CVE-2004-0461
CVSS 10.0
Published: 2004-08-06 00:00:00
Revised: 2016-10-17 22:45:30

[Original] The DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13, when compiled in environments that do not provide the vsnprintf function, uses C include files that define vsnprintf to use the less safe vsprintf function, which can lead to buffer overflow vulnerabilities that enable a denial of service (server crash) and possibly execute arbitrary code.


[CNNVD] ISC DHCP C Include File vsnprintf() Buffer Overflow Vulnerability (CNNVD-200408-117)

        
        ISC DHCPD is a Dynamic Host Configuration Protocol (DHCP) server.
        The vsnprintf() used by the ISC DHCPD application has a buffer overflow problem. A remote attacker can exploit it to deny service to the daemon or to execute arbitrary code on the system with the privileges of the daemon process.
        ISC DHCP calls vsnprintf() to write formatted log strings. On systems that do not provide vsnprintf(), the build's C include files define it as follows:
        #define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)
        vsprintf() performs no bounds checking on the destination buffer, so a client that supplies too much data can overflow it. Note that this vsnprintf() definition appears after the problematic code discussed in VU#317350, which means the VU#317350 vulnerability would be triggered before this buffer overflow; this issue was discovered after VU#317350 had been addressed.
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:suse:suse_linux:7::enterprise_server
cpe:/o:redhat:fedora_core:core_2.0
cpe:/o:suse:suse_linux:9.0::x86_64
cpe:/h:infoblox:dns_one_appliance:2.4.0.8a
cpe:/o:suse:suse_linux:8.0::i386
cpe:/a:suse:suse_linux_connectivity_server (SuSE Linux Connectivity Server)
cpe:/a:suse:suse_linux_office_server (SuSE Linux Office Server)
cpe:/a:suse:suse_linux_admin-cd_for_firewall (SuSE Linux Admin-CD for Firewall)
cpe:/a:suse:suse_linux_firewall_cd (SuSE Linux Firewall CD)
cpe:/a:suse:suse_email_server:iii
cpe:/o:mandrakesoft:mandrake_linux:10.0::amd64
cpe:/a:isc:dhcpd:3.0.1:rc13 (ISC DHCPD 3.0.1 rc13)
cpe:/o:mandrakesoft:mandrake_linux:9.2 (MandrakeSoft Mandrake Linux 9.2)
cpe:/a:isc:dhcpd:3.0.1:rc12 (ISC DHCPD 3.0.1 rc12)
cpe:/o:mandrakesoft:mandrake_linux:9.1 (MandrakeSoft Mandrake Linux 9.1)
cpe:/o:mandrakesoft:mandrake_linux:9.2::amd64
cpe:/h:infoblox:dns_one_appliance:2.3.1_r5
cpe:/o:suse:suse_linux:8.1 (SuSE Linux 8.1)
cpe:/o:suse:suse_linux:9.0 (SuSE Linux 9.0)
cpe:/o:mandrakesoft:mandrake_linux:9.0 (MandrakeSoft Mandrake Linux 9.0)
cpe:/a:suse:suse_linux_database_server (SuSE Linux Database Server)
cpe:/o:suse:suse_linux:8.0 (SuSE Linux 8.0)
cpe:/h:infoblox:dns_one_appliance:2.4.0.8
cpe:/o:suse:suse_linux:8::enterprise_server
cpe:/o:mandrakesoft:mandrake_linux:9.1::ppc
cpe:/o:mandrakesoft:mandrake_linux:10.0 (MandrakeSoft Mandrake Linux 10.0)
cpe:/o:suse:suse_linux:8.2 (SuSE Linux 8.2)
cpe:/o:suse:suse_linux:9.1 (SuSE Linux 9.1)

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0461
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0461
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200408-117
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=108795911203342&w=2
(UNKNOWN)  BUGTRAQ  20040622 DHCP Vuln // no code 0day //
http://marc.info/?l=bugtraq&m=108843959502356&w=2
(UNKNOWN)  BUGTRAQ  20040628 ISC DHCP overflows
http://marc.info/?l=bugtraq&m=108938625206063&w=2
(UNKNOWN)  BUGTRAQ  20040708 [OpenPKG-SA-2004.031] OpenPKG Security Advisory (dhcpd)
http://www.kb.cert.org/vuls/id/654390
(UNKNOWN)  CERT-VN  VU#654390
http://www.mandriva.com/security/advisories?name=MDKSA-2004:061
(UNKNOWN)  MANDRAKE  MDKSA-2004:061
http://www.novell.com/linux/security/advisories/2004_19_dhcp_server.html
(UNKNOWN)  SUSE  SuSE-SA:2004:019
http://www.securityfocus.com/bid/10591
(VENDOR_ADVISORY)  BID  10591
http://www.us-cert.gov/cas/techalerts/TA04-174A.html
(VENDOR_ADVISORY)  CERT  TA04-174A
http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf
(UNKNOWN)  CONFIRM  http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf
http://xforce.iss.net/xforce/xfdb/16476
(VENDOR_ADVISORY)  XF  dhcp-c-include-bo(16476)

- Vulnerability information

ISC DHCP C Include File vsnprintf() Buffer Overflow Vulnerability
Severity: Critical  Type: Boundary Condition Error
Published: 2004-08-06 00:00:00  Updated: 2005-10-20 00:00:00
Attack vector: Remote

- Advisories and patches

        Vendor patch:
        ISC
        ---
        The vendor has released an update that fixes this security issue. Users are advised to upgrade to DHCP 3.0.1rc14 to resolve it; the ISC DHCP 3 series will no longer receive maintenance support:
        ftp://ftp.isc.org/isc/dhcp/

- Vulnerability information

7238
ISC DHCP Daemon vsnprintf Function Multiple Overflows
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Unknown

- Vulnerability description

A remote overflow exists in ISC DHCP 3.0.1. The DHCP server uses the vsprintf() call instead of the vsnprintf() function, resulting in a buffer overflow. With a specially crafted DHCP request, an attacker can cause supplied code to execute, resulting in a loss of integrity.

- Timeline

2004-06-22  Unknown
Unknown  Unknown

- Solution

Upgrade to version 3.0.1rc14 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Credits

- Vulnerability information

ISC DHCPD VSPRINTF Buffer Overflow Vulnerability
Class: Boundary Condition Error  Bugtraq ID: 10591
Remote: Yes  Local: No
Published: 2004-06-22 12:00:00  Updated: 2009-07-12 05:16:00
Discovery is credited to Gregory Duchemin and Solar Designer.

- Affected versions

SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
SuSE SUSE Linux Enterprise Server 7
+ Linux kernel 2.4.19
S.u.S.E. SuSE eMail Server III
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Office Server
S.u.S.E. Linux Firewall on CD
S.u.S.E. Linux Database Server 0
S.u.S.E. Linux Connectivity Server
S.u.S.E. Linux Admin-CD for Firewall
S.u.S.E. Linux 8.1
S.u.S.E. Linux 8.0 i386
S.u.S.E. Linux 8.0
Red Hat Fedora Core2
Mandriva Linux Mandrake 10.0 AMD64
Mandriva Linux Mandrake 10.0
Mandriva Linux Mandrake 9.2 amd64
Mandriva Linux Mandrake 9.2
Mandriva Linux Mandrake 9.1 ppc
Mandriva Linux Mandrake 9.1
Mandriva Linux Mandrake 9.0
ISC DHCPD 3.0.1 rc13
ISC DHCPD 3.0.1 rc12
Infoblox DNS One Appliance 2.4.0-8A
Infoblox DNS One Appliance 2.4.0-8
Infoblox DNS One Appliance 2.3.1-R5

- Not affected versions

ISC DHCPD 3.0.1 rc14

- Vulnerability discussion

ISC DHCPD is reported likely vulnerable to remotely exploitable buffer overflow vulnerabilities on systems which lack a vsnprintf() library function.

On systems which lack the vsnprintf() library call, ISC DHCPD defines vsnprintf as:
#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)

This definition discards the size argument to the function, potentially allowing any occurrence of vsnprintf() to be exploitable, by overflowing whatever intended buffer is passed to the library call.

Other locations in DHCPD utilizing this function may be exploitable. Successfully exploiting this issue may lead to a denial of service condition, or remote code execution in the context of the DHCPD server.

This issue is reported to affect ISC DHCPD versions 3.0.1rc12 and 3.0.1rc13.
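The size-dropping macro is worked through below as an added C example. It is not ISC DHCP code: the 64-byte log buffer, the logger functions, and the 100-byte client hostname are constructed for illustration (ISC DHCP's real buffer is larger, and a real client hostname would arrive in a DHCP option). overflow_bytes() measures how far a formatted log line would run past a fixed buffer once the size argument is discarded, log_fmt_safe() shows the behaviour any vsnprintf fallback must have (a bounded write, with truncation reported through the return value), and vsnprintf_is_macro() is the build-time check a port maintainer can compile against the project's compatibility headers to detect that vsnprintf has been redefined. The block illustrates both the CNNVD description near the top of this page and the discussion in this section.

```c
/* Added example (not ISC DHCP code): what the compatibility macro
 *   #define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)
 * does to a fixed-size log buffer, and what a correct fallback must do.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF_SIZE 64   /* constructed: deliberately small to make the arithmetic visible */

/* The vulnerable pattern under a private name, so the rest of this file can
 * still use the real vsnprintf for comparison. On an affected build the
 * macro was literally named vsnprintf, so every call site silently lost
 * its bound. */
#define unsafe_vsnprintf(buf, size, fmt, list) vsprintf((buf), (fmt), (list))

/* Build-time check: include the project's compatibility headers before this
 * and it returns 1 if vsnprintf has been turned into a macro. */
int vsnprintf_is_macro(void)
{
#ifdef vsnprintf
    return 1;
#else
    return 0;
#endif
}

/* Bytes that formatting `fmt` would write past a `size`-byte buffer when the
 * size is dropped (0 means it fits, terminating NUL included). Uses the
 * real vsnprintf(NULL, 0, ...) only to measure. */
size_t overflow_bytes(size_t size, const char *fmt, ...)
{
    va_list ap;
    int needed;
    size_t total;

    va_start(ap, fmt);
    needed = vsnprintf(NULL, 0, fmt, ap);   /* length excluding the NUL */
    va_end(ap);
    if (needed < 0)
        return 0;
    total = (size_t)needed + 1;              /* account for the NUL */
    return total > size ? total - size : 0;
}

/* Hardened logger: never writes past `size`; returns 1 if the message was
 * truncated (vsnprintf reports the length it wanted), 0 otherwise. */
int log_fmt_safe(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (size == 0)
        return 1;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0) {
        buf[0] = '\0';
        return 1;
    }
    return (size_t)n >= size;
}

/* Vulnerable logger: identical body, compiled against the macro. `size` is
 * ignored, so oversized input writes past `buf`; only call it after
 * overflow_bytes() has confirmed the message fits. */
int log_fmt_unsafe(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    (void)size;                               /* the macro throws it away */
    va_start(ap, fmt);
    n = unsafe_vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Constructed sample input: a 100-byte client-supplied hostname, the kind
 * of attacker-controlled string that ends up in a dhcpd log line. */
const char *sample_hostname(void)
{
    static char host[101];
    memset(host, 'A', sizeof host - 1);
    host[sizeof host - 1] = '\0';
    return host;
}

/* Runs the hardened logger on the sample and returns the resulting length,
 * which must stay below LOGBUF_SIZE whatever the input. */
size_t safe_log_length(void)
{
    char buf[LOGBUF_SIZE];
    log_fmt_safe(buf, sizeof buf, "client %s not found", sample_hostname());
    return strlen(buf);
}

int main(void)
{
    char buf[LOGBUF_SIZE];
    const char *host = sample_hostname();
    size_t over = overflow_bytes(sizeof buf, "client %s not found", host);

    printf("vsnprintf is a macro here: %d\n", vsnprintf_is_macro());
    printf("size-dropping macro would write %zu bytes past a %d-byte buffer\n",
           over, LOGBUF_SIZE);
    printf("real vsnprintf: truncated=%d, wrote %zu bytes\n",
           log_fmt_safe(buf, sizeof buf, "client %s not found", host), strlen(buf));
    if (overflow_bytes(sizeof buf, "client %s not found", "short") == 0) {
        log_fmt_unsafe(buf, sizeof buf, "client %s not found", "short");
        printf("macro path with input that fits: \"%s\"\n", buf);
    }
    return 0;
}
```

The last case in overflow_bytes() is the one a review usually misses: a message whose characters exactly fill the buffer still overflows by the one byte vsprintf needs for the terminating NUL.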

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Mandrake has released advisory MDKSA-2004:061 to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

SuSE linux has released advisory SuSE-SA:2004:019 to address this and other issues. Please see the referenced advisory for further information.

Red Hat Fedora has released advisory FEDORA-2004-190 dealing with this and other issues. Please see the referenced advisory for more information.

OpenPKG has released an advisory (OpenPKG-SA-2004.031) to address this and other issues in dhcpd. Please see the referenced advisory for more information.

ISC has addressed this issue with the release of ISC DHCPD 3.0.1rc14.



- References
