Alert

Multiple Vulnerabilities in ISC DHCP 3

Last Revised
Alert Code
TA04-174A

Systems Affected

  • ISC DHCP versions 3.0.1rc12 and 3.0.1rc13

Overview

Two vulnerabilities in the ISC DHCP allow a remote attacker to cause a
denial of the DHCP service on a vulnerable system. It may be possible to
exploit these vulnerabilities to execute arbitrary code on the system.

Description

As described in RFC
2131
, "the Dynamic Host Configuration Protocol (DHCP) provides a
framework for passing configuration information to hosts on a TCP/IP
network." The Internet Systems Consortium's (ISC) Dynamic Host
Configuration Protocol (DHCP) 3 application contains two vulnerabilities
that present several potential buffer overflow conditions.

VU#317350 discusses
a buffer overflow vulnerability in the temporary storage of log lines.
In transactions, ISC DHCPD logs every DHCP packet along with several
pieces of descriptive information. The client's DISCOVER and the
resulting OFFER, REQUEST, ACK, and NAKs are all logged. In all of these
messages, if the client supplied a hostname, then it is also included
in the logged line. As part of the DHCP datagram format, a client may
specify multiple hostname options, up to 255 bytes per option. These
options are concatenated by the server. If the hostname and options
contain only ASCII characters, then the string will pass non-ASCII
character filters and be temporarily stored in 1024 byte fixed-length
buffers on the stack. If a client supplies enough hostname options, it
is possible to overflow the fixed-length buffer.

VU#654390 discusses C
include files for systems that do not support the bounds checking
vsnprintf() function. These files define the bounds checking vsnprintf()
to the non-bounds checking vsprintf() function. Since vsprintf() is a
function that does not check bounds, the size is discarded, creating the
potential for a buffer overflow when client data is supplied. Note that
the vsnprintf() statements are defined after the vulnerable code that is
discussed in VU#317350. Since the preconditions for this vulnerability
are similar to those required to exploit VU#317350, these buffer overflow
conditions occur sequentially in the code after the buffer overflow
vulnerability discussed in VU#317350, and these issues were discovered and
resolved at the same time, there is no known exploit path to exploit these
buffer overflow conditions caused by VU#654390. Note that VU#654390 was
discovered and exploitable once VU#317350 was resolved.

For both of the vulnerabilities, only ISC DHCP 3.0.1rc12 and ISC DHCP
3.0.1rc13 are believed to be vulnerable. VU#317350 is exploitable for all
operating systems and configurations. VU#654390 is only defined for the
following operating systems:

  • AIX
  • AlphaOS
  • Cygwin32
  • HP-UX
  • Irix
  • Linux
  • NextStep
  • SCO
  • SunOS 4
  • SunOS 5.5
  • Ultrix

All versions of ISC DCHP 3, including all snapshots, betas, and release
candidates, contain the flawed code. However, versions other than ISC DHCP
3.0.1rc12 and ISC DHCP 3.0.1rc13 discard all but the last hostname option
provided by the client, so it is not believed that these versions are
exploitable.

US-CERT is tracking these issues as VU#317350, which has been
assigned CVE CAN-2004-0460,
and VU#654390, which
has been assigned CVE CAN-2004-0461.

Impact

Exploitation of these vulnerabilities may cause a denial-of-service
condition to the DHCP daemon (DHCPD) and may permit a remote attacker to
execute arbitrary code on the system with the privileges of the DHCPD
process, typically root.

Solution

Apply patches or upgrade

These issues have been resolved in ISC DHCP 3.0.1rc14.
Your vendor may provide specific patches or updates. For vendor-specific
information, please see your vendor's site, or look for your
vendor infomation in VU#317350 and VU#654390. As
vendors report new information to US-CERT, we will update the
vulnerability notes.


Appendix A. References



US-CERT thanks Gregory Duchemin and Solar Designer for
discovering, reporting, and resolving this vulnerability. Thanks also to
David Hankins of ISC for notifying us of this vulnerability and the
technical information provided to create this document.


Feedback can be directed to the author: Jason
A. Rafail


Revision History

  • June 22, 2004: Initial release

    Last updated

This product is provided subject to this Notification and this Privacy & Use policy.