
[linux-security] dhcp remote exploit

remote exploit in ISC's dhcp version 3.0

Problem Description
ISC's DHCPD listens for requests from client machines connecting to the
network. Versions 3 to 3.0.1rc8 (inclusive) of DHCPD contain an option
(NSUPDATE) that is enabled by default. NSUPDATE allows the DHCP server to
send information about the host to the DNS server after processing a DHCP
request. The DNS server responds by sending an acknowledgement message back
to the DHCP server that may contain user-supplied data (like a host name).
When the DHCP server receives the acknowledgement message from the DNS server,
it logs the transaction. A format string vulnerability exists in ISC's DHCPD
code that logs the transaction. This vulnerability may permit a remote
attacker to execute code with the privileges of the DHCP daemon. 
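
The class of bug described above, as an added example that is not ISC's code or part of the original advisory: a logging helper that receives untrusted text as its format string, next to the hardened call that passes the text as an argument. The names log_to, log_ack_unsafe, log_ack_safe and count_conversions are hypothetical, and the host name is a constructed sample.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style logger (not ISC's): formats into buf. */
static int log_to(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, len, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern: the untrusted text IS the format string, so any
 * conversion in it is interpreted. Only called here with benign data. */
static int log_ack_unsafe(char *buf, size_t len, const char *untrusted)
{
    return log_to(buf, len, untrusted);
}

/* Hardened pattern: constant format, untrusted text is only an argument. */
static int log_ack_safe(char *buf, size_t len, const char *untrusted)
{
    return log_to(buf, len, "%s", untrusted);
}

/* Count the conversions a printf-style function would act on in s.
 * "%%" is a literal percent sign and is not counted. */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0') n++;
    }
    return n;
}

int main(void)
{
    const char *hostname = "host-%x-%s";   /* constructed sample input */
    char a[64], b[64];
    log_ack_unsafe(a, sizeof a, "host1");  /* benign input: same result */
    log_ack_safe(b, sizeof b, hostname);   /* logged verbatim */
    printf("%s | %s | conversions=%d\n", a, b, count_conversions(hostname));
    return 0;
}
```

Building with -Wformat -Wformat-security flags direct printf and syslog calls of the unsafe shape; a wrapper like log_to is only checked if it is declared with the GCC format attribute.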

Affected Systems
dhcp versions 3.0 to 3.0.1rc8 inclusive.
(To my knowledge only Mandrake is affected, but check the version of your
dhcp package to make sure)

Upgrade to version 3.0p1 or version 3.0.1rc9 (or a patched version for
your distribution).

Mandrake 7.2
rpm -Fvh dhcp-3.0b2pl9-4.1mdk.i586.rpm \
         dhcp-client-3.0b2pl9-4.1mdk.i586.rpm \

Mandrake 8.1
rpm -Fvh dhcp-client-3.0-0.rc12.2.1mdk.i586.rpm \
         dhcp-common-3.0-0.rc12.2.1mdk.i586.rpm \
         dhcp-devel-3.0-0.rc12.2.1mdk.i586.rpm \
         dhcp-relay-3.0-0.rc12.2.1mdk.i586.rpm \

Mandrake 8.2
rpm -Fvh dhcp-client-3.0-1rc8.2.1mdk.i586.rpm \
         dhcp-common-3.0-1rc8.2.1mdk.i586.rpm \
         dhcp-devel-3.0-1rc8.2.1mdk.i586.rpm \
         dhcp-relay-3.0-1rc8.2.1mdk.i586.rpm \