Latest news
http://www.ngsec.com
Security Advisory
Title: ISC DHCPDv3, remote root compromise
ID: NGSEC-2002-2
Application: ISC DHCPD version 3.0.1rc8 and older (http://www.isc.org)
Date: 05/06/2002
Status: Vendor and CERT contacted, new fixed version released.
Platform: Unix
Author: Fermín J. Serna <fjserna@ngsec.com>
Location: http://www.ngsec.com/docs/advisories/NGSEC-2002-2.txt
Overview:
- ---------
ISC DHCPD in its version 3 introduced new dns-update features. ISC DHCPD is vulnerable to a format string bug attack, while reporting the result of a dns-update request. Since ISC DHCPD runs with root privileges, attackers can use this bug to gain unauthorized access, to the system running ISC DHCPD, as root user.
CERT has issued an advisory located at:
http://www.cert.org/advisories/CA-2002-12.html
Technical description:
- ----------------------
ISC DHCPD (in its verion 3) is compiled by default with NSUPDATE. If ISC DHCPD is configured to make a dns-update when a dhcp request arrives, it will send a dns-update request to the configured DNS server. When the DNS server sends the response the ISC DHCPD parses the packet and logs the result of the dns-update request in the following way:
if (errorp)
log_error (obuf);
else
log_info (obuf);
This code lacks of format string. Since "obuf" contains some user supplied data such as client hostname, an attacker can query the ISC DHCP server with a hostname field containing a malign format string (%n).
This vulnerability can be exploited on local lans, lans with DHCP relay servers or acting as a fake DHCP relay server.
NGSEC has developed an exploit for this vulnerability but we are not going to release it for obvious reasons (remote root compromise to a widely spread application).
Quick Patch:
- ------------
You can upgrade to a newer version or apply the following patch:
- --- common/print.c Tue Apr 9 13:41:17 2002
+++ common/print.c.patched Tue Apr 9 13:41:56 2002
@@ -1366,8 +1366,8 @@
*s++ = '.';
*s++ = 0;
if (errorp)
- - log_error (obuf);
+ log_error ("%s",obuf);
else
- - log_info (obuf);
+ log_info ("%s",obuf);
}
#endif /* NSUPDATE */
Recommendations:
- ----------------
Upgrade to a newer ISC DHCPD version.
Run ISC DHCPD on a secure environment.
More security advisories at: http://www.ngsec.com/ngresearch/ngadvisories/
PGP Key: http://www.ngsec.com/pgp/labs.asc
(c)Copyright 2002 NGSEC. All rights reserved.
Spotlight
IT security jobs: What's in demand and how to meet it
Posted on 15 May 2013. | Let's say you want a career in information security, where do you start? What credentials do you need? What are employers looking for? Read on to find some answers.
Is Microsoft is reading your Skype communications?
Posted on 15 May 2013. | The question of whether Skype allows U.S. intelligence and law enforcement agencies to access the communications exchanged by its users has still not been adequately answered by Microsoft.
Internet Explorer best at blocking malware
Posted on 14 May 2013. | While Chrome’s malware download protection improved significantly, Internet Explorer 10 continues to outperform the other browsers with a block rate of 99.96%.
Researcher refuses to help Saudi telco to spy on people
Posted on 14 May 2013. | You would think that a Saudi Arabian telecom firm interested in monitoring its users' mobile communications would not be asking a well-known pro-privacy researcher for help, but you would be wrong.
Malicious browser extensions are hijacking Facebook accounts
Posted on 13 May 2013. | Facebook users - especially those in Brazil - are being targeted with malicious browser extensions trying to hijack Facebook profiles, warns Microsoft.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
