SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Dhcp Vendors:   OpenBSD
OpenBSD dhcpd Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1018794
SecurityTracker URL:  http://securitytracker.com/id/1018794
CVE Reference:   CVE-2007-5365   (Links to External Site)
Updated:  Oct 23 2007
Original Entry Date:  Oct 10 2007
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in dhcpd on OpenBSD. A remote user on the local network can execute arbitrary code on the target system. Other operating systems may be affected.

A remote user on the local network can send specially crafted DHCP data to trigger a buffer overflow and execute arbitrary code on the target system. The code will run with the privileges of the target service.

A specially crafted maximum message size that is less than the minimum IP MTU can trigger the overflow in dhcpd(8).

dhcpd(8) is not enabled by default.

Nahuel Riva and Gerardo Richarte of Core Security Technologies reported this vulnerability.

Impact:   A remote user on the local network can execute arbitrary code on the target system.
Solution:   The vendor has issued the following patches.

ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.2/common/001_dhcpd.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.1/common/010_dhcpd.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/016_dhcpd.patch

Vendor URL:  openbsd.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  UNIX (OpenBSD)
Underlying OS Comments:  4.0, 4.1, 4.2

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 23 2007 (Red Hat Issues Fix) OpenBSD dhcpd Buffer Overflow Lets Remote Users Execute Arbitrary Code
Red Hat has released a fix for Red Hat Enterprise Linux 2.1.
Nov 9 2008 (Sun Issues Fix for Solaris) OpenBSD dhcpd Buffer Overflow Lets Remote Users Execute Arbitrary Code
Sun has issued a fix for Sun Solaris.



 Source Message Contents

Subject:  Security fix for dhcpd

Summary:
    Malicious DHCP clients on the local network could cause dhcpd(8)
    to corrupt its stack.

Impact:
    A DHCP client with a carefully chosen maximum message size that
    is less than the minimum IP MTU could lead to a buffer overflow
    in dhcpd(8).  This could cause dhcpd(8) to crash or could
    potentially result in remote code execution.

Workaround:
    Disable dhcpd if it is enabled.  Note that OpenBSD does not
    ship with dhcpd(8) enabled by default.

Fix:
    A fix has been committed to OpenBSD-current.  Patches are
    available for OpenBSD 4.2, 4.1 and 4.0.

    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.2/common/001_dhcpd.patch
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.1/common/010_dhcpd.patch
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/016_dhcpd.patch

Credits:
    The bug was found by Nahuel Riva and Gerardo Richarte of Core
    Security Technologies

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC