SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Dhcp Vendors:   ISC (Internet Software Consortium)
(Caldera Issues Fix) Internet Software Consortium DHCP Implementation Has Format String Hole That Lets Remote Users Gain Root Access
SecurityTracker Alert ID:  1004599
SecurityTracker URL:  http://securitytracker.com/id/1004599
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 20 2002
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 3.0.1rc8 and prior versions
Description:   A format string vulnerability was reported in the Internet Software Consortium (ISC) dynamic host control protocol daemon (DHCPD) implementation. A remote user can gain root access on the system.

Next Generation Security Technologies reported that ISC DHCPD verrsion 3 includes a dns-update feature that is compiled by default and contains a format string flaw.

When the DHCPD daemon receives a DHCP request, it will generate a dns-update request. A remote user with control of a DNS server can create a malformed dns-update response and send it to the vulnerable DHCPD server in response to one of these dns-update requests. The user-supplied dns-update response information is then logged by DHCPD without specifying a format string. A remote user can apparently query the ISC DHCP server with a hostname field containing a malicious format string (%n), causing the server to execute arbitrary code with root level privileges.

CERT has issued an advisory located at:

http://www.cert.org/advisories/CA-2002-12.html

Impact:   A remote user can cause arbitrary code to be executed with root level privileges, giving the remote user root level access to the system.
Solution:   Caldera has released a fix for OpenLinux.

For OpenLinux 3.1.1 Server:

Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

Packages

09faf40bb1b20919080b3a3ed36d8081 dhcp-3.0b2pl9-11.i386.rpm
55c93437d6573cb8132a16ccd2c6c69e dhcp-server-3.0b2pl9-11.i386.rpm

Installation

rpm -Fvh dhcp-3.0b2pl9-11.i386.rpm
rpm -Fvh dhcp-server-3.0b2pl9-11.i386.rpm

Source Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

Source Packages

d767e875975fcc76c912f9e41e4d83cf dhcp-3.0b2pl9-11.src.rpm


For OpenLinux 3.1.1 Workstation:

Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

Packages

b28af5a9d9aff4f79b683a3187d09545 dhcp-3.0b2pl9-11.i386.rpm

Installation

rpm -Fvh dhcp-3.0b2pl9-11.i386.rpm

Source Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS

Source Packages

9a2f6bf27b28c5033353caceb1540979 dhcp-3.0b2pl9-11.src.rpm


For OpenLinux 3.1 Server:

Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

Packages

732ba73b4108dd30d5bd3704ad8e47be dhcp-3.0b2pl9-11.i386.rpm
d2591a5b6021b2512603963e8f48c422 dhcp-server-3.0b2pl9-11.i386.rpm

Installation

rpm -Fvh dhcp-3.0b2pl9-11.i386.rpm
rpm -Fvh dhcp-server-3.0b2pl9-11.i386.rpm

Source Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

Source Packages

d8fd6b2a37fc3315fef9c873cea1172e dhcp-3.0b2pl9-11.src.rpm


For OpenLinux 3.1 Workstation:

Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS

Packages

d60a246831ce062e2b4228b2d6946c7b dhcp-3.0b2pl9-11.i386.rpm

Installation

rpm -Fvh dhcp-3.0b2pl9-11.i386.rpm

Source Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS

Source Packages

7c1642355347a47278dbd1afd6d3d44f dhcp-3.0b2pl9-11.src.rpm

Vendor URL:  www.isc.org/products/DHCP/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Caldera/SCO)
Underlying OS Comments:  OpenLinux 3.1, 3.1.1; Workstation and Server

Message History:   This archive entry is a follow-up to the message listed below.
May 8 2002 Internet Software Consortium DHCP Implementation Has Format String Hole That Lets Remote Users Gain Root Access



 Source Message Contents

Subject:  Security Update: [CSSA-2002-028.0] Linux: dhcpd dynamic DNS format string vulnerability


--VS++wcV0S1rZb1Fb
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: 8bit            

To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@linuxsecurity.com


______________________________________________________________________________

		Caldera International, Inc.  Security Advisory

Subject:		Linux: dhcpd dynamic DNS format string vulnerability
Advisory number: 	CSSA-2002-028.0
Issue date: 		2002 June 19
Cross reference:
______________________________________________________________________________


1. Problem Description

	A remote exploitable format string vulnerability was found in
	the logging routines of the dynamic DNS code of dhcpd. This
	vulnerability can allow an attacker to get root access to the
	host running dhcpd.


2. Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------

	OpenLinux 3.1.1 Server		prior to dhcp-3.0b2pl9-11.i386.rpm
					prior to dhcp-server-3.0b2pl9-11.i386.rpm

	OpenLinux 3.1.1 Workstation	prior to dhcp-3.0b2pl9-11.i386.rpm

	OpenLinux 3.1 Server		prior to dhcp-3.0b2pl9-11.i386.rpm
					prior to dhcp-server-3.0b2pl9-11.i386.rpm

	OpenLinux 3.1 Workstation	prior to dhcp-3.0b2pl9-11.i386.rpm


3. Solution

	The proper solution is to install the latest packages.


4. OpenLinux 3.1.1 Server

	4.1 Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

	4.2 Packages

	09faf40bb1b20919080b3a3ed36d8081	dhcp-3.0b2pl9-11.i386.rpm
	55c93437d6573cb8132a16ccd2c6c69e	dhcp-server-3.0b2pl9-11.i386.rpm

	4.3 Installation

	rpm -Fvh dhcp-3.0b2pl9-11.i386.rpm
	rpm -Fvh dhcp-server-3.0b2pl9-11.i386.rpm

	4.4 Source Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

	4.5 Source Packages

	d767e875975fcc76c912f9e41e4d83cf	dhcp-3.0b2pl9-11.src.rpm


5. OpenLinux 3.1.1 Workstation

	5.1 Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

	5.2 Packages

	b28af5a9d9aff4f79b683a3187d09545	dhcp-3.0b2pl9-11.i386.rpm

	5.3 Installation

	rpm -Fvh dhcp-3.0b2pl9-11.i386.rpm

	5.4 Source Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS

	5.5 Source Packages

	9a2f6bf27b28c5033353caceb1540979	dhcp-3.0b2pl9-11.src.rpm


6. OpenLinux 3.1 Server

	6.1 Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

	6.2 Packages

	732ba73b4108dd30d5bd3704ad8e47be	dhcp-3.0b2pl9-11.i386.rpm
	d2591a5b6021b2512603963e8f48c422	dhcp-server-3.0b2pl9-11.i386.rpm

	6.3 Installation

	rpm -Fvh dhcp-3.0b2pl9-11.i386.rpm
	rpm -Fvh dhcp-server-3.0b2pl9-11.i386.rpm

	6.4 Source Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

	6.5 Source Packages

	d8fd6b2a37fc3315fef9c873cea1172e	dhcp-3.0b2pl9-11.src.rpm


7. OpenLinux 3.1 Workstation

	7.1 Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS

	7.2 Packages

	d60a246831ce062e2b4228b2d6946c7b	dhcp-3.0b2pl9-11.i386.rpm

	7.3 Installation

	rpm -Fvh dhcp-3.0b2pl9-11.i386.rpm

	7.4 Source Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS

	7.5 Source Packages

	7c1642355347a47278dbd1afd6d3d44f	dhcp-3.0b2pl9-11.src.rpm


8. References

	Specific references for this advisory:
		http://www.cert.org/advisories/CA-2002-12.html 

	Caldera security resources:
		http://www.caldera.com/support/security/index.html

	This security fix closes Caldera incidents sr864837, fz521045,
	erg712050.


9. Disclaimer

	Caldera International, Inc. is not responsible for the misuse
	of any of the information we provide on this website and/or
	through our security advisories. Our advisories are a service
	to our customers intended to promote secure installation and
	use of Caldera products.


10. Acknowledgements

	This vulnerability was dicovered and researched by Next Generation
	Security Technologies.

______________________________________________________________________________

--VS++wcV0S1rZb1Fb
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj0Q+x8ACgkQbluZssSXDTEznACg3k90I+/SKTpFns1tLo35HsUF
GUcAn1XghxaBIWLu0onaX37x2jFSaYpL
=7dVg
-----END PGP SIGNATURE-----

--VS++wcV0S1rZb1Fb--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC