Published: 2004-08-06 00:00:00
Revised: 2017-07-10 21:30:10

[Original] Buffer overflow in the logging capability for the DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13 allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via multiple hostname options in (1) DISCOVER, (2) OFFER, (3) REQUEST, (4) ACK, or (5) NAK messages, which can generate a long string when writing to a log file.

[CNNVD] ISC DHCP log line handling buffer overflow vulnerability (CNNVD-200408-115)

ISC DHCPD is a Dynamic Host Configuration Protocol server.
ISC DHCPD contains a buffer overflow. A remote attacker can exploit it to cause a denial of service against the daemon, or to execute arbitrary instructions on the system with the privileges of the process.
ISC DHCPD uses syslog to log every DHCP packet it handles: the client's DISCOVER and the resulting OFFER, the REQUEST and ACK, and any NAK are all logged. If the client supplied a hostname, it is included in the log line for these messages. If the client supplies multiple hostname options, they are concatenated; if the hostname and options contain only ASCII characters, the resulting string is passed through a non-ASCII character filter and stored temporarily in a fixed 1024-byte buffer.
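The defect described above is an unbounded concatenation of client-supplied host-name options into a fixed 1024-byte log buffer. The following is an added example of the bounded form of that routine, not ISC's code: it walks a constructed list of DHCP options, appends every host-name option, escapes non-printable bytes (the escape format here is an assumption for illustration), never writes past the buffer, and reports how many bytes were actually needed so the caller can detect truncation.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 1024   /* same fixed size as the buffer in the advisory */
#define DHO_HOST_NAME 12    /* DHCP option code for "Host Name" (RFC 2132) */

/* One parsed DHCP option: code, length and a pointer into the packet. */
struct dhcp_option { unsigned char code; unsigned char len; const unsigned char *data; };

/* Append all host-name options to buf, stopping at buflen-1 bytes.
   Returns the number of bytes the full string would have needed;
   a return value greater than buflen-1 means the output was truncated. */
size_t build_hostname_log(const struct dhcp_option *opts, size_t nopts,
                          char *buf, size_t buflen)
{
    size_t out = 0, need = 0;
    int full = 0;
    if (buflen == 0) return 0;
    for (size_t i = 0; i < nopts; i++) {
        if (opts[i].code != DHO_HOST_NAME) continue;
        for (size_t j = 0; j < opts[i].len; j++) {
            unsigned char c = opts[i].data[j];
            size_t w = isprint(c) ? 1 : 4;        /* "\xNN" for non-printables */
            need += w;                            /* keep counting even when full */
            if (full || out + w >= buflen) { full = 1; continue; }
            if (w == 1) buf[out++] = (char)c;
            else out += (size_t)snprintf(buf + out, buflen - out, "\\x%02x", c);
        }
    }
    buf[out] = '\0';
    return need;
}

/* Constructed sample input: n host-name options, each `len` copies of `byte`. */
size_t log_n_hostnames(size_t n, unsigned char len, unsigned char byte,
                       char *buf, size_t buflen)
{
    unsigned char data[255];
    struct dhcp_option opts[16];
    memset(data, byte, sizeof data);
    if (n > 16) n = 16;
    for (size_t i = 0; i < n; i++) {
        opts[i].code = DHO_HOST_NAME; opts[i].len = len; opts[i].data = data;
    }
    return build_hostname_log(opts, n, buf, buflen);
}

int main(void)
{
    char buf[LOG_BUF_SIZE];
    size_t need = log_n_hostnames(5, 255, 'a', buf, sizeof buf);
    printf("needed %zu bytes, wrote %zu (%s)\n", need, strlen(buf),
           need > sizeof buf - 1 ? "truncated" : "complete");
    return 0;
}
```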

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:suse:suse_linux_office_server (SuSE SuSE Linux Office Server)
cpe:/o:mandrakesoft:mandrake_linux:10.0 (MandrakeSoft Mandrake Linux 10.0)
cpe:/o:suse:suse_linux:8.1 (SuSE SuSE Linux 8.1)
cpe:/o:suse:suse_linux:9.0 (SuSE SuSE Linux 9.0)
cpe:/o:suse:suse_linux:8.0 (SuSE SuSE Linux 8.0)
cpe:/o:mandrakesoft:mandrake_linux:9.0 (MandrakeSoft Mandrake Linux 9.0)
cpe:/a:suse:suse_linux_firewall_cd (SuSE SuSE Linux Firewall CD)
cpe:/o:mandrakesoft:mandrake_linux:9.2 (MandrakeSoft Mandrake Linux 9.2)
cpe:/a:suse:suse_linux_admin-cd_for_firewall (SuSE SuSE Linux Admin-CD for Firewall)
cpe:/a:isc:dhcpd:3.0.1:rc13 (ISC DHCPD 3.0.1 rc13)
cpe:/a:isc:dhcpd:3.0.1:rc12 (ISC DHCPD 3.0.1 rc12)
cpe:/a:suse:suse_linux_connectivity_server (SuSE SuSE Linux Connectivity Server)
cpe:/o:mandrakesoft:mandrake_linux:9.1 (MandrakeSoft Mandrake Linux 9.1)
cpe:/o:suse:suse_linux:8.2 (SuSE SuSE Linux 8.2)
cpe:/o:suse:suse_linux:9.1 (SuSE SuSE Linux 9.1)
cpe:/a:suse:suse_linux_database_server (SuSE SuSE Linux Database Server)

- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(UNKNOWN)  BUGTRAQ  20040622 DHCP Vuln // no code 0day //
(UNKNOWN)  BUGTRAQ  20040628 ISC DHCP overflows
(UNKNOWN)  BUGTRAQ  20040708 [OpenPKG-SA-2004.031] OpenPKG Security Advisory (dhcpd)
(UNKNOWN)  SUSE  SuSE-SA:2004:019
(UNKNOWN)  XF  dhcp-ascii-log-bo(16475)

- Vulnerability information

ISC DHCP log line handling buffer overflow vulnerability
Critical | Boundary condition error
2004-08-06 00:00:00 | 2005-10-20 00:00:00

- Advisories and patches

The vendor has released an upgrade to fix this security issue; users are advised to upgrade to DHCP 3.0.1rc14. ISC DHCP version 3 will no longer be maintained or supported:

- Vulnerability information

ISC DHCP Daemon Hostname Logging Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A remote overflow exists in ISC DHCP server. The DHCP server fails to check the boundary length from a DHCP request with multiple hostname query options set. The logging function uses a temporary 1024 byte buffer for storage and this can result in a buffer overflow. With a specially crafted DHCP request, an attacker can cause supplied code to execute resulting in a loss of integrity.

- Timeline

2004-06-22 Unknown
Unknown Unknown

- Solution

Upgrade to version 3.0.1rc14 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

- Vulnerability information

ISC DHCPD Hostname Options Logging Buffer Overflow Vulnerability
Boundary Condition Error 10590
Yes No
2004-06-22 12:00:00 2009-07-12 05:16:00
Discovery is credited to Gregory Duchemin and Solar Designer.

- Affected program versions

SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
SuSE SUSE Linux Enterprise Server 7
+ Linux kernel 2.4.19
S.u.S.E. SuSE eMail Server III
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Office Server
S.u.S.E. Linux Firewall on CD
S.u.S.E. Linux Database Server 0
S.u.S.E. Linux Connectivity Server
S.u.S.E. Linux Admin-CD for Firewall
S.u.S.E. Linux 8.1
S.u.S.E. Linux 8.0 i386
S.u.S.E. Linux 8.0
Red Hat Fedora Core2
Mandriva Linux Mandrake 10.0 AMD64
Mandriva Linux Mandrake 10.0
Mandriva Linux Mandrake 9.2 amd64
Mandriva Linux Mandrake 9.2
Mandriva Linux Mandrake 9.1 ppc
Mandriva Linux Mandrake 9.1
Mandriva Linux Mandrake 9.0
ISC DHCPD 3.0.1 rc13
ISC DHCPD 3.0.1 rc12
Infoblox DNS One Appliance 2.4.0-8A
Infoblox DNS One Appliance 2.4.0-8
Infoblox DNS One Appliance 2.3.1-R5
ISC DHCPD 3.0.1 rc14

- Unaffected program versions

ISC DHCPD 3.0.1 rc14

- Vulnerability discussion

ISC DHCPD is prone to a remotely exploitable buffer overflow vulnerability. This issue exists in routines responsible for logging hostname options provided by DHCP clients. Successful exploitation could result in execution of arbitrary code in the context of the DHCPD server.

This issue is reported to affect ISC DHCPD versions 3.0.1rc12 and 3.0.1rc13. The vulnerable code exists in previous versions of ISC DHCPD 3, but is only believed to be exploitable in these two releases.

- Exploit

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

- Solution

Mandrake has released advisory MDKSA-2004:061 to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

SuSE linux has released advisory SuSE-SA:2004:019 to address this and other issues. Please see the referenced advisory for further information.

Red Hat Fedora has released advisory FEDORA-2004-190 dealing with this and other issues. Please see the referenced advisory for more information.

OpenPKG has released an advisory (OpenPKG-SA-2004.031) to address this and other issues in dhcpd. Please see the referenced advisory for more information.

ISC has addressed this issue with the release of ISC DHCPD 3.0.1rc14.

ISC DHCPD 3.0.1 rc12

ISC DHCPD 3.0.1 rc13

- References