary code may be executed on the server using the credential of the super user (root).
|
Impact | Execution of code and possible control of the targeted machine.
|
Detailed Information | A format string vulnerabilty in some versions of dhcpd may lead to the execution of arbitrary code as the root user via a DNS server response. This is due to the unsafe logging of user data. The option NSUPDATE option in the configuration of dhcpd must be enabled, although this is a default option in version 3.0 and later.
Two exploits for this vulnerability are known to exist.
|
Affected Systems | ISC DHCPD 3.0 Caldera OpenLinux Server 3.1 and 3.1.1 Caldera OpenLinux Workstation 3.1 and 3.1.1 Conectiva Linux 8.0 MandrakeSoft Linux Mandrake 8.1, 8.1 ia64, 8.2, 8.2 ppc and 9.0 MandrakeSoft Multi Network Firewall 8.2 S.u.S.E. Linux 7.2, 7.3 and 8.0 S.u.S.E. Linux Connectivity Server S.u.S.E. Linux Database Server S.u.S.E. Linux Enterprise Server 7 and S/390
ISC DHCPD 3.0.1 rc8 and ISC DHCPD 3.0.1 rc7 FreeBSD FreeBSD 4.1.1, 4.2, 4.3, 4.4 and 4.5
ISC DHCPD 3.0.1 rc6 S.u.S.E. Linux 8.0 and 8.0 i386
ISC DHCPD 3.0.1 rc5, ISC DHCPD 3.0.1 rc4 OpenPKG OpenPKG 1.0
ISC DHCPD 3.0.1 rc3, rc2 and rc1
|
Attack Scenarios | The attacker could send a specially crafted packet to the dhcpd server or use one of the exploits widely available for this vulnerability.
|
Ease of Attack | Simple
|
Corrective Action | Patches from the vendor should be applied as soon as possible.
Upgrade to ISC DHCPD 3.0.1 rc 9.
|
Additional References | Bugtraq: http://www.securityfocus.com/bid/4701
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0702
|
Rule References | bugtraq: 4701
cve: 2002-0702
nessus: 11312
|