SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Generic)  >   Dhcp Vendors:   OpenBSD
OpenBSD dhcpd Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1018794
SecurityTracker URL:  http://securitytracker.com/id/1018794
CVE Reference:   CVE-2007-5365   (Links to External Site)
Updated:  Oct 23 2007
Original Entry Date:  Oct 10 2007
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in dhcpd on OpenBSD. A remote user on the local network can execute arbitrary code on the target system. Other operating systems may be affected.

A remote user on the local network can send specially crafted DHCP data to trigger a buffer overflow and execute arbitrary code on the target system. The code will run with the privileges of the target service.

A specially crafted maximum message size that is less than the minimum IP MTU can trigger the overflow in dhcpd(8).

dhcpd(8) is not enabled by default.

Nahuel Riva and Gerardo Richarte of Core Security Technologies reported this vulnerability.
Impact:   A remote user on the local network can execute arbitrary code on the target system.
Solution:   The vendor has issued the following patches.

ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.2/common/001_dhcpd.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.1/common/010_dhcpd.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/016_dhcpd.patch
Vendor URL:  openbsd.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   UNIX (OpenBSD)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 23 2007 (Red Hat Issues Fix) OpenBSD dhcpd Buffer Overflow Lets Remote Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 2.1.
Nov 9 2008 (Sun Issues Fix for Solaris) OpenBSD dhcpd Buffer Overflow Lets Remote Users Execute Arbitrary Code
Sun has issued a fix for Sun Solaris.


 Source Message Contents
Date:  Tue, 09 Oct 2007 17:22:20 -0400
Subject:  Security fix for dhcpd

Summary:
    Malicious DHCP clients on the local network could cause dhcpd(8)
    to corrupt its stack.

Impact:
    A DHCP client with a carefully chosen maximum message size that
    is less than the minimum IP MTU could lead to a buffer overflow
    in dhcpd(8).  This could cause dhcpd(8) to crash or could
    potentially result in remote code execution.

Workaround:
    Disable dhcpd if it is enabled.  Note that OpenBSD does not
    ship with dhcpd(8) enabled by default.

Fix:
    A fix has been committed to OpenBSD-current.  Patches are
    available for OpenBSD 4.2, 4.1 and 4.0.

    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.2/common/001_dhcpd.patch
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.1/common/010_dhcpd.patch
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/016_dhcpd.patch

Credits:
    The bug was found by Nahuel Riva and Gerardo Richarte of Core
    Security Technologies


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC