J-Security Center

Title: ISC DHCPD NSUPDATE Remote Format String Vulnerability

Severity: CRITICAL

Description:

ISC DHCPD is a collection of software implementing the Dynamic Host Configuration Protocol (DHCP). It is available for a range of operating systems, including BSD and Solaris.

A remote format string vulnerability has been reported in multiple versions of the DHCPD server. User-supplied data is logged in an unsafe fashion. Exploitation of this vulnerability may result in arbitrary code being executed by the DHCP server, which generally runs as the root user.

This vulnerability is a result of logging performed when a dns-update response is received from a DNS server. This functionality is configurable with the NSUPDATE compile-time option, and is enabled by default in version 3.0 and later of the DHCPD server.

A remote attacker may submit a malicious DHCP request to the vulnerable server. The server will then perform a dns-update request which includes attacker-supplied data. The response that is returned by the DNS server also includes attacker-supplied data. The response is then logged in an unsafe manner.

An attacker may construct a request such that the logged message includes format specifiers such as %n. This can result in arbitrary memory locations being overwritten, including return address data on the stack, and consequently in arbitrary code being executed by the DHCP server process.
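The unsafe logging pattern described above, next to its corrected form, as an added example that is not ISC DHCPD source code. All function names here are hypothetical, the log sink is a plain buffer, and the sample input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char line[256];              /* stand-in for the daemon's log sink */

/* The format attribute (GCC/Clang) lets the compiler check every call site. */
static void log_msg(const char *fmt, ...) __attribute__((format(printf, 1, 2)));
static void log_msg(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(line, sizeof line, fmt, ap);
    va_end(ap);
}

#ifdef DEMO_UNSAFE
/* Unsafe pattern: remote text becomes the format string, so conversions in it
 * are interpreted. -Wformat-security flags this call. Off unless DEMO_UNSAFE. */
const char *log_response_unsafe(const char *untrusted)
{ log_msg(untrusted); return line; }
#endif

/* Corrected pattern: constant format string, remote text passed as data. */
const char *log_response_safe(const char *untrusted)
{
    log_msg("dns-update response: %s", untrusted);
    return line;
}

/* Audit helper: count conversion specifiers in untrusted text ("%%" is literal). */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0') n++;
    }
    return n;
}

int main(void)
{
    const char *sample = "host%n%x%s";   /* constructed input */
    printf("%s (%d specifiers)\n", log_response_safe(sample), count_conversions(sample));
    return 0;
}
```

Building with -Wformat -Wformat-security makes the compiler report any call that passes a non-literal string as the format argument, which is how this class of bug is usually caught in review.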

Affected Products:

  • Caldera OpenLinux Server 3.1.0
  • Caldera OpenLinux Server 3.1.1
  • Caldera OpenLinux Workstation 3.1.0
  • Caldera OpenLinux Workstation 3.1.1
  • Conectiva Linux 8.0.0
  • Debian Linux 3.0.0 alpha
  • Debian Linux 3.0.0 arm
  • Debian Linux 3.0.0 hppa
  • Debian Linux 3.0.0 ia-32
  • Debian Linux 3.0.0 ia-64
  • Debian Linux 3.0.0 m68k
  • Debian Linux 3.0.0 mips
  • Debian Linux 3.0.0 mipsel
  • Debian Linux 3.0.0 ppc
  • Debian Linux 3.0.0 s/390
  • Debian Linux 3.0.0 sparc
  • ISC DHCPD 2.0.pl5
  • ISC DHCPD 3.0.0
  • ISC DHCPD 3.0.1 rc1
  • ISC DHCPD 3.0.1 rc2
  • ISC DHCPD 3.0.1 rc3
  • ISC DHCPD 3.0.1 rc4
  • ISC DHCPD 3.0.1 rc5
  • ISC DHCPD 3.0.1 rc6
  • ISC DHCPD 3.0.1 rc7
  • ISC DHCPD 3.0.1 rc8
  • MandrakeSoft Linux Mandrake 8.1.0
  • MandrakeSoft Linux Mandrake 8.1.0 ia64
  • MandrakeSoft Linux Mandrake 8.2.0
  • MandrakeSoft Linux Mandrake 8.2.0 ppc
  • MandrakeSoft Linux Mandrake 9.0.0
  • MandrakeSoft Multi Network Firewall 2.0.0
  • OpenPKG OpenPKG 1.0.0
  • S.u.S.E. Linux 8.0.0
  • S.u.S.E. Linux 8.0.0 i386
