CVE-2003-0026
CVSS 7.5
Published: 2003-01-17 00:00:00
Last modified: 2011-03-07 21:11:57

[Original] Multiple stack-based buffer overflows in the error handling routines of the minires library, as used in the NSUPDATE capability for ISC DHCPD 3.0 through 3.0.1RC10, allow remote attackers to execute arbitrary code via a DHCP message containing a long hostname.


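[CNNVD] ISC DHCPD NSUPDATE MiniRes Library Remote Buffer Overflow Vulnerability (CNNVD-200301-034)

        DHCPD is the Dynamic Host Configuration Protocol daemon, which delivers configuration information to hosts over TCP/IP networks.
        The minires library included in DHCPD does not perform proper buffer bounds checking when handling hostnames. A remote attacker can exploit this to carry out a buffer overflow attack, possibly executing arbitrary commands on the system with root privileges.
        DHCPD also provides hosts with network configuration data. ISC DHCPD allows the DHCP server to dynamically update DNS servers; support for dynamic DNS updates is implemented by the NSUPDATE feature.
        During an internal source code audit, ISC developers found multiple vulnerabilities in the way the minires library, which is called by NSUPDATE, parses hostnames. These vulnerabilities are caused by the lack of proper checks on hostname length. An attacker can trigger a stack-based buffer overflow by sending a DHCP message containing an overly long hostname value; carefully crafted DHCP message data may allow arbitrary commands to be executed on the system with root privileges.
        Although the minires library is derived from the BIND 8 resolver library, these vulnerabilities do not exist in any current version of BIND.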
        

- CVSS (Base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (Affected platforms and products)

cpe:/a:isc:dhcpd:3.0.1:rc6    ISC DHCPD 3.0.1 rc6
cpe:/a:isc:dhcpd:3.0.1:rc3    ISC DHCPD 3.0.1 rc3
cpe:/a:isc:dhcpd:3.0.1:rc5    ISC DHCPD 3.0.1 rc5
cpe:/a:isc:dhcpd:3.0.1:rc1    ISC DHCPD 3.0.1 rc1
cpe:/a:isc:dhcpd:3.0.1:rc8    ISC DHCPD 3.0.1 rc8
cpe:/a:isc:dhcpd:3.0.1:rc4    ISC DHCPD 3.0.1 rc4
cpe:/a:isc:dhcpd:3.0.1:rc7    ISC DHCPD 3.0.1 rc7
cpe:/a:isc:dhcpd:3.0    ISC DHCPD 3.0
cpe:/a:isc:dhcpd:3.0.1:rc2    ISC DHCPD 3.0.1 rc2

- OVAL (Technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0026
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0026
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200301-034
(Official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/284857
(VENDOR_ADVISORY)  CERT-VN  VU#284857
http://www.cert.org/advisories/CA-2003-01.html
(VENDOR_ADVISORY)  CERT  CA-2003-01
http://www.redhat.com/support/errata/RHSA-2003-011.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2003:011
http://www.debian.org/security/2003/dsa-231
(VENDOR_ADVISORY)  DEBIAN  DSA-231
http://www.suse.com/de/security/2003_006_dhcp.html
(UNKNOWN)  SUSE  SuSE-SA:2003:0006
http://xforce.iss.net/xforce/xfdb/11073
(UNKNOWN)  XF  dhcpd-minires-multiple-bo(11073)
http://www.securitytracker.com/id?1005924
(UNKNOWN)  SECTRACK  1005924
http://www.securityfocus.com/bid/6627
(UNKNOWN)  BID  6627
http://www.openpkg.com/security/advisories/OpenPKG-SA-2003.002.html
(UNKNOWN)  OPENPKG  OpenPKG-SA-2003.002
http://www.mandriva.com/security/advisories?name=MDKSA-2003:007
(UNKNOWN)  MANDRAKE  MDKSA-2003:007
http://www.ciac.org/ciac/bulletins/n-031.shtml
(UNKNOWN)  CIAC  N-031
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000562
(UNKNOWN)  CONECTIVA  CLA-2003:562
http://archives.neohapsis.com/archives/bugtraq/2003-01/0250.html
(UNKNOWN)  BUGTRAQ  20030122 [securityslackware.com: [slackware-security] New DHCP packages available]

- Vulnerability information

ISC DHCPD NSUPDATE MiniRes Library Remote Buffer Overflow Vulnerability
High risk    Boundary condition error
2003-01-17 00:00:00 2005-10-20 00:00:00
Remote

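- Advisories and patches

        Temporary workarounds:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Disable the NSUPDATE feature of the ISC DHCP server.
        * Restrict access from untrusted external sources to TCP/UDP ports 67 and 68 on the DHCP server.
        Vendor patches:
        Conectiva
        ---------

        http://www.debian.org/security/2003/dsa-231

        Debian
        ------
        Debian has released a security advisory (DSA-231-1) and corresponding patches for this issue:
        DSA-231-1: New dhcp3 packages fix arbitrary code execution
        Link:
        http://www.debian.org/security/2002/dsa-231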


- Vulnerability information

14557
ICS DHCP minires Library Multiple Overflows
Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-01-15 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

ISC DHCPD NSUPDATE MiniRes Library Remote Buffer Overflow Vulnerabilities
Boundary Condition Error 6627
Yes No
2003-01-15 12:00:00 2009-07-11 07:17:00
These issues were reported by ISC.

- Affected program versions

ISC DHCPD 3.0.1 rc9
+ Conectiva Linux Enterprise Edition 1.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ OpenPKG OpenPKG 1.1
+ S.u.S.E. Linux 8.1
ISC DHCPD 3.0.1 rc8
ISC DHCPD 3.0.1 rc7
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3
- FreeBSD FreeBSD 4.2
- FreeBSD FreeBSD 4.1.1
ISC DHCPD 3.0.1 rc6
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
ISC DHCPD 3.0.1 rc5
ISC DHCPD 3.0.1 rc4
+ OpenPKG OpenPKG 1.0
ISC DHCPD 3.0.1 rc3
ISC DHCPD 3.0.1 rc2
ISC DHCPD 3.0.1 rc10
+ OpenPKG OpenPKG Current
ISC DHCPD 3.0.1 rc1
ISC DHCPD 3.0 rc4
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.2
ISC DHCPD 3.0 rc12
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3
ISC DHCPD 3.0 pl1
+ Gentoo Linux 1.4 _rc2
+ Gentoo Linux 1.4 _rc1
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
+ Slackware Linux 8.1
ISC DHCPD 3.0 b2pl9
+ Mandriva Linux Mandrake 7.2
ISC DHCPD 3.0 b2pl23
+ MandrakeSoft Single Network Firewall 7.2
ISC DHCPD 3.0
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 8.0
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
- S.u.S.E. Linux 8.0
- S.u.S.E. Linux 7.3
- S.u.S.E. Linux 7.2
- S.u.S.E. Linux Connectivity Server
- S.u.S.E. Linux Database Server 0
- S.u.S.E. Linux Enterprise Server for S/390
- S.u.S.E. SuSE eMail Server III
- SuSE SUSE Linux Enterprise Server 7

- Unaffected program versions

ISC DHCPD 3.0.1 rc11
+ OpenPKG OpenPKG 1.2
+ OpenPKG OpenPKG Current
ISC DHCPD 3.0 pl2

- Vulnerability discussion

Multiple buffer overflow vulnerabilities have been reported for the ISC DHCPD service. The vulnerability occurs when the DHCP server is configured to dynamically update records. The vulnerability exists in the library used by NSUPDATE to resolve hostnames.

An attacker can exploit these vulnerabilities by sending a malformed DHCP message containing an overly large hostname value. This will trigger the buffer overflow condition and any embedded attacker-supplied code may be executed.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

SuSE reportedly ships with vulnerable packages. An advisory and fixes are forthcoming.

BSD/OS is prone to this issue. The vulnerability is addressed by the M431-001 and M500-004 patches for the 4.3.1 and 5.0 versions of BSD/OS. Users should contact the vendor for further information about obtaining and applying fixes.

OpenPKG has released an advisory containing updated dhcpd packages which address this issue. OpenPKG CURRENT is addressed by the dhcpd-3.0.1rc11-20030116 package, OpenPKG 1.1 is addressed by the dhcpd-3.0.1rc9-1.1.1 package and OpenPKG 1.0 is addressed by the dhcpd-3.0.1rc4-1.0.1 package.

Gentoo Linux has released an advisory. Users who have installed net-misc/dhcp are advised to upgrade their systems to dhcp-3.0_p2 by issuing the following commands:

emerge sync
emerge -u dhcp
emerge clean

Debian has made fixes available. See referenced advisory DSA 231-1 for additional details.

SuSE has released an advisory. Information about obtaining and applying fixes for SuSE Linux are available in the referenced advisory.

The FreeBSD ports collection contains the vulnerable software. Users are advised to update the port to version 3.0.1.r11 if it has been installed.

The following fixes are available:


ISC DHCPD 3.0 pl1

ISC DHCPD 3.0 rc12

ISC DHCPD 3.0 b2pl23

ISC DHCPD 3.0 b2pl9

ISC DHCPD 3.0 rc4

ISC DHCPD 3.0

ISC DHCPD 3.0.1 rc3

ISC DHCPD 3.0.1 rc4

ISC DHCPD 3.0.1 rc5

ISC DHCPD 3.0.1 rc7

ISC DHCPD 3.0.1 rc2

ISC DHCPD 3.0.1 rc1

ISC DHCPD 3.0.1 rc8

ISC DHCPD 3.0.1 rc6

ISC DHCPD 3.0.1 rc9

ISC DHCPD 3.0.1 rc10

- Related references

 

 
