ISC DHCP Client v2 potential root exploit




COMMAND

    iscdhcp

SYSTEMS AFFECTED

    ISC DHCP client v2

PROBLEM

    Pavel Kankovsky found the following.  The official fix for the recent
    ISC DHCP client vulnerability is not as thorough as it should  be.
    For more info see:

        http://oliver.efri.hr/~crv/security/bugs/Others/iscdhcp.html

    If you diff version 2.0 and 2.0pl1 you can see the only
    substantial change to the code happened in pretty_print_option()
    in common/options.c.  The function is used when data received from
    the server are saved to dhclient.leases or passed to
    dhclient-script.  Now, it escapes suspicious characters when it
    formats text options.

    Good. (BTW the code does not follow the old "allow only characters
    known to be safe" rule, so  some problems might still lurk in  the
    dark but this is not the point of my mail.)

    Unfortunately, when  you look  at client/dhclient.c,  you can  see
    that not  every value  is processed  with pretty_print_option() or
    something similar.  Here is an example from script_write_params():

        if (lease -> filename) {
                fprintf (scriptFile, "%sfilename=\"%s\";\n",
                         prefix, lease -> filename);
                fprintf (scriptFile, "export %sfilename\n", prefix);
        }
        if (lease -> server_name) {
                fprintf (scriptFile, "%sserver_name=\"%s\";\n",
                         prefix, lease -> server_name);
                fprintf (scriptFile, "export %sserver_name\n", prefix);
        }

    In fact, lease->filename and  lease->server_name are used as  they
    have come  from the  network.   Ergo, we  can conclude that anyone
    controlling  the  DHCP/BOOTP  server  or  being  able to spoof the
    replies can easily break into any machine using ISC DHCP client of
    any version up to and including 2.0pl2 (unless it is a very recent
    OpenBSD version...see their cvsweb for details).

    It should be stressed that this is only a problem in the DHCP
    client, not in the DHCP server.

SOLUTION

    This is a rather ugly patch that might (or might not) fix the bug.
    Please note that 15 and 67 are more or less two arbitrary  numbers
    to make pretty_print_option() happy and use the right format.

    --- client/dhclient.c.orig  Wed Jan 26 13:51:11 2000
    +++ client/dhclient.c       Wed Jul 12 21:28:31 2000
    @@ -902,7 +902,7 @@
                                    break;
                    lease -> server_name = malloc (len + 1);
                    if (!lease -> server_name) {
    -                   warn ("dhcpoffer: no memory for filename.\n");
    +                   warn ("dhcpoffer: no memory for server name.\n");
                            free_client_lease (lease);
                            return (struct client_lease *)0;
                    } else {
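
    Review bot: the corrected warn() text for the server_name allocation
    failure is a cosmetic fix unrelated to the escaping change in the later
    hunks; the security fix would be easier to audit and backport if this
    one-line message correction went in as its own patch.
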
    @@ -1845,10 +1845,14 @@
                     piaddr (lease -> address));
            if (lease -> filename)
                    fprintf (leaseFile, "  filename \"%s\";\n",
    -                    lease -> filename);
    +                    pretty_print_option(67 /* bootfile-name option */,
    +                    lease -> filename, strlen(lease -> filename),
    +                    0, 0));
            if (lease -> server_name)
                    fprintf (leaseFile, "  server-name \"%s\";\n",
    -                    lease -> server_name);
    +                    pretty_print_option(15 /* domain name option */,
    +                    lease -> server_name, strlen(lease -> server_name),
    +                    0, 0));
            if (lease -> medium)
                    fprintf (leaseFile, "  medium \"%s\";\n",
                             lease -> medium -> string);
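
    Review bot: the option codes 67 and 15 passed to pretty_print_option()
    for the leaseFile writes are magic numbers, and 15 is labelled as the
    domain name option while the value being printed is lease -> server_name.
    Since the code is only there to select a text format, a named constant or
    a small dedicated escaping helper would make that intent explicit.
    strlen() here also assumes both strings are NUL-terminated and silently
    drops anything after an embedded NUL.
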
    @@ -1986,13 +1990,17 @@
            }

            if (lease -> filename) {
    -           fprintf (scriptFile, "%sfilename=\"%s\";\n",
    -                    prefix, lease -> filename);
    +           fprintf (scriptFile, "%sfilename=\"%s\";\n", prefix,
    +                    pretty_print_option(67 /* bootfile-name option */,
    +                    lease -> filename, strlen(lease -> filename),
    +                    0, 0));
                    fprintf (scriptFile, "export %sfilename\n", prefix);
            }
            if (lease -> server_name) {
    -           fprintf (scriptFile, "%sserver_name=\"%s\";\n",
    -                    prefix, lease -> server_name);
    +           fprintf (scriptFile, "%sserver_name=\"%s\";\n", prefix,
    +                    pretty_print_option(15 /* domain name option */,
    +                    lease -> server_name, strlen(lease -> server_name),
    +                    0, 0));
                    fprintf (scriptFile, "export %sserver_name\n", prefix);
            }
            for (i = 0; i < 256; i++) {
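
    Review bot: in both scriptFile writes the escaped value is still
    interpolated between double quotes in shell text that is executed later,
    so the safety of filename and server_name depends entirely on
    pretty_print_option() escaping every character the shell treats specially
    inside double quotes. Consider handing these values to the script as
    environment variables instead of generating shell source, or at least
    documenting which characters the escaping is required to cover.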

    OpenBSD released  a different  fix for  the dhclient  shipped with
    OpenBSD.  This was not the fix shipped by ISC.  The patch released
    by OpenBSD is *not* vulnerable  to these problems.  Their  fix did
    two things:

        1) Make dhclient-script safely quote anything it gets from the
           environment to avoid these problems
        2) They pass the variables to dhclient-script by  constructing
           an environment and  running dhclient-script with  an execve
           rather than using a temporary shell script.
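
    The second point above, sketched as an added example (not OpenBSD's or
    ISC's code): the lease string is placed in an environment array and the
    hook is started with execve, so it is never parsed as shell source.  The
    names env_entry, run_with_env and hook_sees_length, the inline /bin/sh
    stand-in for dhclient-script and the sample value are assumptions.

```c
/* Added example: hand lease strings to the hook as environment data. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Build "<prefix><name>=<value>"; value is copied byte for byte, never parsed. */
char *env_entry(const char *prefix, const char *name, const char *value)
{
    size_t n = strlen(prefix) + strlen(name) + strlen(value) + 2;
    char *e = malloc(n);
    if (e)
        snprintf(e, n, "%s%s=%s", prefix, name, value);
    return e;
}

/* Exec argv[0] with exactly envp as its environment; exit status or -1. */
int run_with_env(char *const argv[], char *const envp[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);
        _exit(127);               /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Hypothetical stand-in for dhclient-script: it exits with the length of
 * $new_filename, so the caller can see the value arrived as inert data. */
int hook_sees_length(const char *filename)
{
    char *argv[] = { "/bin/sh", "-c", "exit ${#new_filename}", NULL };
    char *envp[2] = { env_entry("new_", "filename", filename), NULL };
    int rc = envp[0] ? run_with_env(argv, envp) : -1;
    free(envp[0]);
    return rc;
}

int main(void)
{
    const char *hostile = "x\"; exit 42; \"";   /* constructed sample value */
    printf("hook exit=%d, strlen=%zu\n", hook_sees_length(hostile), strlen(hostile));
    return 0;
}
```

    The hook's exit status equals the string length rather than 42, which
    shows the embedded quote and command separator reached it as plain bytes.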

    2.0pl3 and  3.0b1pl17 releases  fix a  lingering security  problem
    that was  partially fixed  in 2.0pl2  and 3.0b1pl14  that made  it
    possible for  a rogue  DHCP server  to provide  information to the
    DHCP client that would cause  it to execute arbitrary commands  as
    root.  This  fix is similar  to a fix  implemented by the  OpenBSD
    folks.  IF YOU ARE RUNNING  VERSIONS OF THE ISC DHCP CLIENT  PRIOR
    to 2.0pl2 or  3.0b1pl17, PLEASE UPGRADE  ASAP.  This  patch is NOT
    necessary for ISC DHCP  server users - only  for users of the  ISC
    DHCP client.  Users  of the ISC DHCP  client from the head  of the
    anoncvs  tree  prior  to  July  20  at  5:36  AM, UTC, should also
    upgrade.  Both versions of the ISC DHCP Distribution are available
    at:

        ftp://ftp.isc.org/isc/dhcp

    For Linux-Mandrake:

        7.0/RPMS/dhcp-3.0b1pl17-2mdk.i586.rpm
        7.0/RPMS/dhcp-client-3.0b1pl17-2mdk.i586.rpm
        7.0/RPMS/dhcp-relay-3.0b1pl17-2mdk.i586.rpm
        7.0/SRPMS/dhcp-3.0b1pl17-2mdk.src.rpm
        7.1/RPMS/dhcp-3.0b1pl17-2mdk.i586.rpm
        7.1/RPMS/dhcp-client-3.0b1pl17-2mdk.i586.rpm
        7.1/RPMS/dhcp-relay-3.0b1pl17-2mdk.i586.rpm
        7.1/SRPMS/dhcp-3.0b1pl17-2mdk.src.rpm

    For Debian Linux:

        http://security.debian.org/dists/stable/updates/source/dhcp-beta_2.0b1pl6-0.4.diff.gz
        http://security.debian.org/dists/stable/updates/source/dhcp-beta_2.0b1pl6-0.4.dsc
        http://security.debian.org/dists/stable/updates/source/dhcp-beta_2.0b1pl6.orig.tar.gz
        http://security.debian.org/dists/stable/updates/binary-alpha/dhcp-beta_2.0b1pl6-0.4_alpha.deb
        http://security.debian.org/dists/stable/updates/binary-alpha/dhcp-client-beta_2.0b1pl6-0.4_alpha.deb
        http://security.debian.org/dists/stable/updates/binary-alpha/dhcp-relay-beta_2.0b1pl6-0.4_alpha.deb
        http://security.debian.org/dists/stable/updates/binary-i386/dhcp-beta_2.0b1pl6-0.4_i386.deb
        http://security.debian.org/dists/stable/updates/binary-i386/dhcp-client-beta_2.0b1pl6-0.4_i386.deb
        http://security.debian.org/dists/stable/updates/binary-i386/dhcp-relay-beta_2.0b1pl6-0.4_i386.deb
        http://security.debian.org/dists/stable/updates/binary-m68k/dhcp-beta_2.0b1pl6-0.4_m68k.deb
        http://security.debian.org/dists/stable/updates/binary-m68k/dhcp-client-beta_2.0b1pl6-0.4_m68k.deb
        http://security.debian.org/dists/stable/updates/binary-m68k/dhcp-relay-beta_2.0b1pl6-0.4_m68k.deb
        http://security.debian.org/dists/stable/updates/binary-sparc/dhcp-beta_2.0b1pl6-0.4_sparc.deb
        http://security.debian.org/dists/stable/updates/binary-sparc/dhcp-client-beta_2.0b1pl6-0.4_sparc.deb
        http://security.debian.org/dists/stable/updates/binary-sparc/dhcp-relay-beta_2.0b1pl6-0.4_sparc.deb

        http://security.debian.org/dists/potato/updates/main/source/dhcp_2.0-3potato2.diff.gz
        http://security.debian.org/dists/potato/updates/main/source/dhcp_2.0-3potato2.dsc
        http://security.debian.org/dists/potato/updates/main/source/dhcp_2.0.orig.tar.gz
        http://security.debian.org/dists/potato/updates/main/binary-alpha/dhcp_2.0-3potato2_alpha.deb
        http://security.debian.org/dists/potato/updates/main/binary-alpha/dhcp-client_2.0-3potato2_alpha.deb
        http://security.debian.org/dists/potato/updates/main/binary-alpha/dhcp-relay_2.0-3potato2_alpha.deb
        http://security.debian.org/dists/potato/updates/main/binary-i386/dhcp_2.0-3potato2_i386.deb
        http://security.debian.org/dists/potato/updates/main/binary-i386/dhcp-client_2.0-3potato2_i386.deb
        http://security.debian.org/dists/potato/updates/main/binary-i386/dhcp-relay_2.0-3potato2_i386.deb
        http://security.debian.org/dists/potato/updates/main/binary-sparc/dhcp_2.0-3potato2_sparc.deb
        http://security.debian.org/dists/potato/updates/main/binary-sparc/dhcp-client_2.0-3potato2_sparc.deb
        http://security.debian.org/dists/potato/updates/main/binary-sparc/dhcp-relay_2.0-3potato2_sparc.deb

