
ISC DHCPDv3 remote root compromise
10th May 2002 [SBWID-5337]



	ISC DHCPD version 3.0.1rc8 and older


	In Fermín J. Serna of NGSEC advisory [NGSEC-2002-2]:

	ISC DHCPD (in its version 3) is compiled by default with NSUPDATE. If
	ISC DHCPD is configured to make a dns-update when a dhcp request
	arrives, it will send a dns-update request to the configured DNS
	server. When the DNS server sends the response the ISC DHCPD parses the
	packet and logs the result of the dns-update request in the following


	        if (errorp)
	                log_error (obuf);
	        else
	                log_info (obuf);



	This code lacks a format string. Since "obuf" contains some user
	supplied data such as client hostname, an attacker can query the ISC
	DHCP server with a hostname field containing a malign format string

	This vulnerability can be exploited on local LANs, LANs with DHCP relay
	servers or acting as a fake DHCP relay server.
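
The logging pattern described above, next to the constant-format call that removes it, as an added example (not code from the advisory or from ISC DHCPD). `demo_log`, `logged_verbatim`, the message text and the hostnames are hypothetical; the hostname uses only `%%`, the one directive that consumes no argument, so the pre-patch call stays well-defined while still showing that client data is parsed as a format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_log[128];   /* captured log line, so the result can be checked */

/* Hypothetical stand-in for a printf-style logger such as log_info().
 * Declaring a logger with __attribute__((format(printf, 1, 2))) lets
 * GCC/Clang flag calls like demo_log(obuf) under -Wformat-security. */
static int demo_log(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
    return n;
}

/* Returns 1 if the logged line equals the message byte for byte, 0 if the
 * logger reinterpreted it. patched=0 is the pre-patch call, 1 the fixed one. */
static int logged_verbatim(const char *hostname, int patched)
{
    char obuf[128];
    /* Constructed message text: fixed words plus the client-supplied hostname. */
    snprintf(obuf, sizeof obuf, "dns-update for %s: success", hostname);
    if (patched)
        demo_log("%s", obuf);   /* constant format: obuf is data only   */
    else
        demo_log(obuf);         /* obuf itself is parsed as the format  */
    return strcmp(last_log, obuf) == 0;
}

int main(void)
{
    const char *host = "pc%%7";  /* constructed sample hostname */
    printf("plain host, unpatched: %d\n", logged_verbatim("pc7", 0));
    printf("%%%% host, unpatched:    %d\n", logged_verbatim(host, 0));
    printf("%%%% host, patched:      %d\n", logged_verbatim(host, 1));
    return 0;
}
```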


	You can upgrade to a newer version or apply the following patch:

	- --- common/print.c      Tue Apr  9 13:41:17 2002

	+++ common/print.c.patched      Tue Apr  9 13:41:56 2002

	@@ -1366,8 +1366,8 @@

	                *s++ = \'.\';

	        *s++ = 0;

	        if (errorp)

	- -               log_error (obuf);

	+               log_error (\"%s\",obuf);


	- -               log_info (obuf);

	+               log_info (\"%s\",obuf);


	 #endif /* NSUPDATE */
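
Review bot: The "%s" change covers only the two calls under `if (errorp)` in common/print.c, so any other log_error/log_info call that passes a built buffer as its first argument would keep the same problem. Declaring the log functions with a printf format attribute and building with -Wformat-security would catch those at compile time. Minor style point: `"%s",obuf` is missing the space after the comma in both added lines.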

