CVE-2004-0460
CVSS 10.0
Published: 2004-08-06 00:00:00
Revised: 2016-10-17 22:45:28

[Original] Buffer overflow in the logging capability for the DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13 allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via multiple hostname options in (1) DISCOVER, (2) OFFER, (3) REQUEST, (4) ACK, or (5) NAK messages, which can generate a long string when writing to a log file.


[CNNVD] ISC DHCP log line handling buffer overflow vulnerability (CNNVD-200408-115)

        
        ISC DHCPD is a Dynamic Host Configuration Protocol server.
        ISC DHCPD contains a buffer overflow. A remote attacker can use it to crash the daemon (denial of service) or to execute arbitrary instructions on the system with the privileges of the dhcpd process.
        ISC DHCPD logs every DHCP exchange through syslog: the client's DISCOVER and the resulting OFFER, the REQUEST and ACK, and any NAK are all recorded. If the client supplied a hostname, it is included in the log line. If the client supplies several hostname options, their values are concatenated; if the concatenated hostname contains only ASCII characters, the string passes the non-ASCII filter unchanged and is placed temporarily in a fixed 1024-byte buffer.
        When such an over-long hostname is written to the same line as the surrounding log text, this static buffer overflows. If non-ASCII or non-printable characters are present, the string takes a different check-and-escape path and the overflow does not occur. A carefully crafted request may execute arbitrary instructions with the privileges of the DHCPD process.
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:suse:suse_linux:7::enterprise_server
cpe:/o:redhat:fedora_core:core_2.0
cpe:/o:suse:suse_linux:9.0::x86_64
cpe:/h:infoblox:dns_one_appliance:2.4.0.8a
cpe:/o:suse:suse_linux:8.0::i386
cpe:/a:suse:suse_linux_connectivity_server  SuSE SuSE Linux Connectivity Server
cpe:/a:suse:suse_linux_office_server  SuSE SuSE Linux Office Server
cpe:/a:suse:suse_linux_admin-cd_for_firewall  SuSE SuSE Linux Admin-CD for Firewall
cpe:/a:suse:suse_linux_firewall_cd  SuSE SuSE Linux Firewall CD
cpe:/a:suse:suse_email_server:iii
cpe:/o:mandrakesoft:mandrake_linux:10.0::amd64
cpe:/a:isc:dhcpd:3.0.1:rc13  ISC DHCPD 3.0.1 rc13
cpe:/o:mandrakesoft:mandrake_linux:9.2  MandrakeSoft Mandrake Linux 9.2
cpe:/a:isc:dhcpd:3.0.1:rc12  ISC DHCPD 3.0.1 rc12
cpe:/o:mandrakesoft:mandrake_linux:9.1  MandrakeSoft Mandrake Linux 9.1
cpe:/o:mandrakesoft:mandrake_linux:9.2::amd64
cpe:/h:infoblox:dns_one_appliance:2.3.1_r5
cpe:/o:suse:suse_linux:8.1  SuSE SuSE Linux 8.1
cpe:/o:suse:suse_linux:9.0  SuSE SuSE Linux 9.0
cpe:/o:mandrakesoft:mandrake_linux:9.0  MandrakeSoft Mandrake Linux 9.0
cpe:/a:suse:suse_linux_database_server  SuSE SuSE Linux Database Server
cpe:/o:suse:suse_linux:8.0  SuSE SuSE Linux 8.0
cpe:/h:infoblox:dns_one_appliance:2.4.0.8
cpe:/o:suse:suse_linux:8::enterprise_server
cpe:/o:mandrakesoft:mandrake_linux:9.1::ppc
cpe:/o:mandrakesoft:mandrake_linux:10.0  MandrakeSoft Mandrake Linux 10.0
cpe:/o:suse:suse_linux:8.2  SuSE SuSE Linux 8.2
cpe:/o:suse:suse_linux:9.1  SuSE SuSE Linux 9.1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0460
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0460
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200408-115
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=108795911203342&w=2
(UNKNOWN)  BUGTRAQ  20040622 DHCP Vuln // no code 0day //
http://marc.info/?l=bugtraq&m=108843959502356&w=2
(UNKNOWN)  BUGTRAQ  20040628 ISC DHCP overflows
http://marc.info/?l=bugtraq&m=108938625206063&w=2
(UNKNOWN)  BUGTRAQ  20040708 [OpenPKG-SA-2004.031] OpenPKG Security Advisory (dhcpd)
http://www.kb.cert.org/vuls/id/317350
(UNKNOWN)  CERT-VN  VU#317350
http://www.mandriva.com/security/advisories?name=MDKSA-2004:061
(UNKNOWN)  MANDRAKE  MDKSA-2004:061
http://www.novell.com/linux/security/advisories/2004_19_dhcp_server.html
(UNKNOWN)  SUSE  SuSE-SA:2004:019
http://www.securityfocus.com/bid/10590
(VENDOR_ADVISORY)  BID  10590
http://www.us-cert.gov/cas/techalerts/TA04-174A.html
(VENDOR_ADVISORY)  CERT  TA04-174A
http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf
(UNKNOWN)  CONFIRM  http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf
http://xforce.iss.net/xforce/xfdb/16475
(VENDOR_ADVISORY)  XF  dhcp-ascii-log-bo(16475)

- Vulnerability information

ISC DHCP log line handling buffer overflow vulnerability
Critical  Boundary condition error
2004-08-06 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        Vendor patch:
        ISC
        ---
        The vendor has released an upgrade that fixes this issue; users are advised to upgrade to DHCP 3.0.1rc14. The ISC DHCP 3 branch will no longer be maintained or supported:
        ftp://ftp.isc.org/isc/dhcp/

- Vulnerability information

7237
ISC DHCP Daemon Hostname Logging Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A remote overflow exists in the ISC DHCP server. The server fails to bounds-check the hostname assembled from a DHCP request that carries multiple hostname options. The logging function stores the concatenated value in a temporary 1024-byte buffer, which can overflow. With a specially crafted DHCP request, an attacker can cause supplied code to execute, resulting in a loss of integrity.
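To make the mechanism described in the CNNVD text and in the description above concrete, here is an added C example (written for this page; it is not ISC's code). It parses a constructed DHCP options field and concatenates every instance of option 12 (Host Name), places a deliberately unbounded sprintf into a fixed 1024-byte buffer beside its snprintf-bounded counterpart, and shows that five 255-byte hostname options yield a printable string whose log line exceeds the buffer. The log-line format string, the MAC address and interface name, the 255-byte chunking and the sample inputs are assumptions for illustration; the only facts taken from the page are the concatenation of repeated hostname options, the ASCII-only path, and the 1024-byte buffer.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define DHO_HOST_NAME 12    /* DHCP option 12, Host Name (RFC 2132) */
#define LOG_BUF_SIZE  1024  /* the fixed buffer size named in the advisory */

/* Concatenate every instance of DHCP option `code` in a raw options field
 * (the TLV sequence after the magic cookie) into `out`.  Returns the joined
 * length, or (size_t)-1 on truncated input or a too-small `out`.  A single
 * option carries at most 255 bytes; concatenation of repeats is what lets a
 * client supply a far longer hostname. */
size_t concat_option(const uint8_t *opts, size_t len, uint8_t code,
                     char *out, size_t outsz)
{
    size_t i = 0, total = 0;
    while (i < len) {
        uint8_t c = opts[i++];
        if (c == 0)   continue;          /* PAD */
        if (c == 255) break;             /* END */
        if (i >= len) return (size_t)-1;
        uint8_t l = opts[i++];
        if (i + l > len) return (size_t)-1;
        if (c == code) {
            if (total + l + 1 > outsz) return (size_t)-1;
            memcpy(out + total, opts + i, l);
            total += l;
        }
        i += l;
    }
    out[total] = '\0';
    return total;
}

/* 1 if every byte is printable ASCII: per the advisory only such strings
 * reach the fixed buffer unchanged, anything else is filtered first. */
int is_printable_ascii(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char ch = (unsigned char)s[i];
        if (ch < 0x20 || ch > 0x7e) return 0;
    }
    return 1;
}

/* VULNERABLE pattern, shown for contrast and never called below: unbounded
 * sprintf into a fixed 1024-byte buffer.  Format string is an assumption. */
void vulnerable_log_line(const char *mac, const char *hostname,
                         const char *ifname)
{
    static char msgbuf[LOG_BUF_SIZE];
    sprintf(msgbuf, "DHCPDISCOVER from %s (%s) via %s", mac, hostname, ifname);
    puts(msgbuf);
}

/* Hardened form: snprintf bounds the write; the return value is the length
 * the full line needs, so a caller can detect truncation (>= bufsz). */
size_t safe_log_line(char *buf, size_t bufsz, const char *mac,
                     const char *hostname, const char *ifname)
{
    int n = snprintf(buf, bufsz, "DHCPDISCOVER from %s (%s) via %s",
                     mac, hostname, ifname);
    return n < 0 ? 0 : (size_t)n;
}

/* Constructed input: `count` host-name options of `chunk` 'A' bytes each,
 * terminated by END.  Returns bytes written, or 0 if `buf` is too small. */
size_t build_hostname_options(uint8_t *buf, size_t bufsz, int count,
                              uint8_t chunk)
{
    size_t pos = 0;
    for (int k = 0; k < count; k++) {
        if (pos + 2 + chunk + 1 > bufsz) return 0;
        buf[pos++] = DHO_HOST_NAME;
        buf[pos++] = chunk;
        memset(buf + pos, 'A', chunk);
        pos += chunk;
    }
    buf[pos++] = 255;
    return pos;
}

/* Hostname length that `count` x `chunk` repeated options produce. */
size_t demo_concat_len(int count, uint8_t chunk)
{
    uint8_t opts[2048];
    char hostname[2048];
    size_t olen = build_hostname_options(opts, sizeof opts, count, chunk);
    return olen ? concat_option(opts, olen, DHO_HOST_NAME,
                                hostname, sizeof hostname) : 0;
}

/* 1 if a printable hostname built from `count` x `chunk` options would have
 * overrun the 1024-byte buffer on the vulnerable sprintf path. */
int demo_overflow_detected(int count, uint8_t chunk)
{
    uint8_t opts[2048];
    char hostname[2048], line[LOG_BUF_SIZE];
    size_t olen = build_hostname_options(opts, sizeof opts, count, chunk);
    size_t hlen = concat_option(opts, olen, DHO_HOST_NAME,
                                hostname, sizeof hostname);
    if (hlen == (size_t)-1 || !is_printable_ascii(hostname, hlen)) return 0;
    size_t need = safe_log_line(line, sizeof line, "00:11:22:33:44:55",
                                hostname, "eth0");
    return need >= sizeof line;
}

int main(void)
{
    printf("1 x 10 bytes: overflow=%d\n", demo_overflow_detected(1, 10));
    printf("5 x 255 bytes: overflow=%d\n", demo_overflow_detected(5, 255));
    return 0;
}
```

The hardened path never writes past `line`, and its return value is the check a practitioner wants: anything at or above the buffer size means the old sprintf would have run off the end. Note that a single non-printable byte in the hostname makes `demo_overflow_detected` return 0, mirroring the advisory's point that only all-printable input reaches the unguarded buffer.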

- Timeline

2004-06-22 Unknown
Unknown Unknown

- Solution

Upgrade to version 3.0.1rc14 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Credits

- Vulnerability information

ISC DHCPD Hostname Options Logging Buffer Overflow Vulnerability
Boundary Condition Error 10590
Yes No
2004-06-22 12:00:00 2009-07-12 05:16:00
Discovery is credited to Gregory Duchemin and Solar Designer.

- Affected versions

SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
SuSE SUSE Linux Enterprise Server 7
+ Linux kernel 2.4.19
S.u.S.E. SuSE eMail Server III
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Office Server
S.u.S.E. Linux Firewall on CD
S.u.S.E. Linux Database Server 0
S.u.S.E. Linux Connectivity Server
S.u.S.E. Linux Admin-CD for Firewall
S.u.S.E. Linux 8.1
S.u.S.E. Linux 8.0 i386
S.u.S.E. Linux 8.0
Red Hat Fedora Core2
Mandriva Linux Mandrake 10.0 AMD64
Mandriva Linux Mandrake 10.0
Mandriva Linux Mandrake 9.2 amd64
Mandriva Linux Mandrake 9.2
Mandriva Linux Mandrake 9.1 ppc
Mandriva Linux Mandrake 9.1
Mandriva Linux Mandrake 9.0
ISC DHCPD 3.0.1 rc13
ISC DHCPD 3.0.1 rc12
Infoblox DNS One Appliance 2.4.0-8A
Infoblox DNS One Appliance 2.4.0-8
Infoblox DNS One Appliance 2.3.1-R5

- Unaffected versions

ISC DHCPD 3.0.1 rc14

- Discussion

ISC DHCPD is prone to a remotely exploitable buffer overflow vulnerability. This issue exists in routines responsible for logging hostname options provided by DHCP clients. Successful exploitation could result in execution of arbitrary code in the context of the DHCPD server.

This issue is reported to affect ISC DHCPD versions 3.0.1rc12 and 3.0.1rc13. The vulnerable code exists in previous versions of ISC DHCPD 3, but is only believed to be exploitable in these two releases.

- Exploit

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

- Solution

Mandrake has released advisory MDKSA-2004:061 to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

SuSE linux has released advisory SuSE-SA:2004:019 to address this and other issues. Please see the referenced advisory for further information.

Red Hat Fedora has released advisory FEDORA-2004-190 dealing with this and other issues. Please see the referenced advisory for more information.

OpenPKG has released an advisory (OpenPKG-SA-2004.031) to address this and other issues in dhcpd. Please see the referenced advisory for more information.

ISC has addressed this issue with the release of ISC DHCPD 3.0.1rc14.

