GEN:SID 1:2039
Message MISC bootp hostname format string attempt
Summary The Dynamic Host Configuration Protocol (DHCP) daemon is used to issue
dynamic IP addresses from a server to client machines. A vulnerability
exists such that arbitrary code may be executed on the server using the
credential of the super user (root).
Impact Execution of code and possible control of the targeted machine.
Detailed Information A format string vulnerabilty in some versions of dhcpd may lead to the
execution of arbitrary code as the root user via a DNS server response.
This is due to the unsafe logging of user data. The option NSUPDATE
option in the configuration of dhcpd must be enabled, although this is a
default option in version 3.0 and later.

Two exploits for this vulnerability are known to exist.
Affected Systems ISC DHCPD 3.0
Caldera OpenLinux Server 3.1 and 3.1.1
Caldera OpenLinux Workstation 3.1 and 3.1.1
Conectiva Linux 8.0
MandrakeSoft Linux Mandrake 8.1, 8.1 ia64, 8.2, 8.2 ppc and 9.0
MandrakeSoft Multi Network Firewall 8.2
S.u.S.E. Linux 7.2, 7.3 and 8.0
S.u.S.E. Linux Connectivity Server
S.u.S.E. Linux Database Server
S.u.S.E. Linux Enterprise Server 7 and S/390

ISC DHCPD 3.0.1 rc8 and ISC DHCPD 3.0.1 rc7
FreeBSD FreeBSD 4.1.1, 4.2, 4.3, 4.4 and 4.5

ISC DHCPD 3.0.1 rc6
S.u.S.E. Linux 8.0 and 8.0 i386

ISC DHCPD 3.0.1 rc5, ISC DHCPD 3.0.1 rc4
OpenPKG OpenPKG 1.0

ISC DHCPD 3.0.1 rc3, rc2 and rc1
Attack Scenarios The attacker could send a specially crafted packet to the dhcpd server or use one of the exploits widely available for this vulnerability.
Ease of Attack Simple
Corrective Action Patches from the vendor should be applied as soon as possible.

Upgrade to ISC DHCPD 3.0.1 rc 9.
Additional References Bugtraq:
http://www.securityfocus.com/bid/4701

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0702
Rule References bugtraq: 4701
cve: 2002-0702
nessus: 11312