CVE-2004-1006
CVSS 10.0
Published: 2005-03-01 00:00:00
Last modified: 2016-10-17 22:50:35

[Original] Format string vulnerability in the log functions in dhcpd for dhcp 2.x allows remote DNS servers to execute arbitrary code via certain DNS messages, a different vulnerability than CVE-2002-0702.


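[CNNVD] ISC DHCP format string vulnerability (CNNVD-200503-007)

        ISC DHCP is Dynamic Host Configuration Protocol software.
        The logging functionality of ISC DHCP has a format string issue; a remote attacker can exploit this vulnerability to execute arbitrary instructions on the system with the privileges of the process.
        An attacker carries out the attack by spoofing DNS or by controlling a DNS server; successful exploitation may allow arbitrary instructions to be executed with the privileges of the DHCP process.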

- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:isc:dhcpd:3.0.1:rc3  ISC DHCPD 3.0.1 rc3
cpe:/a:isc:dhcpd:3.0.1:rc4  ISC DHCPD 3.0.1 rc4
cpe:/a:isc:dhcpd:3.0.1:rc1  ISC DHCPD 3.0.1 rc1
cpe:/a:isc:dhcpd:3.0.1:rc2  ISC DHCPD 3.0.1 rc2
cpe:/a:isc:dhcpd:3.0_b2pl23  ISC DHCPD 3.0 b2pl23
cpe:/a:isc:dhcpd:3.0_pl1  ISC DHCPD 3.0 pl1
cpe:/a:isc:dhcpd:3.0_b2pl9  ISC DHCPD 3.0 b2pl9
cpe:/a:isc:dhcpd:2.0.pl5  ISC DHCPD 2.0.pl5
cpe:/a:isc:dhcpd:3.0.1:rc11  ISC DHCPD 3.0.1 rc11
cpe:/a:isc:dhcpd:3.0_pl2  ISC DHCPD 3.0 pl2
cpe:/a:isc:dhcpd:3.0.1:rc10  ISC DHCPD 3.0.1 rc10
cpe:/a:isc:dhcpd:3.0.1:rc13  ISC DHCPD 3.0.1 rc13
cpe:/a:isc:dhcpd:3.0.1:rc12  ISC DHCPD 3.0.1 rc12
cpe:/a:isc:dhcpd:3.0:rc12
cpe:/a:isc:dhcpd:3.0.1:rc14  ISC DHCPD 3.0.1 rc14
cpe:/a:isc:dhcpd:3.0:rc4
cpe:/a:isc:dhcpd:3.0.1:rc7  ISC DHCPD 3.0.1 rc7
cpe:/a:isc:dhcpd:3.0.1:rc8  ISC DHCPD 3.0.1 rc8
cpe:/a:isc:dhcpd:3.0.1:rc5  ISC DHCPD 3.0.1 rc5
cpe:/a:isc:dhcpd:3.0.1:rc6  ISC DHCPD 3.0.1 rc6
cpe:/a:isc:dhcpd:3.0  ISC DHCPD 3.0
cpe:/a:isc:dhcpd:3.0.1:rc9  ISC DHCPD 3.0.1 rc9

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1006
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1006
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200503-007
(Official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/bugtraq/2004-10/0287.html
(UNKNOWN)  BUGTRAQ  20041025 debian dhcpd, old format string bug
http://archives.neohapsis.com/archives/bugtraq/2004-11/0037.html
(UNKNOWN)  BUGTRAQ  20041102 Re: debian dhcpd, old format string bug
http://marc.info/?l=bugtraq&m=109968710822449&w=2
(UNKNOWN)  BUGTRAQ  20041105 Re: debian dhcpd, old format string bug
http://www.debian.org/security/2004/dsa-584
(VENDOR_ADVISORY)  DEBIAN  DSA-584
http://www.kb.cert.org/vuls/id/448384
(UNKNOWN)  CERT-VN  VU#448384
http://www.redhat.com/support/errata/RHSA-2005-212.html
(UNKNOWN)  REDHAT  RHSA-2005:212
http://www.securityfocus.com/bid/11591
(VENDOR_ADVISORY)  BID  11591
http://xforce.iss.net/xforce/xfdb/17963
(VENDOR_ADVISORY)  XF  dhcp-log-format-string(17963)

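- Vulnerability information

ISC DHCP format string vulnerability
Critical  Format string
2005-03-01 00:00:00 2005-10-28 00:00:00
Remote
        ISC DHCP is Dynamic Host Configuration Protocol software.
        The logging functionality of ISC DHCP has a format string issue; a remote attacker can exploit this vulnerability to execute arbitrary instructions on the system with the privileges of the process.
        An attacker carries out the attack by spoofing DNS or by controlling a DNS server; successful exploitation may allow arbitrary instructions to be executed with the privileges of the DHCP process.

- Advisories and patches

        The vendor has not yet provided a patch or upgrade; users of this software are advised to watch the vendor's home page for the latest version:
        http://www.isc.org/index.pl?/sw/dhcp/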

- Vulnerability information

11527
ISC DHCP errwarn.c Logging Format String
Local / Remote, Context Dependent Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-11-08 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

ISC DHCPD Remote Format String Vulnerability
Input Validation Error 11591
Yes No
2004-11-02 12:00:00 2009-07-12 08:06:00
Discovery of this vulnerability is credited to infamous41md@hotpop.com.

- Affected program versions

RedHat Linux 7.3 i686
RedHat Linux 7.3 i386
RedHat Linux 7.3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
ISC DHCPD 3.0.1 rc9
+ Conectiva Linux Enterprise Edition 1.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ OpenPKG OpenPKG 1.1
+ S.u.S.E. Linux 8.1
ISC DHCPD 3.0.1 rc8
ISC DHCPD 3.0.1 rc7
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3
- FreeBSD FreeBSD 4.2
- FreeBSD FreeBSD 4.1.1
ISC DHCPD 3.0.1 rc6
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
ISC DHCPD 3.0.1 rc5
ISC DHCPD 3.0.1 rc4
+ OpenPKG OpenPKG 1.0
ISC DHCPD 3.0.1 rc3
ISC DHCPD 3.0.1 rc2
ISC DHCPD 3.0.1 rc14
ISC DHCPD 3.0.1 rc13
ISC DHCPD 3.0.1 rc12
ISC DHCPD 3.0.1 rc11
+ OpenPKG OpenPKG 1.2
+ OpenPKG OpenPKG Current
ISC DHCPD 3.0.1 rc10
+ OpenPKG OpenPKG Current
ISC DHCPD 3.0.1 rc1
ISC DHCPD 3.0 rc4
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.2
ISC DHCPD 3.0 rc12
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3
ISC DHCPD 3.0 pl2
ISC DHCPD 3.0 pl1
+ Gentoo Linux 1.4 _rc2
+ Gentoo Linux 1.4 _rc1
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
+ Slackware Linux 8.1
ISC DHCPD 3.0 b2pl9
+ Mandriva Linux Mandrake 7.2
ISC DHCPD 3.0 b2pl23
+ MandrakeSoft Single Network Firewall 7.2
ISC DHCPD 3.0
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 8.0
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
- S.u.S.E. Linux 8.0
- S.u.S.E. Linux 7.3
- S.u.S.E. Linux 7.2
- S.u.S.E. Linux Connectivity Server
- S.u.S.E. Linux Database Server 0
- S.u.S.E. Linux Enterprise Server for S/390
- S.u.S.E. SuSE eMail Server III
- SuSE SUSE Linux Enterprise Server 7
ISC DHCPD 2.0.pl5
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
ISC DHCPD 3.0.2rc1

- Unaffected program versions

ISC DHCPD 3.0.2rc1

- Vulnerability discussion

A remote format string vulnerability is reported in the ISC DHCPD server package. User-supplied data is logged in an unsafe fashion. Exploitation of this vulnerability may result in arbitrary code being executed by the DHCP server. Although unconfirmed, it is conjectured that this issue may only be exploitable when debugging functionality is enabled.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

It is reported that the vendor has released an update to address this vulnerability. This update is reported to be located at:
ftp://ftp.isc.org/isc/dhcp/dhcp-3.0.2rc1.tar.gz
This is not confirmed by Symantec; users are advised to contact the vendor for further information.

Debian has released an advisory (DSA 584-1) and fixes to address this issue. Please see the referenced advisory for further information regarding obtaining and applying appropriate updates.

RedHat Linux has released advisory RHSA-2005:212-06 to address this issue in RedHat Enterprise Linux operating systems. Please see the referenced advisory for further information.

RedHat Fedora has released Fedora Legacy security advisory FLSA:152835 addressing this issue. Please see the referenced advisory for further information.


ISC DHCPD 2.0.pl5

- Related references

 

 
