SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#317350

ISC DHCP contains a stack buffer overflow vulnerability in handling log lines containing ASCII characters only

Overview

The Internet Systems Consortium's (ISC) Dynamic Host Configuration Protocol (DHCP) 3 application contains a buffer overflow vulnerability. Exploitation of this vulnerability can cause a denial of service condition to the DHCP Daemon (DHCPD) and may permit a remote attacker to execute arbitrary code on the system with the privileges of the DHCPD process.

I. Description

As described in RFC 2131, "the Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on a TCP/IP network."

ISC DHCPD syslogs every DHCP packet in transactions along with several pieces of descriptive information. The client's DISCOVER and the resulting OFFER, REQUEST, and ACK are all logged as well as any NAKs. In all of these messages, if the client supplied a hostname then it is also included in the logged line. If the client supplies multiple hostname options these options will be concatenated together. If the hostname and options contain only ASCII characters, then the string will pass non-ASCII character filters and be temporarily stored in 1024 byte fixed-length buffers on the stack.

It is possible that if enough hostname options are supplied by the client, and other text is logged in the same line, then the static buffer will be overflown, writing over the stack. If non-ASCII or non-printable characters are supplied, then there are other checks and filters that will prevent this buffer overflow from occuring.

Only ISC DHCP 3.0.1rc12 and ISC DHCP 3.0.1rc13 are believed to be vulnerable for all operating systems and configurations. All versions of ISC DCHP 3, including all snapshots, betas, and release candidates, contain the flawed code. However, since these versions discard of all but the last hostname option provided by the client, it is not believed that these versions are exploitable.

II. Impact

A remote attacker with the ability to send a crafted packet to the DHCPD listening port (typically port 67/UDP), may be able to crash the ISC DHCP daemon, causing a denial of service. It may be possible to execute arbitrary code on the vulnerable server with the privileges of the DHCPD process (typically root).

III. Solution

ISC has released DHCP 3.0.1rc14 which resolves this issue. Versions prior to ISC DHCP 3 are no longer supported. All users of ISC DHCP are encouraged to update to the latest version.

Systems Affected

VendorStatusDate NotifiedDate Updated
3ComUnknown22-Jun-2004
AlcatelUnknown22-Jun-2004
Apple Computer Inc.Not Vulnerable22-Jun-2004
Aruba NetworksNot Vulnerable23-Jun-2004
AT&TUnknown22-Jun-2004
AvayaUnknown22-Jun-2004
Avici Systems Inc.Unknown22-Jun-2004
Charlotte's Web NetworksUnknown22-Jun-2004
Check PointNot Vulnerable22-Jun-2004
Chiaro NetworksNot Vulnerable22-Jun-2004
Cisco Systems Inc.Not Vulnerable24-Jun-2004
ConectivaUnknown22-Jun-2004
Cray Inc.Unknown22-Jun-2004
D-Link SystemsUnknown22-Jun-2004
Data ConnectionUnknown22-Jun-2004
DebianUnknown22-Jun-2004
EMC CorporationUnknown22-Jun-2004
EngardeUnknown22-Jun-2004
Extreme NetworksNot Vulnerable22-Jun-2004
F5 NetworksNot Vulnerable22-Jun-2004
Fedora ProjectVulnerable22-Jun-2004
Foundry Networks Inc.Unknown22-Jun-2004
FreeBSDUnknown22-Jun-2004
FujitsuUnknown22-Jun-2004
Hewlett-Packard CompanyNot Vulnerable22-Jun-2004
HitachiNot Vulnerable22-Jun-2004
HyperchipUnknown22-Jun-2004
IBMNot Vulnerable22-Jun-2004
IBM-zSeriesUnknown22-Jun-2004
IBM eServerUnknown22-Jun-2004
ImmunixUnknown22-Jun-2004
InfoBloxVulnerable13-Jul-2004
Ingrian NetworksUnknown22-Jun-2004
IntelUnknown22-Jun-2004
ISCVulnerable22-Jun-2004
Juniper NetworksNot Vulnerable22-Jun-2004
Lucent TechnologiesUnknown22-Jun-2004
LuminousUnknown22-Jun-2004
MandrakeSoftVulnerable23-Jun-2004
Microsoft CorporationNot Vulnerable23-Jun-2004
MontaVista SoftwareUnknown22-Jun-2004
Multi-Tech Systems Inc.Unknown22-Jun-2004
MultinetUnknown22-Jun-2004
NEC CorporationUnknown22-Jun-2004
NetBSDNot Vulnerable22-Jun-2004
NetScreenUnknown22-Jun-2004
Network ApplianceUnknown22-Jun-2004
NextHopUnknown22-Jun-2004
NokiaUnknown22-Jun-2004
NominumNot Vulnerable24-Jun-2004
Nortel NetworksUnknown22-Jun-2004
NovellUnknown22-Jun-2004
OpenBSDNot Vulnerable23-Jun-2004
Openwall GNU/*/LinuxNot Vulnerable23-Jun-2004
Red Hat Inc.Not Vulnerable22-Jun-2004
Redback Networks Inc.Not Vulnerable22-Jun-2004
Riverstone NetworksNot Vulnerable22-Jun-2004
SCOUnknown22-Jun-2004
SequentUnknown22-Jun-2004
SGIUnknown22-Jun-2004
Sony CorporationUnknown22-Jun-2004
Sun Microsystems Inc.Not Vulnerable22-Jun-2004
SuSE Inc.Vulnerable23-Jun-2004
TurboLinuxUnknown22-Jun-2004
UnisysUnknown22-Jun-2004
Wind River Systems Inc.Unknown22-Jun-2004
ZyXELUnknown22-Jun-2004

References


Credit

Thanks to Gregory Duchemin and Solar Designer for discovering, reporting and resolving this vulnerability. Thanks also to David Hankins of ISC for notifying us of this vulnerability and the technical information provided to create this document.

This document was created by Jason A Rafail and based on the technical information provided by David Hankins of ISC.

Other Information

Date Public:2004-06-22
Date First Published:2004-06-22
Date Last Updated:2004-07-13
CERT Advisory: 
CVE-ID(s):CAN-2004-0460
NVD-ID(s):CAN-2004-0460
US-CERT Technical Alerts: 
Metric:25.51
Document Revision:16

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2004 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader