[NGSEC-2002-2] ISC DHCPDv3, remote root compromise

From: NGSEC Research Team (labsat_private)
Date: Wed May 08 2002 - 10:04:35 PDT

Next message: securityat_private: "Security Update: [CSSA-2002-SCO.18] Open UNIX 8.0.0 UnixWare 7.1.1 : CDE /var/dt and subdirectories are writable by world"

Previous message: Ry Jones: "NTFS and PGP interact to expose EFS encrypted data"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



                   Next Generation Security Technologies
                          http://www.ngsec.com
                            Security Advisory


       Title:   ISC DHCPDv3, remote root compromise
          ID:   NGSEC-2002-2
 Application:   ISC DHCPD version 3.0.1rc8 and older (http://www.isc.org)
        Date:   05/06/2002
      Status:   Vendor and CERT contacted, new fixed version released.
    Platform:   Unix
      Author:   Fermín J. Serna <fjsernaat_private>
    Location:   http://www.ngsec.com/docs/advisories/NGSEC-2002-2.txt


Overview:
- ---------

ISC DHCPD in its version 3 introduced new dns-update features. ISC DHCPD
is vulnerable to a format string bug attack, while reporting the result of
a dns-update request. Since ISC DHCPD runs with root privileges,
attackers can use this bug to gain unauthorized access, to the system
running ISC DHCPD, as root user.

CERT has issued an advisory located at:

    http://www.cert.org/advisories/CA-2002-12.html


Technical description:
- ----------------------

ISC DHCPD (in its verion 3) is compiled by default with NSUPDATE. If ISC
DHCPD is configured to make a dns-update when a dhcp request arrives, it
will send a dns-update request to the configured DNS server. When the DNS
server sends the response the ISC DHCPD parses the packet and logs the
result of the dns-update request in the following way:


        if (errorp)
                log_error (obuf);
        else
                log_info (obuf);


This code lacks of format string. Since "obuf" contains some user supplied
data such as client hostname, an attacker can query the ISC DHCP server
with a hostname field containing a malign format string (%n).

This vulnerability can be exploited on local lans, lans with DHCP relay
servers or acting as a fake DHCP relay server.

NGSEC has developed an exploit for this vulnerability but we are not going
to release it for obvious reasons (remote root compromise to a widely
spread application).


Quick Patch:
- ------------

You can upgrade to a newer version or apply the following patch:

- --- common/print.c      Tue Apr  9 13:41:17 2002
+++ common/print.c.patched      Tue Apr  9 13:41:56 2002
@@ -1366,8 +1366,8 @@
                *s++ = '.';
        *s++ = 0;
        if (errorp)
- -               log_error (obuf);
+               log_error ("%s",obuf);
        else
- -               log_info (obuf);
+               log_info ("%s",obuf);
 }
 #endif /* NSUPDATE */


Recommendations:
- ----------------

Upgrade to a newer ISC DHCPD version.
Run ISC DHCPD on a secure environment.


More security advisories at: http://www.ngsec.com/ngresearch/ngadvisories/
PGP Key: http://www.ngsec.com/pgp/labs.asc

(c)Copyright 2002 NGSEC. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQE82VqzKrwoKcQl8Y4RAtabAJ49kEC2RdbiHPuZd4g07rk/K9mIAACfcKq6
bhQkcJoj7zPvCn4zs3oVUs0=
=M7RM
-----END PGP SIGNATURE-----

Next message: securityat_private: "Security Update: [CSSA-2002-SCO.18] Open UNIX 8.0.0 UnixWare 7.1.1 : CDE /var/dt and subdirectories are writable by world"
Previous message: Ry Jones: "NTFS and PGP interact to expose EFS encrypted data"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed May 08 2002 - 16:38:22 PDT