
19 vulnerabilities found for dhcpd by isc

VAR-201104-0082

Vulnerability from variot - Updated: 2026-03-09 22:43

dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message, as demonstrated by a hostname that is provided to dhclient-script. The ISC dhclient contains a vulnerability that could allow a remote attacker to execute arbitrary code on the client machine. Apple has released a firmware update for Apple Time Capsule and AirPort Base Station (802.11n). Processing a crafted DHCP response may allow arbitrary commands to be executed. Depending on the script and OS, this can result in execution of exploit code on the client.

CVSS Score: 6.8 (AV:A/AC:L/Au:N/C:P/I:N/A:C)

For more information on CVSS scores, visit http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

Workarounds:

On SUSE systems, it is possible to disable hostname update by setting DHCLIENT_SET_HOSTNAME="no" in /etc/sysconfig/network/dhcp.

Other systems may add the following line to dhclient-script at the beginning of the set_hostname() function:

new_host_name=${new_host_name//[^-.a-zA-Z0-9]/}

In environments where filters/acls can be put into place to limit clients to accessing only legitimate dhcp servers, this will protect clients from rogue dhcp servers deliberately trying to exploit this bug. However, this will not protect from compromised servers.

Active exploits:

None known at this time. https://www.isc.org/downloads/all

No patch is available for 4.0.x as it is EOL. Anyone running 4.1.x should upgrade to 4.1-ESV-R2.


Debian Security Advisory DSA-2216-1                   security@debian.org
http://www.debian.org/security/                                Nico Golde
April 10, 2011                         http://www.debian.org/security/faq


Package        : isc-dhcp
Vulnerability  : missing input sanitization
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-0997
Debian bug     : 621099

Sebastian Krahmer and Marius Tomaschewski discovered that dhclient of isc-dhcp, a DHCP client, is not properly filtering shell meta-characters in certain options in DHCP server responses. These options are reused in an insecure fashion by dhclient scripts.

For the oldstable distribution (lenny), this problem has been fixed in additional update for dhcp3.

For the stable distribution (squeeze), this problem has been fixed in version 4.1.1-P1-15+squeeze2.

For the testing distribution (wheezy), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version 4.1.1-P1-16.1.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org



Gentoo Linux Security Advisory GLSA 201301-06
http://security.gentoo.org/

Severity: Normal
Title: ISC DHCP: Denial of Service
Date: January 09, 2013
Bugs: #362453, #378799, #393617, #398763, #428120, #434880
ID: 201301-06


Synopsis

Multiple vulnerabilities have been found in ISC DHCP, the worst of which may allow remote Denial of Service.

Background

ISC DHCP is a Dynamic Host Configuration Protocol (DHCP) client/server.

Affected packages

-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------

  1  net-misc/dhcp               < 4.2.4_p2               >= 4.2.4_p2

Description

Multiple vulnerabilities have been discovered in ISC DHCP. Please review the CVE identifiers referenced below for details.

Resolution

All ISC DHCP users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/dhcp-4.2.4_p2"

References

[ 1 ] CVE-2011-0997 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0997
[ 2 ] CVE-2011-2748 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2748
[ 3 ] CVE-2011-2749 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2749
[ 4 ] CVE-2011-4539 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4539
[ 5 ] CVE-2011-4868 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4868
[ 6 ] CVE-2012-3570 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3570
[ 7 ] CVE-2012-3571 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3571
[ 8 ] CVE-2012-3954 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3954
[ 9 ] CVE-2012-3955 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3955

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201301-06.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License

Copyright 2013 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

This issue is addressed by stripping shell meta-characters in dhclient-script.

It is recommended that AirPort Utility 5.5.3 or later be installed before upgrading to Firmware version 7.6.



TITLE: ISC DHCP "dhclient" Response Processing Input Sanitation Vulnerability

SECUNIA ADVISORY ID: SA44037

VERIFY ADVISORY: http://secunia.com/advisories/44037/

RELEASE DATE: 2011-04-07


DESCRIPTION: A vulnerability has been reported in ISC DHCP, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to certain shell meta-characters not being stripped or escaped when processing responses from a DHCP server. This can be exploited to submit shell commands to the "dhclient-script" script via e.g. a specially crafted "hostname" response.

The vulnerability is reported in versions 3.0.x through 4.2.x.

SOLUTION: Update to version 3.1-ESV-R1 and 4.1-ESV-R2 or 4.2.1-P1.


PROVIDED AND/OR DISCOVERED BY: The vendor credits Sebastian Krahmer and Marius Tomaschewski, SUSE Security Team.

ORIGINAL ADVISORY: https://www.isc.org/software/dhcp/advisories/cve-2011-0997




{
  "affected_products": {
    "_id": null,
    "data": [
      {
        "_id": null,
        "model": "dhcp",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "isc",
        "version": "4.2.0"
      },
      {
        "_id": null,
        "model": "dhcp",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "isc",
        "version": "4.1-esv"
      },
      {
        "_id": null,
        "model": "dhcp",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "isc",
        "version": "4.2.1"
      },
      {
        "_id": null,
        "model": "linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "debian",
        "version": "6.0"
      },
      {
        "_id": null,
        "model": "dhcp",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "isc",
        "version": "3.0"
      },
      {
        "_id": null,
        "model": "ubuntu linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "canonical",
        "version": "10.04"
      },
      {
        "_id": null,
        "model": "dhcp",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "isc",
        "version": "3.0.2"
      },
      {
        "_id": null,
        "model": "dhcp",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "isc",
        "version": "3.0.6"
      },
      {
        "_id": null,
        "model": "dhcp",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "isc",
        "version": "3.0.1"
      },
      {
        "_id": null,
        "model": "ubuntu linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "canonical",
        "version": "6.06"
      },
      {
        "_id": null,
        "model": "dhcp",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "isc",
        "version": "3.0.3"
      },
      {
        "_id": null,
        "model": "dhcp",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "isc",
        "version": "3.1.3"
      },
      {
        "_id": null,
        "model": "ubuntu linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "canonical",
        "version": "9.10"
      },
      {
        "_id": null,
        "model": "dhcp",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "isc",
        "version": "3.1.2"
      },
      {
        "_id": null,
        "model": "ubuntu linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "canonical",
        "version": "10.10"
      },
      {
        "_id": null,
        "model": "dhcp",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "isc",
        "version": "3.0.5"
      },
      {
        "_id": null,
        "model": "dhcp",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "isc",
        "version": "3.1.0"
      },
      {
        "_id": null,
        "model": "linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "debian",
        "version": "7.0"
      },
      {
        "_id": null,
        "model": "ubuntu linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "canonical",
        "version": "8.04"
      },
      {
        "_id": null,
        "model": "dhcp",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "isc",
        "version": "3.1.1"
      },
      {
        "_id": null,
        "model": "linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "debian",
        "version": "5.0"
      },
      {
        "_id": null,
        "model": "dhcp",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "isc",
        "version": "3.1-esv"
      },
      {
        "_id": null,
        "model": "dhcp",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "isc",
        "version": "3.0.4"
      },
      {
        "_id": null,
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "debian gnu linux",
        "version": null
      },
      {
        "_id": null,
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "fedora",
        "version": null
      },
      {
        "_id": null,
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "internet consortium",
        "version": null
      },
      {
        "_id": null,
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "mandriva s a",
        "version": null
      },
      {
        "_id": null,
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "red hat",
        "version": null
      },
      {
        "_id": null,
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "slackware linux",
        "version": null
      },
      {
        "_id": null,
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "ubuntu",
        "version": null
      },
      {
        "_id": null,
        "model": "airmac base station",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "apple",
        "version": "7.6"
      },
      {
        "_id": null,
        "model": "time capsule",
        "scope": null,
        "trust": 0.8,
        "vendor": "apple",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#107886"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201104-043"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2011-003066"
      },
      {
        "db": "NVD",
        "id": "CVE-2011-0997"
      }
    ]
  },
  "configurations": {
    "_id": null,
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/o:apple:airport_base_station_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/a:apple:time_capsule",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2011-003066"
      }
    ]
  },
  "credits": {
    "_id": null,
    "data": "Debian",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "100273"
      },
      {
        "db": "PACKETSTORM",
        "id": "100274"
      }
    ],
    "trust": 0.2
  },
  "cve": "CVE-2011-0997",
  "cvss": {
    "_id": null,
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CVE-2011-0997",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 1.9,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2011-0997",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "CARNEGIE MELLON",
            "id": "VU#107886",
            "trust": 0.8,
            "value": "11.34"
          },
          {
            "author": "NVD",
            "id": "CVE-2011-0997",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201104-043",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2011-0997",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#107886"
      },
      {
        "db": "VULMON",
        "id": "CVE-2011-0997"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201104-043"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2011-003066"
      },
      {
        "db": "NVD",
        "id": "CVE-2011-0997"
      }
    ]
  },
  "description": {
    "_id": null,
    "data": "dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message, as demonstrated by a hostname that is provided to dhclient-script. The ISC dhclient contains a vulnerability that could allow a remote attacker to execute arbitrary code on the client machine. Apple From Apple Time Capsule and AirPort Base Station (802.11n) Firmware update for has been released.Crafted DHCP Any command may be executed by processing the response. Depending on the script and OS, this can result in execution of exploit code on the client. \n\nCVSS Score: 6.8 (AV:A/AC:L/Au:N/C:P/I:N/A:C)\n\nFor more information on CVSS scores, visit http://nvd.nist.gov/cvss.cfm?calculator\u0026adv\u0026version=2 \n\nWorkarounds: \n\nOn SUSE systems, it is possible to disable hostname update by setting DHCLIENT_SET_HOSTNAME=\"no\" in /etc/sysconfig/network/dhcp. \n\nOther systems may add following line to dhclient-script at the beginning of the set_hostname() function:\n\nnew_host_name=${new_host_name//[^-.a-zA-Z0-9]/}\n\nIn environments where filters/acls can be put into place to limit clients to accessing only legitimate dhcp servers, this will protect clients from rogue dhcp servers deliberately trying to exploit this bug. However, this will not protect from compromised servers. \n\n\nActive exploits: \n\nNone known at this time.  https://www.isc.org/downloads/all\n\nNo patch is available for 4.0.x as it is EOL.  Anyone running 4.1.x should upgrade to 4.1-ESV-R2. 
-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2216-1                   security@debian.org\nhttp://www.debian.org/security/                                Nico Golde\nApril 10, 2011                         http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage        : isc-dhcp\nVulnerability  : missing input sanitization\nProblem type   : remote\nDebian-specific: no\nCVE ID         : CVE-2011-0997\nDebian bug     : 621099\n\nSebastian Krahmer and Marius Tomaschewski discovered that dhclient of\nisc-dhcp, a DHCP client, is not properly filtering shell meta-characters\nin certain options in DHCP server responses.  These options are reused in\nan insecure fashion by dhclient scripts. \n\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nadditional update for dhcp3. \n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 4.1.1-P1-15+squeeze2. \n\nFor the testing distribution (wheezy), this problem will be fixed soon. \n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 4.1.1-P1-16.1. \n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.10 (GNU/Linux)\n\niEYEARECAAYFAk2iJ1AACgkQHYflSXNkfP8fEwCglH3YEMa8hlo7ChGFlvT7K9v5\nBMcAoIuGqJofENG1o5SiXU1/E9qEF/Am\n=5Q/C\n-----END PGP SIGNATURE-----\n\n_______________________________________________\nFull-Disclosure - We believe in it. \nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\nHosted and sponsored by Secunia - http://secunia.com/\n. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory                           GLSA 201301-06\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n                                            http://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Normal\n    Title: ISC DHCP: Denial of Service\n     Date: January 09, 2013\n     Bugs: #362453, #378799, #393617, #398763, #428120, #434880\n       ID: 201301-06\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities have been found in ISC DHCP, the worst of\nwhich may allow remote Denial of Service. \n\nBackground\n==========\n\nISC DHCP is a Dynamic Host Configuration Protocol (DHCP) client/server. \n\nAffected packages\n=================\n\n    -------------------------------------------------------------------\n     Package              /     Vulnerable     /            Unaffected\n    -------------------------------------------------------------------\n  1  net-misc/dhcp               \u003c 4.2.4_p2               \u003e= 4.2.4_p2\n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in ISC DHCP. Please\nreview the CVE identifiers referenced below for details. 
\n\nResolution\n==========\n\nAll ISC DHCP users should upgrade to the latest version:\n\n  # emerge --sync\n  # emerge --ask --oneshot --verbose \"\u003e=net-misc/dhcp-4.2.4_p2\"\n\nReferences\n==========\n\n[ 1 ] CVE-2011-0997\n      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0997\n[ 2 ] CVE-2011-2748\n      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2748\n[ 3 ] CVE-2011-2749\n      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2749\n[ 4 ] CVE-2011-4539\n      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4539\n[ 5 ] CVE-2011-4868\n      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4868\n[ 6 ] CVE-2012-3570\n      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3570\n[ 7 ] CVE-2012-3571\n      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3571\n[ 8 ] CVE-2012-3954\n      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3954\n[ 9 ] CVE-2012-3955\n      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3955\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n http://security.gentoo.org/glsa/glsa-201301-06.xml\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2013 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttp://creativecommons.org/licenses/by-sa/2.5\n. This issue is addressed by stripping shell meta-characters\nin dhclient-script. \n\nIt is recommended that AirPort Utility 5.5.3 or later be installed\nbefore upgrading to Firmware version 7.6. 
----------------------------------------------------------------------\n\n\nQ1 Factsheets released:\n\nhttp://secunia.com/resources/factsheets/2011_vendor/\n\n\n----------------------------------------------------------------------\n\nTITLE:\nISC DHCP \"dhclient\" Response Processing Input Sanitation\nVulnerability\n\nSECUNIA ADVISORY ID:\nSA44037\n\nVERIFY ADVISORY:\nSecunia.com\nhttp://secunia.com/advisories/44037/\nCustomer Area (Credentials Required)\nhttps://ca.secunia.com/?page=viewadvisory\u0026vuln_id=44037\n\nRELEASE DATE:\n2011-04-07\n\nDISCUSS ADVISORY:\nhttp://secunia.com/advisories/44037/#comments\n\nAVAILABLE ON SITE AND IN CUSTOMER AREA:\n * Last Update\n * Popularity\n * Comments\n * Criticality Level\n * Impact\n * Where\n * Solution Status\n * Operating System / Software\n * CVE Reference(s)\n\nhttp://secunia.com/advisories/44037/\n\nONLY AVAILABLE IN CUSTOMER AREA:\n * Authentication Level\n * Report Reliability\n * Secunia PoC\n * Secunia Analysis\n * Systems Affected\n * Approve Distribution\n * Remediation Status\n * Secunia CVSS Score\n * CVSS\n\nhttps://ca.secunia.com/?page=viewadvisory\u0026vuln_id=44037\n\nONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:\n * AUTOMATED SCANNING\n\nhttp://secunia.com/vulnerability_scanning/personal/\nhttp://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/\n\nDESCRIPTION:\nA vulnerability has been reported in ISC DHCP, which can be exploited\nby malicious people to compromise a vulnerable system. \n\nThe vulnerability is caused due to certain shell meta-characters not\nbeing stripped or escaped when processing responses from a DHCP\nserver. This can be exploited to submit shell commands to the\n\"dhclient-script\" script via e.g. a specially crafted \"hostname\"\nresponse. \n\nThe vulnerability is reported in versions 3.0.x through 4.2.x. \n\nSOLUTION:\nUpdate to version 3.1-ESV-R1 and 4.1-ESV-R2 or 4.2.1-P1. 
\n\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nPROVIDED AND/OR DISCOVERED BY:\nThe vendor credits Sebastian Krahmer and Marius Tomaschewski, SUSE\nSecurity Team. \n\nORIGINAL ADVISORY:\nhttps://www.isc.org/software/dhcp/advisories/cve-2011-0997\n\nOTHER REFERENCES:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nDEEP LINKS:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXTENDED DESCRIPTION:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXTENDED SOLUTION:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXPLOIT:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\nprivate users keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2011-0997"
      },
      {
        "db": "CERT/CC",
        "id": "VU#107886"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2011-003066"
      },
      {
        "db": "VULMON",
        "id": "CVE-2011-0997"
      },
      {
        "db": "PACKETSTORM",
        "id": "100160"
      },
      {
        "db": "PACKETSTORM",
        "id": "100273"
      },
      {
        "db": "PACKETSTORM",
        "id": "119354"
      },
      {
        "db": "PACKETSTORM",
        "id": "106987"
      },
      {
        "db": "PACKETSTORM",
        "id": "100274"
      },
      {
        "db": "PACKETSTORM",
        "id": "100149"
      }
    ],
    "trust": 2.97
  },
  "external_ids": {
    "_id": null,
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#107886",
        "trust": 3.3
      },
      {
        "db": "NVD",
        "id": "CVE-2011-0997",
        "trust": 3.1
      },
      {
        "db": "SECUNIA",
        "id": "44037",
        "trust": 1.9
      },
      {
        "db": "VUPEN",
        "id": "ADV-2011-1000",
        "trust": 1.7
      },
      {
        "db": "VUPEN",
        "id": "ADV-2011-0909",
        "trust": 1.7
      },
      {
        "db": "VUPEN",
        "id": "ADV-2011-0915",
        "trust": 1.7
      },
      {
        "db": "VUPEN",
        "id": "ADV-2011-0926",
        "trust": 1.7
      },
      {
        "db": "VUPEN",
        "id": "ADV-2011-0965",
        "trust": 1.7
      },
      {
        "db": "VUPEN",
        "id": "ADV-2011-0879",
        "trust": 1.7
      },
      {
        "db": "VUPEN",
        "id": "ADV-2011-0886",
        "trust": 1.7
      },
      {
        "db": "SECUNIA",
        "id": "44103",
        "trust": 1.7
      },
      {
        "db": "SECUNIA",
        "id": "44127",
        "trust": 1.7
      },
      {
        "db": "SECUNIA",
        "id": "44048",
        "trust": 1.7
      },
      {
        "db": "SECUNIA",
        "id": "44180",
        "trust": 1.7
      },
      {
        "db": "SECUNIA",
        "id": "44089",
        "trust": 1.7
      },
      {
        "db": "SECUNIA",
        "id": "44090",
        "trust": 1.7
      },
      {
        "db": "SECTRACK",
        "id": "1025300",
        "trust": 1.7
      },
      {
        "db": "JUNIPER",
        "id": "JSA10761",
        "trust": 1.7
      },
      {
        "db": "BID",
        "id": "47176",
        "trust": 1.7
      },
      {
        "db": "OSVDB",
        "id": "71493",
        "trust": 1.7
      },
      {
        "db": "EXPLOIT-DB",
        "id": "37623",
        "trust": 1.7
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2011-003066",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201104-043",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2011-0997",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "100160",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "100273",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "119354",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "106987",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "100274",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "100149",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#107886"
      },
      {
        "db": "VULMON",
        "id": "CVE-2011-0997"
      },
      {
        "db": "PACKETSTORM",
        "id": "100160"
      },
      {
        "db": "PACKETSTORM",
        "id": "100273"
      },
      {
        "db": "PACKETSTORM",
        "id": "119354"
      },
      {
        "db": "PACKETSTORM",
        "id": "106987"
      },
      {
        "db": "PACKETSTORM",
        "id": "100274"
      },
      {
        "db": "PACKETSTORM",
        "id": "100149"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201104-043"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2011-003066"
      },
      {
        "db": "NVD",
        "id": "CVE-2011-0997"
      }
    ]
  },
  "id": "VAR-201104-0082",
  "iot": {
    "_id": null,
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.413494225
  },
  "last_update_date": "2026-03-09T22:43:44.086000Z",
  "patch": {
    "_id": null,
    "data": [
      {
        "title": "HT5005",
        "trust": 0.8,
        "url": "http://support.apple.com/kb/HT5005"
      },
      {
        "title": "ISC DHCP dhclient Response processing shell Measures to fix meta-character code execution vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=113225"
      },
      {
        "title": "Debian CVElist Bug Report Logs: isc-dhcp-client: CVE-2011-0997",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=a3bf1099a3f6410da5cb17491cb28710"
      },
      {
        "title": "Ubuntu Security Notice: dhcp3 vulnerability",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-1108-2"
      },
      {
        "title": "Ubuntu Security Notice: dhcp3 vulnerability",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-1108-1"
      },
      {
        "title": "Debian Security Advisories: DSA-2216-1 isc-dhcp -- missing input sanitization",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=9079594e67dfba2ce5fd90c652ce64af"
      },
      {
        "title": "Debian CVElist Bug Report Logs: CVE-2011-2716 udhcpc insufficient checking of DHCP options",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=d937c5addcd54815f7f0480b4b3a55e2"
      },
      {
        "title": "VMware Security Advisories: VMware ESX third party updates for Service Console packages glibc and dhcp",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=vmware_security_advisories\u0026qid=386db0c9014e75eeed9029418ea6714f"
      },
      {
        "title": "Citrix Security Bulletins: Archive: Citrix XenServer Multiple Security Updates",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=citrix_security_bulletins\u0026qid=30a988053a9b9c888e66371d7b3040f2"
      },
      {
        "title": "Threatpost",
        "trust": 0.1,
        "url": "https://threatpost.com/critical-rce-bug-avaya-voip-phones/147122/"
      },
      {
        "title": "BleepingComputer",
        "trust": 0.1,
        "url": "https://www.bleepingcomputer.com/news/security/avaya-voip-phones-harbored-10-year-old-vulnerability/"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2011-0997"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201104-043"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2011-003066"
      }
    ]
  },
  "problemtype_data": {
    "_id": null,
    "data": [
      {
        "problemtype": "CWE-20",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2011-003066"
      },
      {
        "db": "NVD",
        "id": "CVE-2011-0997"
      }
    ]
  },
  "references": {
    "_id": null,
    "data": [
      {
        "trust": 2.6,
        "url": "http://www.kb.cert.org/vuls/id/107886"
      },
      {
        "trust": 1.8,
        "url": "http://security.gentoo.org/glsa/glsa-201301-06.xml"
      },
      {
        "trust": 1.8,
        "url": "https://www.isc.org/software/dhcp/advisories/cve-2011-0997"
      },
      {
        "trust": 1.7,
        "url": "http://kb.juniper.net/infocenter/index?page=content\u0026id=jsa10761"
      },
      {
        "trust": 1.7,
        "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-april/057888.html"
      },
      {
        "trust": 1.7,
        "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-april/058279.html"
      },
      {
        "trust": 1.7,
        "url": "http://marc.info/?l=bugtraq\u0026m=133226187115472\u0026w=2"
      },
      {
        "trust": 1.7,
        "url": "http://secunia.com/advisories/44037"
      },
      {
        "trust": 1.7,
        "url": "http://secunia.com/advisories/44048"
      },
      {
        "trust": 1.7,
        "url": "http://secunia.com/advisories/44089"
      },
      {
        "trust": 1.7,
        "url": "http://secunia.com/advisories/44090"
      },
      {
        "trust": 1.7,
        "url": "http://secunia.com/advisories/44103"
      },
      {
        "trust": 1.7,
        "url": "http://secunia.com/advisories/44127"
      },
      {
        "trust": 1.7,
        "url": "http://secunia.com/advisories/44180"
      },
      {
        "trust": 1.7,
        "url": "http://securitytracker.com/id?1025300"
      },
      {
        "trust": 1.7,
        "url": "http://slackware.com/security/viewer.php?l=slackware-security\u0026y=2011\u0026m=slackware-security.593345"
      },
      {
        "trust": 1.7,
        "url": "http://www.debian.org/security/2011/dsa-2216"
      },
      {
        "trust": 1.7,
        "url": "http://www.debian.org/security/2011/dsa-2217"
      },
      {
        "trust": 1.7,
        "url": "http://www.mandriva.com/security/advisories?name=mdvsa-2011:073"
      },
      {
        "trust": 1.7,
        "url": "http://www.osvdb.org/71493"
      },
      {
        "trust": 1.7,
        "url": "http://www.redhat.com/support/errata/rhsa-2011-0428.html"
      },
      {
        "trust": 1.7,
        "url": "http://www.redhat.com/support/errata/rhsa-2011-0840.html"
      },
      {
        "trust": 1.7,
        "url": "http://www.securityfocus.com/bid/47176"
      },
      {
        "trust": 1.7,
        "url": "http://www.ubuntu.com/usn/usn-1108-1"
      },
      {
        "trust": 1.7,
        "url": "http://www.vupen.com/english/advisories/2011/0879"
      },
      {
        "trust": 1.7,
        "url": "http://www.vupen.com/english/advisories/2011/0886"
      },
      {
        "trust": 1.7,
        "url": "http://www.vupen.com/english/advisories/2011/0909"
      },
      {
        "trust": 1.7,
        "url": "http://www.vupen.com/english/advisories/2011/0915"
      },
      {
        "trust": 1.7,
        "url": "http://www.vupen.com/english/advisories/2011/0926"
      },
      {
        "trust": 1.7,
        "url": "http://www.vupen.com/english/advisories/2011/0965"
      },
      {
        "trust": 1.7,
        "url": "http://www.vupen.com/english/advisories/2011/1000"
      },
      {
        "trust": 1.7,
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=689832"
      },
      {
        "trust": 1.7,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/66580"
      },
      {
        "trust": 1.7,
        "url": "https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a12812"
      },
      {
        "trust": 1.7,
        "url": "https://www.exploit-db.com/exploits/37623/"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-0997"
      },
      {
        "trust": 0.8,
        "url": "https://jvn.jp/cert/jvnvu107886/"
      },
      {
        "trust": 0.8,
        "url": "https://jvn.jp/cert/jvnvu309451/"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-0997"
      },
      {
        "trust": 0.5,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2011-0997"
      },
      {
        "trust": 0.2,
        "url": "http://secunia.com/"
      },
      {
        "trust": 0.2,
        "url": "http://www.debian.org/security/faq"
      },
      {
        "trust": 0.2,
        "url": "http://www.debian.org/security/"
      },
      {
        "trust": 0.2,
        "url": "http://lists.grok.org.uk/full-disclosure-charter.html"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/20.html"
      },
      {
        "trust": 0.1,
        "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=621099"
      },
      {
        "trust": 0.1,
        "url": "https://www.rapid7.com/db/vulnerabilities/linuxrpm-rhsa-2011-0428"
      },
      {
        "trust": 0.1,
        "url": "https://usn.ubuntu.com/1108-2/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://www.isc.org/downloads/all"
      },
      {
        "trust": 0.1,
        "url": "http://nvd.nist.gov/cvss.cfm?calculator\u0026adv\u0026version=2"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2011-2748"
      },
      {
        "trust": 0.1,
        "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-0997"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2012-3955"
      },
      {
        "trust": 0.1,
        "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2012-3571"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2012-3954"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2011-4539"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2012-3570"
      },
      {
        "trust": 0.1,
        "url": "http://creativecommons.org/licenses/by-sa/2.5"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2011-4868"
      },
      {
        "trust": 0.1,
        "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2012-3954"
      },
      {
        "trust": 0.1,
        "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-4539"
      },
      {
        "trust": 0.1,
        "url": "http://security.gentoo.org/"
      },
      {
        "trust": 0.1,
        "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-2749"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2011-2749"
      },
      {
        "trust": 0.1,
        "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2012-3570"
      },
      {
        "trust": 0.1,
        "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2012-3955"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2012-3571"
      },
      {
        "trust": 0.1,
        "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-2748"
      },
      {
        "trust": 0.1,
        "url": "https://bugs.gentoo.org."
      },
      {
        "trust": 0.1,
        "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-4868"
      },
      {
        "trust": 0.1,
        "url": "https://www.apple.com/support/security/pgp/"
      },
      {
        "trust": 0.1,
        "url": "http://www.apple.com/support/downloads/"
      },
      {
        "trust": 0.1,
        "url": "http://support.apple.com/kb/ht1222"
      },
      {
        "trust": 0.1,
        "url": "https://ca.secunia.com/?page=viewadvisory\u0026vuln_id=44037"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/products/corporate/evm/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/about_secunia_advisories/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/secunia_security_advisories/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/44037/#comments"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/44037/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/vulnerability_scanning/personal/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/resources/factsheets/2011_vendor/"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#107886"
      },
      {
        "db": "VULMON",
        "id": "CVE-2011-0997"
      },
      {
        "db": "PACKETSTORM",
        "id": "100160"
      },
      {
        "db": "PACKETSTORM",
        "id": "100273"
      },
      {
        "db": "PACKETSTORM",
        "id": "119354"
      },
      {
        "db": "PACKETSTORM",
        "id": "106987"
      },
      {
        "db": "PACKETSTORM",
        "id": "100274"
      },
      {
        "db": "PACKETSTORM",
        "id": "100149"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201104-043"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2011-003066"
      },
      {
        "db": "NVD",
        "id": "CVE-2011-0997"
      }
    ]
  },
  "sources": {
    "_id": null,
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#107886",
        "ident": null
      },
      {
        "db": "VULMON",
        "id": "CVE-2011-0997",
        "ident": null
      },
      {
        "db": "PACKETSTORM",
        "id": "100160",
        "ident": null
      },
      {
        "db": "PACKETSTORM",
        "id": "100273",
        "ident": null
      },
      {
        "db": "PACKETSTORM",
        "id": "119354",
        "ident": null
      },
      {
        "db": "PACKETSTORM",
        "id": "106987",
        "ident": null
      },
      {
        "db": "PACKETSTORM",
        "id": "100274",
        "ident": null
      },
      {
        "db": "PACKETSTORM",
        "id": "100149",
        "ident": null
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201104-043",
        "ident": null
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2011-003066",
        "ident": null
      },
      {
        "db": "NVD",
        "id": "CVE-2011-0997",
        "ident": null
      }
    ]
  },
  "sources_release_date": {
    "_id": null,
    "data": [
      {
        "date": "2011-04-05T00:00:00",
        "db": "CERT/CC",
        "id": "VU#107886",
        "ident": null
      },
      {
        "date": "2011-04-08T00:00:00",
        "db": "VULMON",
        "id": "CVE-2011-0997",
        "ident": null
      },
      {
        "date": "2011-04-07T15:19:36",
        "db": "PACKETSTORM",
        "id": "100160",
        "ident": null
      },
      {
        "date": "2011-04-11T14:45:39",
        "db": "PACKETSTORM",
        "id": "100273",
        "ident": null
      },
      {
        "date": "2013-01-09T02:26:37",
        "db": "PACKETSTORM",
        "id": "119354",
        "ident": null
      },
      {
        "date": "2011-11-15T05:14:36",
        "db": "PACKETSTORM",
        "id": "106987",
        "ident": null
      },
      {
        "date": "2011-04-11T14:46:07",
        "db": "PACKETSTORM",
        "id": "100274",
        "ident": null
      },
      {
        "date": "2011-04-06T08:45:32",
        "db": "PACKETSTORM",
        "id": "100149",
        "ident": null
      },
      {
        "date": "2011-04-11T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201104-043",
        "ident": null
      },
      {
        "date": "2011-11-28T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2011-003066",
        "ident": null
      },
      {
        "date": "2011-04-08T15:17:27.387000",
        "db": "NVD",
        "id": "CVE-2011-0997",
        "ident": null
      }
    ]
  },
  "sources_update_date": {
    "_id": null,
    "data": [
      {
        "date": "2011-05-06T00:00:00",
        "db": "CERT/CC",
        "id": "VU#107886",
        "ident": null
      },
      {
        "date": "2020-04-01T00:00:00",
        "db": "VULMON",
        "id": "CVE-2011-0997",
        "ident": null
      },
      {
        "date": "2020-04-03T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201104-043",
        "ident": null
      },
      {
        "date": "2011-11-28T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2011-003066",
        "ident": null
      },
      {
        "date": "2025-04-11T00:51:21.963000",
        "db": "NVD",
        "id": "CVE-2011-0997",
        "ident": null
      }
    ]
  },
  "threat_type": {
    "_id": null,
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "100160"
      },
      {
        "db": "PACKETSTORM",
        "id": "119354"
      },
      {
        "db": "PACKETSTORM",
        "id": "106987"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201104-043"
      }
    ],
    "trust": 0.9
  },
  "title": {
    "_id": null,
    "data": "ISC dhclient vulnerability",
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#107886"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "_id": null,
    "data": "input validation error",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201104-043"
      }
    ],
    "trust": 0.6
  }
}

VAR-200408-0174

Vulnerability from variot - Updated: 2025-04-03 22:09

Buffer overflow in the logging capability for the DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13 allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via multiple hostname options in (1) DISCOVER, (2) OFFER, (3) REQUEST, (4) ACK, or (5) NAK messages, which can generate a long string when writing to a log file. The Internet Systems Consortium's (ISC) Dynamic Host Configuration Protocol (DHCP) 3 application contains a buffer overflow vulnerability. Unspecified vulnerabilities exist in the Infoblox DNS One appliance and in products from multiple vendors. This issue exists in routines responsible for logging hostname options provided by DHCP clients. This issue is reported to affect ISC DHCPD versions 3.0.1rc12 and 3.0.1rc13. The vulnerable code exists in previous versions of ISC DHCPD 3, but is only believed to be exploitable in these two releases. ISC DHCPD uses syslog to record each transmitted DHCP packet: the client's DISCOVER and the resulting OFFER, REQUEST and ACK, as well as any NAK, are recorded. However, if non-ASCII or non-printable characters are provided, other checks and filters will be performed to prevent overflow. Carefully constructed and submitted data may execute arbitrary commands on the system with the rights of the DHCPD process.




TITLE: XEROX WorkCentre Products Multiple Vulnerabilities

SECUNIA ADVISORY ID: SA23265

VERIFY ADVISORY: http://secunia.com/advisories/23265/

CRITICAL: Moderately critical

IMPACT: Security Bypass, Manipulation of data, Exposure of system information, Exposure of sensitive information, DoS, System access

WHERE:

From local network

OPERATING SYSTEM: Xerox WorkCentre http://secunia.com/product/4746/ Xerox WorkCentre Pro http://secunia.com/product/4553/

DESCRIPTION: Some vulnerabilities and weaknesses have been reported in various XEROX WorkCentre products, which can be exploited by malicious people to bypass certain security restrictions, expose certain sensitive information, cause a DoS (Denial of Service), and compromise a vulnerable system.

1) Input passed to the TCP/IP hostname, the Scan-to-mailbox folder name field, and to the Microsoft Network configuration parameters in the Web User interface is not properly sanitised.

2) Certain browser settings may allow unauthorized access. Additionally, an unspecified vulnerability in the Web User Interface can be exploited to bypass the authentication.

3) The TFTP/BOOTP auto configuration can be exploited to manipulate certain configuration settings.

4) An unspecified error within the handling of email signatures can be exploited to display improper items.

5) Requests to web services can be made through HTTP instead of HTTPS. Other unspecified HTTP security issues and a httpd.conf misconfiguration are also reported.

6) An error within the Scan-to-mailbox feature can be exploited to anonymously download secure files. Additionally, it is possible to anonymously download audit log files.

7) The system fails to keep accurate time resulting in incorrect time stamps in audit logs.

8) The embedded Samba version contains various vulnerabilities. Additionally, the SMB "Homes" share is visible and it's possible to browse the file system via SMB.

9) The SNMP agent does not return errors for non-writable objects. Additionally, authentication failure traps can't be enabled or generated.

10) An error within ops3-dmn can be exploited to crash the service and cause a DoS by attaching a PS script.

11) It is possible to bypass the security restriction and boot Alchemy by e.g. using a USB thumb drive.

12) The "Validate Repository SSL Certificate" scan feature does not verify the FQDN.

13) Certain problems with the Immediate Image Overwrite and On Demand Image Overwrite, a Postgress port block, and a http TRACE XSS attack in the network controller are reported.

14) Two boundary errors within the embedded DHCP implementation can be exploited to cause a buffer overflow, which may allow execution of arbitrary code.

SOLUTION: Apply updated software (see vendor advisories for detailed instructions).

PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.

ORIGINAL ADVISORY: Xerox: http://www.xerox.com/downloads/usa/en/c/cert_XRX06_006_v1b.pdf http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf



           Technical Cyber Security Alert TA04-174A
            Multiple Vulnerabilities in ISC DHCP 3

Original release date: June 22, 2004
Last revised: --
Source: US-CERT

Systems Affected

 * ISC DHCP versions 3.0.1rc12 and 3.0.1rc13

Overview

Two vulnerabilities in the ISC DHCP allow a remote attacker to cause a denial of the DHCP service on a vulnerable system. It may be possible to exploit these vulnerabilities to execute arbitrary code on the system.

I. In transactions, ISC DHCPD logs every DHCP packet along with several pieces of descriptive information. The client's DISCOVER and the resulting OFFER, REQUEST, ACK, and NAKs are all logged. In all of these messages, if the client supplied a hostname, then it is also included in the logged line. These options are concatenated by the server. If the hostname and options contain only ASCII characters, then the string will pass non-ASCII character filters and be temporarily stored in 1024 byte fixed-length buffers on the stack. If a client supplies enough hostname options, it is possible to overflow the fixed-length buffer.

VU#654390 discusses C include files for systems that do not support the bounds checking vsnprintf() function. These files define the bounds checking vsnprintf() to the non-bounds checking vsprintf() function. Since vsprintf() is a function that does not check bounds, the size is discarded, creating the potential for a buffer overflow when client data is supplied. Note that the vsnprintf() statements are defined after the vulnerable code that is discussed in VU#317350. Since the preconditions for this vulnerability are similar to those required to exploit VU#317350, these buffer overflow conditions occur sequentially in the code after the buffer overflow vulnerability discussed in VU#317350, and these issues were discovered and resolved at the same time, there is no known exploit path to exploit these buffer overflow conditions caused by VU#654390. Note that VU#654390 was discovered and exploitable once VU#317350 was resolved. VU#317350 is exploitable for all operating systems and configurations. VU#654390 is only defined for the following operating systems:

 * AIX
 * AlphaOS
 * Cygwin32
 * HP-UX
 * Irix
 * Linux
 * NextStep
 * SCO
 * SunOS 4
 * SunOS 5.5
 * Ultrix

All versions of ISC DHCP 3, including all snapshots, betas, and release candidates, contain the flawed code.

US-CERT is tracking these issues as VU#317350, which has been assigned CVE CAN-2004-0460, and VU#654390, which has been assigned CVE CAN-2004-0461.

II.

III. Solution

Apply patches or upgrade

These issues have been resolved in ISC DHCP 3.0.1rc14. Your vendor may provide specific patches or updates. For vendor-specific information, please see your vendor's site, or look for your vendor information in VU#317350 and VU#654390. As vendors report new information to US-CERT, we will update the vulnerability notes.

Appendix B. References

 * http://www.isc.org/sw/dhcp/
 * http://www.kb.cert.org/vuls/id/317350
 * http://www.kb.cert.org/vuls/id/654390

US-CERT thanks Gregory Duchemin and Solar Designer for discovering, reporting, and resolving this vulnerability. Thanks also to David Hankins of ISC for notifying us of this vulnerability and the technical information provided to create this document.


Feedback can be directed to the author: Jason A. Rafail


The latest version of this document can be found at:

 <http://www.us-cert.gov/cas/techalerts/TA04-174A.html>

Copyright 2004 Carnegie Mellon University.

Terms of use:

 <http://www.us-cert.gov/legal.html>

Revision History

June 22, 2004: Initial release

This mail also includes a trace of such DHCP REQUEST.

Other .bss overflows related to vsnprintf and identified later during our investigations, as described in http://www.kb.cert.org/vuls/id/654390, can be triggered the exact same way. Note that the home-made tool I am referencing in this email will be made available very soon and already includes ISC, INFOBLOX and DLINK dhcp vulnerabilities. I will drop a note here when it is finally released.

Cheers,
Gregory

Special thanks to Solar Designer and David W.Hankins (ISC)

--- Original email ------

Summary:

I have discovered several stack-based overflows in your dhcp-3.0.1rc12 and rc13 (maybe others, I have not checked). These vulnerabilities can be easily triggered by crafting a dhcp discover or request packet which carries several hostname dhcp options that, once reassembled by the daemon (as explained in rfc 3396), overflow a stack-based variable, causing the daemon to crash. I believe that one might execute code remotely on the server with the same user account dhcpd is running with, root in most cases. I have been able at some points during the tests to control eip's 4 bytes (intel 32bits arch); it was during the ddns forward update operation. Note that all tests have been made on a linux 2.4.20-24.9 using a home-made tool to generate custom dhcp traffic.

Now an example:

see dhcpd.conf in attachment if you need it.

structure of an offending packet (case of a dhcp request based attack)

DHCP request from 0.0.0.0:68 (ff:ff:ff:ff:ff:ff) to 255.255.255.255:67 (ff:ff:ff:ff:ff:ff)

op : BOOT REQUEST (1) htype : Ethernet (10Mb) (1) hlen : 6 hops : 0 xid : 0x00000000 secs : 1 flags : UNICAST (0x0000) ciaddr : 0.0.0.0 yiaddr : 0.0.0.0 siaddr : 255.255.255.255 giaddr : 0.0.0.0 chaddr : ff:ff:ff:ff:ff:ff sname : file : cookie : 0x63825363 (RFC 1497/2132, BOOTP Vendor informations/DHCP options) DHCP option (053 [0x35]) : MESSAGE_TYPE : REQUEST BOOTP option (012 [0x0c]) : HOSTNAME : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA BOOTP option (012 [0x0c]) : HOSTNAME : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA BOOTP option (012 [0x0c]) : HOSTNAME : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA BOOTP option (012 [0x0c]) : HOSTNAME : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA BOOTP option (012 [0x0c]) : HOSTNAME : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA BOOTP option (012 [0x0c]) : HOSTNAME : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA BOOTP option (012 [0x0c]) : HOSTNAME : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA DHCP option (050 [0x32]) : REQUEST_IP : 192.168.0.99

sending this packet to the ptraced daemon (within gdb) gives:

(gdb) run -f -d The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /usr/sbin/dhcpd -f -d Internet Software Consortium DHCP Server V3.0.1rc13 Copyright 1995-2003 Internet Software Consortium. All rights reserved. For info, please visit http://www.isc.org/products/DHCP Wrote 0 deleted host decls to leases file. Wrote 0 new dynamic host decls to leases file. Wrote 0 leases to leases file. Listening on LPF/eth0/00:0d:88:b5:95:0c/192.168.0.0/24 Sending on LPF/eth0/00:0d:88:b5:95:0c/192.168.0.0/24 Sending on Socket/fallback/fallback-net Unable to add forward map from bobAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NANAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-1022AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8 860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-284AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108NANAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108NAN0X1.1E4600811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1. 
92E302E383631P-108NAN0X1.1E4600811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0X1.1DEF80811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108NAN0X1.1E4600811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0X1.1DEF80811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-0X1.FDE880811DEF8P+0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108NAN0X1.1E4600811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0X1.1DEF80811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-0X1.FDE880811DEF8P+0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-0X1.FDE2008071205P+0A.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108NAN0X1.1E4600811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0X1.1DEF80811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-0X 1.FDE880811DEF8P+0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-0X1.FDE2008071205P+0A.zob.com.0X1.

Program received signal SIGSEGV, Segmentation fault.
0x080add76 in hash_lookup (vp=0xbfffde24, table=0x38322d50, name=0x8149dac "\001\xff\xff\xff\xff\xff\xff", len=7, file=0x80bbe25 "mdb.c", line=1662) at hash.c:363
363 hashno = (*table -> do_hash) (name, len, table -> hash_count);
(gdb)

Backtracing the stack shows:

(gdb) bt
#0  0x080add76 in hash_lookup (vp=0xbfffde24, table=0x38322d50, name=0x8149dac "\001\xff\xff\xff\xff\xff\xff", len=7, file=0x80bbe25 "mdb.c", line=1662) at hash.c:363
#1  0x0806fb0a in lease_hash_lookup (ptr=0xbfffde24, table=0x38322d50, buf=0x8149dac "\001\xff\xff\xff\xff\xff\xff", len=7, file=0x80bbe25 "mdb.c", line=1662) at mdb.c:2055
#2  0x0806eb5b in find_lease_by_hw_addr (lp=0xbfffde24, hwaddr=0x8149dac "\001\xff\xff\xff\xff\xff\xff", hwlen=7, file=0x80bbe25 "mdb.c", line=1662) at mdb.c:1574
#3  0x0806ee5f in hw_hash_add (lease=0x8149d30) at mdb.c:1661
#4  0x0806d959 in supersede_lease (comp=0x8149d30, lease=0x811def8, commit=1, propogate=1, pimmediate=1) at mdb.c:969
#5  0x08050cb9 in ack_lease (packet=0x811d6e0, lease=0x8149d30, offer=5, when=0, msg=0xbfffdfd0 "DHCPREQUEST for 192.168.0.99 from ff:ff:ff:ff:ff:ff via eth0", ms_nulltp=0) at dhcp.c:2227
#6  0x0804d041 in dhcprequest (packet=0x811d6e0, ms_nulltp=0, ip_lease=0x0) at dhcp.c:662
#7  0x0804c37d in dhcp (packet=0x811d6e0) at dhcp.c:224
#8  0x08088d9a in do_packet (interface=0x811d568, packet=0xbfffe580, len=1430, from_port=17408, from= {len = 4, iabuf = '\0' }, hfrom=0xbffff5b0) at options.c:2237
#9  0x08096718 in got_one (h=0x811d568) at discover.c:785
#10 0x080a937e in omapi_one_dispatch (wo=0x0, t=0x0) at dispatch.c:418
#11 0x0807cce3 in dispatch () at dispatch.c:103
#12 0x0804add1 in main (argc=3, argv=0xbffff904, envp=0xbffff914) at dhcpd.c:614
#13 0x42015574 in __libc_start_main () from /lib/tls/libc.so.6
(gdb)

Note that the daemon may actually crash at a different location depending on the first corrupted structure it meets, and therefore on the size of the malicious option sent, along with the context (type of packet, leases in use, etc.).

Problems in the source: I have spent quite some time finding out where the overflow actually takes its roots; here are my findings:

file server/dhcp.c, function dhcprequest:

    char msgbuf [1024]; /* XXX */
    char *s;

....

    if (lease && lease -> client_hostname &&
        db_printable (lease -> client_hostname))
        s = lease -> client_hostname;
    else
        s = (char *)0;

......

    sprintf (msgbuf, "DHCPREQUEST for %s%s from %s %s%s%svia %s",
             piaddr (cip), smbuf,
             (packet -> raw -> htype
              ? print_hw_addr (packet -> raw -> htype,
                               packet -> raw -> hlen,
                               packet -> raw -> chaddr)
              : (lease
                 ? print_hex_1 (lease -> uid_len, lease -> uid, lease -> uid_len)
                 : "")),
             s ? "(" : "", s ? s : "", s ? ") " : "",
             packet -> raw -> giaddr.s_addr
             ? inet_ntoa (packet -> raw -> giaddr)
             : packet -> interface -> name);

To summarize, s is referencing the reassembled hostname option passed to the daemon, after which it is used as is in sprintf and stored in msgbuf (fixed size) without any length checking. The local msgbuf can obviously be overrun, corrupting various structures on the stack and eventually causing the server to crash. Note that the call to db_printable( ), filtering hostname, may render the task harder to root a server but likely not impossible. Also, being able to corrupt structures like lease or oc may have interesting side effects from an attacker's perspective.

void dhcprequest (packet, ms_nulltp, ip_lease)
    struct packet *packet;
    int ms_nulltp;
    struct lease *ip_lease;
{
    struct lease *lease;
    struct iaddr cip;
    struct iaddr sip;
    struct subnet *subnet;
    int ours = 0;
    struct option_cache *oc;
    struct data_string data;
    int status;
    char msgbuf [1024]; /* XXX */
    char *s;
    char smbuf [19];

....

The very same problem is present in dhcpdiscover( ), dhcpdecline( ), dhcprequest( ), dhcprelease( ), ... Please look at the diff in unified format, attached to this email, for a detailed list.
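
The bounded form of the logging call described above, as an added example that is not part of the original email or of the ISC DHCP source: the C sketch below reassembles a constructed options area in which the hostname is split across seven 150-byte option 12 instances (the RFC 3396 concatenation the email refers to), applies a stand-in for `db_printable()`, and formats the quoted log line with `snprintf` into the 1024-byte `msgbuf` so that truncation is reported rather than written past the buffer. All function and macro names, the simplified option parser, and the sample IP address and interface name are assumptions; `MSGBUF_SIZE` mirrors the `msgbuf [1024]` declaration in the email's excerpt.

```c
#include <stdio.h>
#include <string.h>

#define DHO_PAD        0
#define DHO_HOST_NAME  12    /* BOOTP option 012 (0x0c), as in the packet dump */
#define DHO_END        255
#define MSGBUF_SIZE    1024  /* size of msgbuf in dhcprequest(), per the analysis */
#define N_OPTS         7     /* constructed sample: seven HOSTNAME options ... */
#define OPT_LEN        150   /* ... of 150 'A' bytes each, as in the dump */
#define SAMPLE_LEN     (N_OPTS * (OPT_LEN + 2) + 1)

/* RFC 3396 reassembly: concatenate every instance of `code`, in order, into out.
 * Returns the reassembled length (out is NUL-terminated), or -1 if the area is
 * malformed or the value does not fit in out_cap - 1 bytes. */
static long concat_option(const unsigned char *opts, size_t opts_len,
                          unsigned char code, char *out, size_t out_cap)
{
    size_t i = 0, n = 0;
    if (out_cap == 0)
        return -1;
    while (i < opts_len) {
        unsigned char c = opts[i++];
        size_t len;
        if (c == DHO_PAD)
            continue;
        if (c == DHO_END)
            break;
        if (i >= opts_len)
            return -1;                  /* missing length byte */
        len = opts[i++];
        if (len > opts_len - i)
            return -1;                  /* value runs past the options area */
        if (c == code) {
            if (len > out_cap - 1 - n)
                return -1;              /* reassembled value too long: reject */
            memcpy(out + n, opts + i, len);
            n += len;
        }
        i += len;
    }
    out[n] = '\0';
    return (long)n;
}

/* Bounded form of the logging call quoted above (snprintf in place of sprintf).
 * Writes at most cap bytes; returns the length the complete line needs, so the
 * line was truncated iff the result is >= cap. */
static int format_request_log(char *msgbuf, size_t cap, const char *cip,
                              const char *hostname, const char *ifname)
{
    return snprintf(msgbuf, cap, "DHCPREQUEST for %s %s%s%svia %s", cip,
                    hostname ? "(" : "", hostname ? hostname : "",
                    hostname ? ") " : "", ifname);
}

/* Stand-in for db_printable() (assumption): accept printable ASCII only. */
static int is_printable(const char *s)
{
    for (; *s != '\0'; s++)
        if (*s < 0x20 || *s > 0x7e)
            return 0;
    return 1;
}

/* Constructed sample: n_opts HOSTNAME options (<= N_OPTS) of OPT_LEN 'A' bytes, then END. */
static void build_options(unsigned char *opts, size_t n_opts)
{
    size_t i, pos = 0;
    for (i = 0; i < n_opts; i++) {
        opts[pos++] = DHO_HOST_NAME;
        opts[pos++] = OPT_LEN;
        memset(opts + pos, 'A', OPT_LEN);
        pos += OPT_LEN;
    }
    opts[pos] = DHO_END;
}

/* Reassembled hostname length of the first opts_len sample bytes, or -1. */
long sample_len(size_t n_opts, size_t opts_len, size_t out_cap)
{
    unsigned char opts[SAMPLE_LEN];
    char hostname[2048];
    if (n_opts > N_OPTS || opts_len > sizeof opts || out_cap > sizeof hostname)
        return -1;
    build_options(opts, n_opts);
    return concat_option(opts, opts_len, DHO_HOST_NAME, hostname, out_cap);
}

/* Demo driver (names are illustrative): reassemble the first opts_len bytes of the
 * n_opts-option sample, apply the printable filter and log into a cap-byte msgbuf.
 * Returns -1 if the options area is malformed, else the length the complete line
 * needs (snprintf's return value): the line was truncated iff that is >= cap. */
long sample_log_len(size_t n_opts, size_t opts_len, size_t cap)
{
    unsigned char opts[SAMPLE_LEN];
    char hostname[2048], msgbuf[2048];
    if (n_opts > N_OPTS || opts_len > sizeof opts || cap > sizeof msgbuf)
        return -1;
    build_options(opts, n_opts);
    if (concat_option(opts, opts_len, DHO_HOST_NAME, hostname, sizeof hostname) < 0)
        return -1;
    return format_request_log(msgbuf, cap, "192.168.0.99",
                              is_printable(hostname) ? hostname : NULL, "eth0");
}

int main(void)
{
    return printf("len=%ld\n", sample_log_len(N_OPTS, SAMPLE_LEN, MSGBUF_SIZE)) < 0;
}
```
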


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-200408-0174",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": null,
        "scope": null,
        "trust": 1.6,
        "vendor": "fedora",
        "version": null
      },
      {
        "model": null,
        "scope": null,
        "trust": 1.6,
        "vendor": "infoblox",
        "version": null
      },
      {
        "model": null,
        "scope": null,
        "trust": 1.6,
        "vendor": "mandrakesoft",
        "version": null
      },
      {
        "model": null,
        "scope": null,
        "trust": 1.6,
        "vendor": "suse",
        "version": null
      },
      {
        "model": "mandrake linux",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "mandrakesoft",
        "version": "9.2"
      },
      {
        "model": "mandrake linux",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "mandrakesoft",
        "version": "9.1"
      },
      {
        "model": "mandrake linux",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "mandrakesoft",
        "version": "9.0"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "suse",
        "version": "8.1"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "suse",
        "version": "8.0"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "suse",
        "version": "7"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "suse",
        "version": "9.0"
      },
      {
        "model": "linux firewall cd",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "suse",
        "version": "*"
      },
      {
        "model": "dns one appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "infoblox",
        "version": "2.4.0.8"
      },
      {
        "model": "linux connectivity server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "suse",
        "version": "*"
      },
      {
        "model": "mandrake linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "mandrakesoft",
        "version": "10.0"
      },
      {
        "model": "fedora core",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "redhat",
        "version": "core_2.0"
      },
      {
        "model": "dns one appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "infoblox",
        "version": "2.3.1_r5"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "suse",
        "version": "8.2"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "suse",
        "version": "9.1"
      },
      {
        "model": "linux database server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "suse",
        "version": "*"
      },
      {
        "model": "dhcpd",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "isc",
        "version": "3.0.1"
      },
      {
        "model": "dns one appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "infoblox",
        "version": "2.4.0.8a"
      },
      {
        "model": "linux admin-cd for firewall",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "suse",
        "version": "*"
      },
      {
        "model": "email server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "suse",
        "version": "iii"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "suse",
        "version": "8"
      },
      {
        "model": "linux office server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "suse",
        "version": "*"
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "isc",
        "version": null
      },
      {
        "model": "email server",
        "scope": null,
        "trust": 0.8,
        "vendor": "suse",
        "version": null
      },
      {
        "model": "linux database server",
        "scope": null,
        "trust": 0.8,
        "vendor": "suse",
        "version": null
      },
      {
        "model": "linux firewall cd",
        "scope": null,
        "trust": 0.8,
        "vendor": "suse",
        "version": null
      },
      {
        "model": "linux admin-cd for firewall",
        "scope": null,
        "trust": 0.8,
        "vendor": "suse",
        "version": null
      },
      {
        "model": "dhcpd",
        "scope": null,
        "trust": 0.8,
        "vendor": "isc",
        "version": null
      },
      {
        "model": "dns one appliance",
        "scope": null,
        "trust": 0.8,
        "vendor": "infoblox",
        "version": null
      },
      {
        "model": "mandrake linux",
        "scope": null,
        "trust": 0.8,
        "vendor": "mandrakesoft",
        "version": null
      },
      {
        "model": "fedora core",
        "scope": null,
        "trust": 0.8,
        "vendor": "\u30ec\u30c3\u30c9\u30cf\u30c3\u30c8",
        "version": null
      },
      {
        "model": "linux office server",
        "scope": null,
        "trust": 0.8,
        "vendor": "suse",
        "version": null
      },
      {
        "model": "linux",
        "scope": null,
        "trust": 0.8,
        "vendor": "suse",
        "version": null
      },
      {
        "model": "linux connectivity server",
        "scope": null,
        "trust": 0.8,
        "vendor": "suse",
        "version": null
      },
      {
        "model": "linux enterprise server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "suse",
        "version": "8"
      },
      {
        "model": "linux enterprise server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "suse",
        "version": "7"
      },
      {
        "model": "linux i386",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "suse",
        "version": "8.0"
      },
      {
        "model": "suse email server iii",
        "scope": null,
        "trust": 0.3,
        "vendor": "s u s e",
        "version": null
      },
      {
        "model": "linux personal",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "s u s e",
        "version": "9.1"
      },
      {
        "model": "linux personal x86 64",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "s u s e",
        "version": "9.0"
      },
      {
        "model": "linux personal",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "s u s e",
        "version": "9.0"
      },
      {
        "model": "linux personal",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "s u s e",
        "version": "8.2"
      },
      {
        "model": "linux office server",
        "scope": null,
        "trust": 0.3,
        "vendor": "s u s e",
        "version": null
      },
      {
        "model": "linux firewall on cd",
        "scope": null,
        "trust": 0.3,
        "vendor": "s u s e",
        "version": null
      },
      {
        "model": "linux database server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "s u s e",
        "version": "0"
      },
      {
        "model": "linux connectivity server",
        "scope": null,
        "trust": 0.3,
        "vendor": "s u s e",
        "version": null
      },
      {
        "model": "linux admin-cd for firewall",
        "scope": null,
        "trust": 0.3,
        "vendor": "s u s e",
        "version": null
      },
      {
        "model": "fedora core2",
        "scope": null,
        "trust": 0.3,
        "vendor": "redhat",
        "version": null
      },
      {
        "model": "linux mandrake amd64",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "mandriva",
        "version": "10.0"
      },
      {
        "model": "linux mandrake",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "mandriva",
        "version": "10.0"
      },
      {
        "model": "linux mandrake amd64",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "mandriva",
        "version": "9.2"
      },
      {
        "model": "linux mandrake",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "mandriva",
        "version": "9.2"
      },
      {
        "model": "linux mandrake ppc",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "mandriva",
        "version": "9.1"
      },
      {
        "model": "linux mandrake",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "mandriva",
        "version": "9.1"
      },
      {
        "model": "linux mandrake",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "mandriva",
        "version": "9.0"
      },
      {
        "model": "dhcpd rc13",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "isc",
        "version": "3.0.1"
      },
      {
        "model": "dhcpd rc12",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "isc",
        "version": "3.0.1"
      },
      {
        "model": "dns one appliance .0-8a",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "infoblox",
        "version": "2.4"
      },
      {
        "model": "dns one appliance",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "infoblox",
        "version": "2.4.0-8"
      },
      {
        "model": "dns one appliance -r5",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "infoblox",
        "version": "2.3.1"
      },
      {
        "model": "dhcpd rc14",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "isc",
        "version": "3.0.1"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#317350"
      },
      {
        "db": "CERT/CC",
        "id": "VU#654390"
      },
      {
        "db": "BID",
        "id": "10590"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2004-000898"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200408-115"
      },
      {
        "db": "NVD",
        "id": "CVE-2004-0460"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Gregory Duchemin\u203b c3rb3r@hotmail.com\u203bSolar Designer\u203b solar@openwall.com",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200408-115"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2004-0460",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CVE-2004-0460",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 1.8,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "VHN-8890",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2004-0460",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "CARNEGIE MELLON",
            "id": "VU#317350",
            "trust": 0.8,
            "value": "25.52"
          },
          {
            "author": "CARNEGIE MELLON",
            "id": "VU#654390",
            "trust": 0.8,
            "value": "14.21"
          },
          {
            "author": "NVD",
            "id": "CVE-2004-0460",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-200408-115",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULHUB",
            "id": "VHN-8890",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#317350"
      },
      {
        "db": "CERT/CC",
        "id": "VU#654390"
      },
      {
        "db": "VULHUB",
        "id": "VHN-8890"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2004-000898"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200408-115"
      },
      {
        "db": "NVD",
        "id": "CVE-2004-0460"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Buffer overflow in the logging capability for the DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13 allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via multiple hostname options in (1) DISCOVER, (2) OFFER, (3) REQUEST, (4) ACK, or (5) NAK messages, which can generate a long string when writing to a log file. The Internet Systems Consortium\u0027s (ISC) Dynamic Host Configuration Protocol (DHCP) 3 application contains a buffer overflow vulnerability. Infoblox of dns one appliance Unspecified vulnerabilities exist in products from multiple vendors.None.  This issue exists in routines responsible for logging hostname options provided by DHCP clients. \nThis issue is reported to affect ISC DHCPD versions 3.0.1rc12 and 3.0.1rc13.  The vulnerable code exists in previous versions of ISC DHCPD 3, but is only believed to be exploitable in these two releases. ISC DHCPD uses syslog to record each transmitted DHCP packet, client\u0027s DISCOVER and result OFFER, REQUEST and ACK, and any NAK will be recorded. middle. However, if non-ACSII or non-printable characters are provided, other checks and filters will be performed to prevent overflow. Carefully constructed and submitted data may execute arbitrary commands on the system with the rights of the DHCPD process. \n\n----------------------------------------------------------------------\n\nSecunia is proud to announce the availability of the Secunia Software\nInspector. \n\nThe Secunia Software Inspector is a free service that detects insecure\nversions of software that you may have installed in your system. When\ninsecure versions are detected, the Secunia Software Inspector also\nprovides thorough guidelines for updating the software to the latest\nsecure version from the vendor. 
\n\nTry it out online:\nhttp://secunia.com/software_inspector/\n\n----------------------------------------------------------------------\n\nTITLE:\nXEROX WorkCentre Products Multiple Vulnerabilities\n\nSECUNIA ADVISORY ID:\nSA23265\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/23265/\n\nCRITICAL:\nModerately critical\n\nIMPACT:\nSecurity Bypass, Manipulation of data, Exposure of system\ninformation, Exposure of sensitive information, DoS, System access\n\nWHERE:\n\u003eFrom local network\n\nOPERATING SYSTEM:\nXerox WorkCentre\nhttp://secunia.com/product/4746/\nXerox WorkCentre Pro\nhttp://secunia.com/product/4553/\n\nDESCRIPTION:\nSome vulnerabilities and weaknesses have been reported in various\nXEROX WorkCentre products, which can be exploited by malicious people\nto bypass certain security restrictions, expose certain sensitive\ninformation, cause a DoS (Denial of Service), and compromise a\nvulnerable system. \n\n1) Input passed to the TCP/IP hostname, the Scan-to-mailbox folder\nname field, and to the Microsoft Network configuration parameters in\nthe Web User interface is not properly sanitised. \n\n2) Certain browser settings may allow unauthorized access. \nAdditionally, an unspecified vulnerability in the Web User Interface\ncan be exploited to bypass the authentication. \n\n3) The TFTP/BOOTP auto configuration can be exploited to manipulate\ncertain configuration settings. \n\n4) An unspecified error within the handling of email signatures can\nbe exploited to display improper items. \n\n5) Requests to web services can be made through HTTP instead of\nHTTPS. Other unspecified HTTP security issues and a httpd.conf\nmisconfiguration are also reported. \n\n6) An error within the Scan-to-mailbox feature can be exploited to\nanonymously download secure files. Additionally, it is possible to\nanonymously download audit log files. \n\n7) The system fails to keep accurate time resulting in incorrect time\nstamps in audit logs. 
\n\n8) The embedded Samba version contains various vulnerabilities. \nAdditionally, the SMB \"Homes\" share is visible and it\u0027s possible to\nbrowse the file system via SMB. \n\n9) The SNMP agent does not return errors for non-writable objects. \nAdditionally, authentication failure traps can\u0027t be enabled or\ngenerated. \n\n10) An error within ops3-dmn can be exploited to crash the service\nand cause a DoS by attaching a PS script. \n\n11) It is possible to bypass the security restriction and boot\nAlchemy by e.g. using an USB thumb drive. \n\n12) The \"Validate Repository SSL Certificate\" scan feature does not\nverify the FQDN. \n\n13) Certain problems with the Immediate Image Overwrite and On Demand\nImage Overwrite, a Postgress port block, and a http TRACE XSS attack\nin the network controller are reported. \n\n14) Two boundary errors within the embedded DHCP implementation can\nbe exploited to cause a buffer overflow, which may allow execution of\narbitrary code. \n\nSOLUTION:\nApply updated software (see vendor advisories for detailed\ninstructions). \n\nPROVIDED AND/OR DISCOVERED BY:\nReported by the vendor. \n\nORIGINAL ADVISORY:\nXerox:\nhttp://www.xerox.com/downloads/usa/en/c/cert_XRX06_006_v1b.pdf\nhttp://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. 
\n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n. \n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n\n               Technical Cyber Security Alert TA04-174A\n                Multiple Vulnerabilities in ISC DHCP 3\n\n   Original release date: June 22, 2004\n   Last revised: --\n   Source: US-CERT\n\nSystems Affected\n\n     * ISC DHCP versions 3.0.1rc12 and 3.0.1rc13\n\nOverview\n\n   Two vulnerabilities in the ISC DHCP allow a remote attacker to cause a\n   denial of the DHCP service on a vulnerable system. It may be possible\n   to exploit these vulnerabilities to execute arbitrary code on the\n   system. \n\nI. In transactions, ISC DHCPD logs every DHCP\n   packet along with several pieces of descriptive information. The\n   client\u0027s DISCOVER and the resulting OFFER, REQUEST, ACK, and NAKs are\n   all logged. In all of these messages, if the client supplied a\n   hostname, then it is also included in the logged line. These options are concatenated by the\n   server. If the hostname and options contain only ASCII characters,\n   then the string will pass non-ASCII character filters and be\n   temporarily stored in 1024 byte fixed-length buffers on the stack. If\n   a client supplies enough hostname options, it is possible to overflow\n   the fixed-length buffer. \n\n   VU#654390 discusses C include files for systems that do not support\n   the bounds checking vsnprintf() function. These files define the\n   bounds checking vsnprintf() to the non-bounds checking vsprintf()\n   function. Since vsprintf() is a function that does not check bounds,\n   the size is discarded, creating the potential for a buffer overflow\n   when client data is supplied. 
Note that the vsnprintf() statements are\n   defined after the vulnerable code that is discussed in VU#317350. \n   Since the preconditions for this vulnerability are similar to those\n   required to exploit VU#317350, these buffer overflow conditions occur\n   sequentially in the code after the buffer overflow vulnerability\n   discussed in VU#317350, and these issues were discovered and resolved\n   at the same time, there is no known exploit path to exploit these\n   buffer overflow conditions caused by VU#654390. Note that VU#654390\n   was discovered and exploitable once VU#317350 was resolved. VU#317350 is exploitable for\n   all operating systems and configurations. VU#654390 is only defined\n   for the following operating systems:\n\n     * AIX\n     * AlphaOS\n     * Cygwin32\n     * HP-UX\n     * Irix\n     * Linux\n     * NextStep\n     * SCO\n     * SunOS 4\n     * SunOS 5.5\n     * Ultrix\n\n   All versions of ISC DCHP 3, including all snapshots, betas, and\n   release candidates, contain the flawed code. \n\n   US-CERT is tracking these issues as VU#317350, which has been assigned\n   CVE CAN-2004-0460, and VU#654390, which has been assigned CVE\n   CAN-2004-0461. \n\nII. \n\nIII. Solution\n\n   Apply patches or upgrade\n\n   These issues have been resolved in ISC DHCP 3.0.1rc14. Your vendor may\n   provide specific patches or updates. For vendor-specific information,\n   please see your vendor\u0027s site, or look for your vendor infomation in\n   VU#317350 and VU#654390. As vendors report new information to US-CERT,\n   we will update the vulnerability notes. \n\nAppendix B. References\n\n     * http://www.isc.org/sw/dhcp/\n     * http://www.kb.cert.org/vuls/id/317350\n     * http://www.kb.cert.org/vuls/id/654390\n   _________________________________________________________________\n\n   US-CERT thanks Gregory Duchemin and Solar Designer for discovering,\n   reporting, and resolving this vulnerability. 
Thanks also to David\n   Hankins of ISC for notifying us of this vulnerability and the\n   technical information provided to create this document. \n  _________________________________________________________________\n\n   Feedback can be directed to the author: Jason A. Rafail\n  _________________________________________________________________\n\n   The latest version of this document can be found at:\n     \n     \u003chttp://www.us-cert.gov/cas/techalerts/TA04-174A.html\u003e\n  _________________________________________________________________\n     \n   Copyright 2004 Carnegie Mellon University. \n     \n   Terms of use:\n     \n     \u003chttp://www.us-cert.gov/legal.html\u003e\n   \n  _________________________________________________________________\n\n   Revision History\n\n   June 22, 2004: Initial release\n\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.2.1 (GNU/Linux)\n\niD8DBQFA2HFSXlvNRxAkFWARArH4AKDtUECQTE5HXmvsDQkwcWn9r7uAowCdGTHq\nAqWt3CgdEPJcIFDbJlIWQHo=\n=HSxN\n-----END PGP SIGNATURE-----\n. \nThis mail also includes a trace of such DHCP REQUEST. \n\nOther .bss overflows related to vsnprintf and identified later during \nour investigations as described in:\nhttp://www.kb.cert.org/vuls/id/654390\ncan be triggered the exact same way. \nNote that the home made tool i am referencing in this email will be made \navailable very soon and already includes ISC, INFOBLOX and DLINK dhcp \nvulnerabilities\nI will drop a note here when it is finally released. 
\ncheers,\nGregory\n\nSpecial thanks to Solar Designer and David W.Hankins (ISC)\n\n\n--- Original email ------\n\nSummary:\n\ni have discovered several stack based overflow in your dhcp-3.0.1rc12 \nand rc13 (may be others, have not checked)\nthese vulnerabilities can be easily triggered by crafting a dhcp \ndiscover or request packet which carries several  hostname dhcp options that\n,once reassembled by the daemon (as explained in rfc 3396), overflow a \nstack based variable causing the daemon to crash. \nI believe than one might execute code remotely on the server with the \nsame user account dhcpd is running with, root in most cases. \nI have been able at some points during the tests, to control eip\u0027 4 \nbytes (intel 32bits arch), it was during the ddns forward update operation. \nNote that all tests have been made on a linux 2.4.20-24.9 using a home \nmade tool to generate custom dhcp traffic\n\nNow an example:\n\nsee dhcpd.conf in attachment if you need it. \n\nstructure of an offending packet (case of a dhcp request based attack)\n\n \u003e\u003e DHCP  request\n \u003e\u003e from 0.0.0.0:68 (ff:ff:ff:ff:ff:ff) to 255.255.255.255:67 \n(ff:ff:ff:ff:ff:ff)\n\n \u003e\u003e op     : BOOT REQUEST (1)\n \u003e\u003e htype  : Ethernet (10Mb) (1)\n \u003e\u003e hlen   : 6\n \u003e\u003e hops   : 0\n \u003e\u003e xid    : 0x00000000\n \u003e\u003e secs   : 1\n \u003e\u003e flags  : UNICAST (0x0000)\n \u003e\u003e ciaddr : 0.0.0.0\n \u003e\u003e yiaddr : 0.0.0.0\n \u003e\u003e siaddr : 255.255.255.255\n \u003e\u003e giaddr : 0.0.0.0\n \u003e\u003e chaddr : ff:ff:ff:ff:ff:ff\n \u003e\u003e sname  :\n \u003e\u003e file   :\n \u003e\u003e cookie : 0x63825363 (RFC 1497/2132, BOOTP Vendor informations/DHCP \noptions)\n \u003e\u003e DHCP  option  (053 [0x35]) : MESSAGE_TYPE : REQUEST\n \u003e\u003e BOOTP option  (012 [0x0c]) : HOSTNAME : 
\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n \u003e\u003e BOOTP option  (012 [0x0c]) : HOSTNAME : \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n \u003e\u003e BOOTP option  (012 [0x0c]) : HOSTNAME : \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n \u003e\u003e BOOTP option  (012 [0x0c]) : HOSTNAME : \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n \u003e\u003e BOOTP option  (012 [0x0c]) : HOSTNAME : \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n \u003e\u003e BOOTP option  (012 [0x0c]) : HOSTNAME : \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n \u003e\u003e BOOTP option  (012 [0x0c]) : HOSTNAME : \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n \u003e\u003e DHCP  option  (050 [0x32]) : REQUEST_IP : 192.168.0.99\n \nsending this packet to the ptraced daemon  (within gdb) gives:\n\n(gdb) run -f -d\nThe program being debugged has been started already. \nStart it from the beginning? (y or n) y\nStarting program: /usr/sbin/dhcpd -f -d\nInternet Software Consortium DHCP Server V3.0.1rc13\nCopyright 1995-2003 Internet Software Consortium. \nAll rights reserved. \nFor info, please visit http://www.isc.org/products/DHCP\nWrote 0 deleted host decls to leases file. \nWrote 0 new dynamic host decls to leases file. 
\nWrote 0 leases to leases file. \nListening on LPF/eth0/00:0d:88:b5:95:0c/192.168.0.0/24\nSending on   LPF/eth0/00:0d:88:b5:95:0c/192.168.0.0/24\nSending on   Socket/fallback/fallback-net\nUnable to add forward map from \nbobAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NANAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-1022AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8 \n860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-284AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108NANAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108NAN0X1.1E4600811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1. 
\n92E302E383631P-108NAN0X1.1E4600811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0X1.1DEF80811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108NAN0X1.1E4600811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0X1.1DEF80811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-0X1.FDE880811DEF8P+0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108NAN0X1.1E4600811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0X1.1DEF80811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-0X1.FDE880811DEF8P+0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-0X1.FDE2008071205P+0A.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108NAN0X1.1E4600811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0X1.1DEF80811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-0X \n1.FDE880811DEF8P+0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-0X1.FDE2008071205P+0A.zob.com.0X1. \n\nProgram received signal SIGSEGV, Segmentation fault. 
\n0x080add76 in hash_lookup (vp=0xbfffde24, table=0x38322d50, \nname=0x8149dac \"\\001\\xff\\xff\\xff\\xff\\xff\\xff\", len=7, file=0x80bbe25 \"mdb.c\", line=1662)\n    at hash.c:363\n363             hashno = (*table -\u003e do_hash) (name, len, table -\u003e \nhash_count);\n(gdb)\n \n\nbacktracing stack show:\n\n(gdb) bt\n#0  0x080add76 in hash_lookup (vp=0xbfffde24, table=0x38322d50, \nname=0x8149dac \"\\001\\xff\\xff\\xff\\xff\\xff\\xff\", len=7, file=0x80bbe25 \"mdb.c\", line=1662)\n    at hash.c:363\n#1  0x0806fb0a in lease_hash_lookup (ptr=0xbfffde24, table=0x38322d50, \nbuf=0x8149dac \"\\001\\xff\\xff\\xff\\xff\\xff\\xff\", len=7, file=0x80bbe25 \"mdb.c\", line=1662)\n    at mdb.c:2055\n#2  0x0806eb5b in find_lease_by_hw_addr (lp=0xbfffde24, hwaddr=0x8149dac \n\"\\001\\xff\\xff\\xff\\xff\\xff\\xff\", hwlen=7, file=0x80bbe25 \"mdb.c\", line=1662)\n    at mdb.c:1574\n#3  0x0806ee5f in hw_hash_add (lease=0x8149d30) at mdb.c:1661\n#4  0x0806d959 in supersede_lease (comp=0x8149d30, lease=0x811def8, \ncommit=1, propogate=1, pimmediate=1) at mdb.c:969\n#5  0x08050cb9 in ack_lease (packet=0x811d6e0, lease=0x8149d30, offer=5, \nwhen=0,\n    msg=0xbfffdfd0 \"DHCPREQUEST for 192.168.0.99 from ff:ff:ff:ff:ff:ff \nvia eth0\", ms_nulltp=0) at dhcp.c:2227\n#6  0x0804d041 in dhcprequest (packet=0x811d6e0, ms_nulltp=0, \nip_lease=0x0) at dhcp.c:662\n#7  0x0804c37d in dhcp (packet=0x811d6e0) at dhcp.c:224\n#8  0x08088d9a in do_packet (interface=0x811d568, packet=0xbfffe580, \nlen=1430, from_port=17408, from=\n      {len = 4, iabuf = \u0027\\0\u0027 \u003crepeats 15 times\u003e}, hfrom=0xbffff5b0) at \noptions.c:2237\n#9  0x08096718 in got_one (h=0x811d568) at discover.c:785\n#10 0x080a937e in omapi_one_dispatch (wo=0x0, t=0x0) at dispatch.c:418\n#11 0x0807cce3 in dispatch () at dispatch.c:103\n#12 0x0804add1 in main (argc=3, argv=0xbffff904, envp=0xbffff914) at \ndhcpd.c:614\n#13 0x42015574 in __libc_start_main () from /lib/tls/libc.so.6\n(gdb)\n\nNote that the daemon may 
actually crash at a different location \ndepending of the first corrupted structure it meets and therefore,\nof the size of the malicious option sent, along with the context (type \nof packet, leases in use etc...)\n\n\nProblems in the source:\nI have spent quite some time to find out where the overflow actually \ntakes its roots, here are my findings:\n\nfile server/dhcp.c:\nfunction dhcprequest :\n\n        char msgbuf [1024]; /* XXX */\n        char *s;\n\n.... \n\n  if (lease \u0026\u0026 lease -\u003e client_hostname \u0026\u0026\n            db_printable (lease -\u003e client_hostname))\n                s = lease -\u003e client_hostname;\n        else\n                s = (char *)0;\n\n\n...... \n\n  sprintf (msgbuf, \"DHCPREQUEST for %s%s from %s %s%s%svia %s\",\n                 piaddr (cip), smbuf,\n                 (packet -\u003e raw -\u003e htype\n                  ? print_hw_addr (packet -\u003e raw -\u003e htype,\n                                   packet -\u003e raw -\u003e hlen,\n                                   packet -\u003e raw -\u003e chaddr)\n                  : (lease\n                     ? print_hex_1 (lease -\u003e uid_len, lease -\u003e uid,\n                                    lease -\u003e uid_len)\n                     : \"\u003cno identifier\u003e\")),\n                 s ? \"(\" : \"\", s ? s : \"\", s ? \") \" : \"\",\n                  packet -\u003e raw -\u003e giaddr.s_addr\n                  ? inet_ntoa (packet -\u003e raw -\u003e giaddr)\n                  : packet -\u003e interface -\u003e name);\n\n\nTo summarize, s is referencing the reassembled hostname option passed to \nthe daemon, afterwhat it is used as is in sprintf and stored in msgbuf \n(fixed size) without any length checking. 
\nlocal msgbuf can obviously be overrun, corrupting various structures in \nstack and eventually causing the server to crash\nNote that the call to db_printable( ), filtering hostname,  may render \nthe task harder to root a server but likely not impossible. \nAlso being able to corrupt structures like *lease or *oc may have \ninteresting side effects from an attacker perspective. \n\nvoid dhcprequest (packet, ms_nulltp, ip_lease)\n        struct packet *packet;\n        int ms_nulltp;\n        struct lease *ip_lease;\n{\n        struct lease *lease;\n        struct iaddr cip;\n        struct iaddr sip;\n        struct subnet *subnet;\n        int ours = 0;\n        struct option_cache *oc;\n        struct data_string data;\n        int status;\n        char msgbuf [1024]; /* XXX */\n        char *s;\n        char smbuf [19];\n\n.... \n\nthe very same problem is present in dhcpdiscover( ),  dhcpdecline( ),  \ndhcprequest(  ) , dhcprelease( ), ... \nplease look at the diff in unified format, attached to this email, for a \ndetailed list",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2004-0460"
      },
      {
        "db": "CERT/CC",
        "id": "VU#317350"
      },
      {
        "db": "CERT/CC",
        "id": "VU#654390"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2004-000898"
      },
      {
        "db": "BID",
        "id": "10590"
      },
      {
        "db": "VULHUB",
        "id": "VHN-8890"
      },
      {
        "db": "PACKETSTORM",
        "id": "52810"
      },
      {
        "db": "PACKETSTORM",
        "id": "33622"
      },
      {
        "db": "PACKETSTORM",
        "id": "33664"
      }
    ],
    "trust": 3.69
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2004-0460",
        "trust": 3.6
      },
      {
        "db": "CERT/CC",
        "id": "VU#317350",
        "trust": 3.5
      },
      {
        "db": "USCERT",
        "id": "TA04-174A",
        "trust": 2.9
      },
      {
        "db": "BID",
        "id": "10590",
        "trust": 2.8
      },
      {
        "db": "SECUNIA",
        "id": "23265",
        "trust": 2.6
      },
      {
        "db": "CERT/CC",
        "id": "VU#654390",
        "trust": 1.0
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2004-000898",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200408-115",
        "trust": 0.7
      },
      {
        "db": "XF",
        "id": "16475",
        "trust": 0.6
      },
      {
        "db": "SUSE",
        "id": "SUSE-SA:2004:019",
        "trust": 0.6
      },
      {
        "db": "BUGTRAQ",
        "id": "20040708 [OPENPKG-SA-2004.031] OPENPKG SECURITY ADVISORY (DHCPD)",
        "trust": 0.6
      },
      {
        "db": "BUGTRAQ",
        "id": "20040622 DHCP VULN // NO CODE 0DAY //",
        "trust": 0.6
      },
      {
        "db": "BUGTRAQ",
        "id": "20040628 ISC DHCP OVERFLOWS",
        "trust": 0.6
      },
      {
        "db": "CERT/CC",
        "id": "TA04-174A",
        "trust": 0.6
      },
      {
        "db": "MANDRAKE",
        "id": "MDKSA-2004:061",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-8890",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "52810",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "33622",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "33664",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#317350"
      },
      {
        "db": "CERT/CC",
        "id": "VU#654390"
      },
      {
        "db": "VULHUB",
        "id": "VHN-8890"
      },
      {
        "db": "BID",
        "id": "10590"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2004-000898"
      },
      {
        "db": "PACKETSTORM",
        "id": "52810"
      },
      {
        "db": "PACKETSTORM",
        "id": "33622"
      },
      {
        "db": "PACKETSTORM",
        "id": "33664"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200408-115"
      },
      {
        "db": "NVD",
        "id": "CVE-2004-0460"
      }
    ]
  },
  "id": "VAR-200408-0174",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-8890"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2025-04-03T22:09:54.156000Z",
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "NVD-CWE-Other",
        "trust": 1.0
      },
      {
        "problemtype": "others (CWE-Other) [NVD evaluation ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2004-000898"
      },
      {
        "db": "NVD",
        "id": "CVE-2004-0460"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.8,
        "url": "http://www.us-cert.gov/cas/techalerts/ta04-174a.html"
      },
      {
        "trust": 2.7,
        "url": "http://www.kb.cert.org/vuls/id/317350"
      },
      {
        "trust": 2.5,
        "url": "http://www.securityfocus.com/bid/10590"
      },
      {
        "trust": 2.5,
        "url": "http://www.mandriva.com/security/advisories?name=mdksa-2004:061"
      },
      {
        "trust": 2.5,
        "url": "http://secunia.com/advisories/23265"
      },
      {
        "trust": 1.9,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16475"
      },
      {
        "trust": 1.8,
        "url": "http://www.xerox.com/downloads/usa/en/c/cert_xrx06_004_v11.pdf"
      },
      {
        "trust": 1.8,
        "url": "http://marc.info/?l=bugtraq\u0026m=108795911203342\u0026w=2"
      },
      {
        "trust": 1.8,
        "url": "http://marc.info/?l=bugtraq\u0026m=108843959502356\u0026w=2"
      },
      {
        "trust": 1.8,
        "url": "http://marc.info/?l=bugtraq\u0026m=108938625206063\u0026w=2"
      },
      {
        "trust": 1.7,
        "url": "http://www.novell.com/linux/security/advisories/2004_19_dhcp_server.html"
      },
      {
        "trust": 1.6,
        "url": "about vulnerability notes"
      },
      {
        "trust": 1.6,
        "url": "contact us about this vulnerability"
      },
      {
        "trust": 1.6,
        "url": "provide a vendor statement"
      },
      {
        "trust": 0.8,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2004-0460"
      },
      {
        "trust": 0.6,
        "url": "http://xforce.iss.net/xforce/xfdb/16475"
      },
      {
        "trust": 0.6,
        "url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=108843959502356\u0026w=2"
      },
      {
        "trust": 0.6,
        "url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=108938625206063\u0026w=2"
      },
      {
        "trust": 0.6,
        "url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=108795911203342\u0026w=2"
      },
      {
        "trust": 0.3,
        "url": "http://support.coresecurity.com/impact/exploits/8f4e6176d27fbcb31ba85ebb4652ccaa.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.mandrakesoft.com/security/advisories?name=mdksa-2004:061"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/367286"
      },
      {
        "trust": 0.2,
        "url": "http://www.kb.cert.org/vuls/id/654390"
      },
      {
        "trust": 0.1,
        "url": "http://marc.info/?l=bugtraq\u0026amp;m=108795911203342\u0026amp;w=2"
      },
      {
        "trust": 0.1,
        "url": "http://marc.info/?l=bugtraq\u0026amp;m=108843959502356\u0026amp;w=2"
      },
      {
        "trust": 0.1,
        "url": "http://marc.info/?l=bugtraq\u0026amp;m=108938625206063\u0026amp;w=2"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/secunia_security_advisories/"
      },
      {
        "trust": 0.1,
        "url": "http://www.xerox.com/downloads/usa/en/c/cert_xrx06_006_v1b.pdf"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/software_inspector/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/23265/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/product/4746/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/product/4553/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/about_secunia_advisories/"
      },
      {
        "trust": 0.1,
        "url": "http://www.us-cert.gov/cas/techalerts/ta04-174a.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.us-cert.gov/legal.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.isc.org/sw/dhcp/"
      },
      {
        "trust": 0.1,
        "url": "http://www.isc.org/products/dhcp"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#317350"
      },
      {
        "db": "CERT/CC",
        "id": "VU#654390"
      },
      {
        "db": "VULHUB",
        "id": "VHN-8890"
      },
      {
        "db": "BID",
        "id": "10590"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2004-000898"
      },
      {
        "db": "PACKETSTORM",
        "id": "52810"
      },
      {
        "db": "PACKETSTORM",
        "id": "33622"
      },
      {
        "db": "PACKETSTORM",
        "id": "33664"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200408-115"
      },
      {
        "db": "NVD",
        "id": "CVE-2004-0460"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#317350"
      },
      {
        "db": "CERT/CC",
        "id": "VU#654390"
      },
      {
        "db": "VULHUB",
        "id": "VHN-8890"
      },
      {
        "db": "BID",
        "id": "10590"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2004-000898"
      },
      {
        "db": "PACKETSTORM",
        "id": "52810"
      },
      {
        "db": "PACKETSTORM",
        "id": "33622"
      },
      {
        "db": "PACKETSTORM",
        "id": "33664"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200408-115"
      },
      {
        "db": "NVD",
        "id": "CVE-2004-0460"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2004-06-22T00:00:00",
        "db": "CERT/CC",
        "id": "VU#317350"
      },
      {
        "date": "2004-06-22T00:00:00",
        "db": "CERT/CC",
        "id": "VU#654390"
      },
      {
        "date": "2004-08-06T00:00:00",
        "db": "VULHUB",
        "id": "VHN-8890"
      },
      {
        "date": "2004-06-22T00:00:00",
        "db": "BID",
        "id": "10590"
      },
      {
        "date": "2024-06-04T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2004-000898"
      },
      {
        "date": "2006-12-07T06:24:29",
        "db": "PACKETSTORM",
        "id": "52810"
      },
      {
        "date": "2004-06-22T23:37:13",
        "db": "PACKETSTORM",
        "id": "33622"
      },
      {
        "date": "2004-06-28T00:42:00",
        "db": "PACKETSTORM",
        "id": "33664"
      },
      {
        "date": "2004-06-22T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200408-115"
      },
      {
        "date": "2004-08-06T04:00:00",
        "db": "NVD",
        "id": "CVE-2004-0460"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2004-07-13T00:00:00",
        "db": "CERT/CC",
        "id": "VU#317350"
      },
      {
        "date": "2004-07-21T00:00:00",
        "db": "CERT/CC",
        "id": "VU#654390"
      },
      {
        "date": "2017-07-11T00:00:00",
        "db": "VULHUB",
        "id": "VHN-8890"
      },
      {
        "date": "2009-07-12T05:16:00",
        "db": "BID",
        "id": "10590"
      },
      {
        "date": "2024-06-04T08:54:00",
        "db": "JVNDB",
        "id": "JVNDB-2004-000898"
      },
      {
        "date": "2005-10-20T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200408-115"
      },
      {
        "date": "2025-04-03T01:03:51.193000",
        "db": "NVD",
        "id": "CVE-2004-0460"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "33622"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200408-115"
      }
    ],
    "trust": 0.7
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "ISC DHCP contains a stack buffer overflow vulnerability in handling log lines containing ASCII characters only",
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#317350"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Boundary Condition Error",
    "sources": [
      {
        "db": "BID",
        "id": "10590"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200408-115"
      }
    ],
    "trust": 0.9
  }
}

VAR-200408-0175

Vulnerability from variot - Updated: 2025-04-03 22:09

The DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13, when compiled in environments that do not provide the vsnprintf function, uses C include files that define vsnprintf to use the less safe vsprintf function, which can lead to buffer overflow vulnerabilities that enable a denial of service (server crash) and possibly the execution of arbitrary code. The Internet Systems Consortium's (ISC) Dynamic Host Configuration Protocol (DHCP) 3 application contains a buffer overflow vulnerability. As a result, an attacker may gain administrative privileges on vulnerable systems. On systems which lack the vsnprintf() library call, ISC DHCPD defines vsnprintf as:

    #define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)

This definition discards the size argument to the function, so every call to vsnprintf() is potentially exploitable: the destination buffer passed to the call can be overflowed regardless of the size the caller specified. Other locations in DHCPD utilizing this function may be exploitable. This issue is reported to affect ISC DHCPD versions 3.0.1rc12 and 3.0.1rc13. ISC DHCP calls vsnprintf() to format the strings it writes to the log file.
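The effect of that define can be measured without corrupting memory. The following is an added example, not ISC's code: it formats a client-style hostname into a canary-filled 256-byte backing buffer while passing a 16-byte limit, once through a macro of the same shape as the define above and once through the real vsnprintf(). The names `shim_vsnprintf`, `format_with_shim`, `format_bounded`, `shim_overrun`, `bounded_overrun` and `log_line_truncated`, the buffer sizes and the hostnames are assumptions made for the illustration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same shape as the fallback define quoted above, under a hypothetical name
 * (shim_vsnprintf) so it does not shadow the real library function. */
#define shim_vsnprintf(buf, size, fmt, list) vsprintf(buf, fmt, list)

#define BACKING_SIZE 256  /* real allocation: keeps the demonstration well defined */
#define LOGICAL_SIZE 16   /* the limit the caller believes it is enforcing */
#define CANARY 0x5a       /* fill byte ('Z'); the sample hostnames never contain it */

/* Format through the shim: the preprocessor drops `size` before compilation. */
static int format_with_shim(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    (void)size; /* unused once the macro has expanded, which is the bug */
    va_start(ap, fmt);
    n = shim_vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Format through the real vsnprintf(): at most `size` bytes are written. */
static int format_bounded(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Count bytes written at or beyond LOGICAL_SIZE in the canary-filled buffer. */
static size_t overrun(int use_shim, const char *hostname)
{
    unsigned char backing[BACKING_SIZE];
    size_t i, past = 0;

    /* Refuse input that would not fit the backing buffer itself. */
    if (strlen(hostname) + sizeof "host=" > BACKING_SIZE)
        return 0;
    memset(backing, CANARY, sizeof backing);
    if (use_shim)
        format_with_shim((char *)backing, LOGICAL_SIZE, "host=%s", hostname);
    else
        format_bounded((char *)backing, LOGICAL_SIZE, "host=%s", hostname);
    for (i = LOGICAL_SIZE; i < sizeof backing; i++)
        if (backing[i] != CANARY)
            past++;
    return past;
}

size_t shim_overrun(const char *hostname)    { return overrun(1, hostname); }
size_t bounded_overrun(const char *hostname) { return overrun(0, hostname); }

/* With a real vsnprintf(), a return value >= the buffer size means the line
 * was truncated; a caller can log that fact instead of assuming it fit. */
int log_line_truncated(const char *hostname)
{
    char line[LOGICAL_SIZE];
    int n = format_bounded(line, sizeof line, "host=%s", hostname);

    return n < 0 || (size_t)n >= sizeof line;
}

int main(void)
{
    const char *name = "client-with-a-long-name"; /* constructed sample value */

    printf("shim: %zu bytes past the %d-byte limit\n",
           shim_overrun(name), LOGICAL_SIZE);
    printf("vsnprintf: %zu bytes past the limit\n", bounded_overrun(name));
    printf("truncated: %d\n", log_line_truncated(name));
    return 0;
}
```

In the daemon the destination is a fixed-size buffer with no spare room behind it, so the bytes counted here as "past the limit" land on adjacent data instead.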



TITLE: XEROX WorkCentre Products Multiple Vulnerabilities

SECUNIA ADVISORY ID: SA23265

VERIFY ADVISORY: http://secunia.com/advisories/23265/

CRITICAL: Moderately critical

IMPACT: Security Bypass, Manipulation of data, Exposure of system information, Exposure of sensitive information, DoS, System access

WHERE:

From local network

OPERATING SYSTEM: Xerox WorkCentre http://secunia.com/product/4746/ Xerox WorkCentre Pro http://secunia.com/product/4553/

DESCRIPTION: Some vulnerabilities and weaknesses have been reported in various XEROX WorkCentre products, which can be exploited by malicious people to bypass certain security restrictions, expose certain sensitive information, cause a DoS (Denial of Service), and compromise a vulnerable system.

1) Input passed to the TCP/IP hostname, the Scan-to-mailbox folder name field, and to the Microsoft Network configuration parameters in the Web User interface is not properly sanitised.

2) Certain browser settings may allow unauthorized access. Additionally, an unspecified vulnerability in the Web User Interface can be exploited to bypass the authentication.

3) The TFTP/BOOTP auto configuration can be exploited to manipulate certain configuration settings.

4) An unspecified error within the handling of email signatures can be exploited to display improper items.

5) Requests to web services can be made through HTTP instead of HTTPS. Other unspecified HTTP security issues and a httpd.conf misconfiguration are also reported.

6) An error within the Scan-to-mailbox feature can be exploited to anonymously download secure files. Additionally, it is possible to anonymously download audit log files.

7) The system fails to keep accurate time resulting in incorrect time stamps in audit logs.

8) The embedded Samba version contains various vulnerabilities. Additionally, the SMB "Homes" share is visible and it's possible to browse the file system via SMB.

9) The SNMP agent does not return errors for non-writable objects. Additionally, authentication failure traps can't be enabled or generated.

10) An error within ops3-dmn can be exploited to crash the service and cause a DoS by attaching a PS script.

11) It is possible to bypass the security restriction and boot Alchemy by e.g. using a USB thumb drive.

12) The "Validate Repository SSL Certificate" scan feature does not verify the FQDN.

13) Certain problems with the Immediate Image Overwrite and On Demand Image Overwrite, a Postgres port block, and an HTTP TRACE XSS attack in the network controller are reported.

14) Two boundary errors within the embedded DHCP implementation can be exploited to cause a buffer overflow, which may allow execution of arbitrary code.

SOLUTION: Apply updated software (see vendor advisories for detailed instructions).

PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.

ORIGINAL ADVISORY:
Xerox:
http://www.xerox.com/downloads/usa/en/c/cert_XRX06_006_v1b.pdf
http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf





           Technical Cyber Security Alert TA04-174A
            Multiple Vulnerabilities in ISC DHCP 3

Original release date: June 22, 2004
Last revised: --
Source: US-CERT

Systems Affected

 * ISC DHCP versions 3.0.1rc12 and 3.0.1rc13

Overview

Two vulnerabilities in the ISC DHCP allow a remote attacker to cause a denial of the DHCP service on a vulnerable system. It may be possible to exploit these vulnerabilities to execute arbitrary code on the system.

I.

VU#317350 discusses a buffer overflow vulnerability in the temporary storage of log lines. In transactions, ISC DHCPD logs every DHCP packet along with several pieces of descriptive information. The client's DISCOVER and the resulting OFFER, REQUEST, ACK, and NAKs are all logged. In all of these messages, if the client supplied a hostname, then it is also included in the logged line. As part of the DHCP datagram format, a client may specify multiple hostname options, up to 255 bytes per option. These options are concatenated by the server. If the hostname and options contain only ASCII characters, then the string will pass non-ASCII character filters and be temporarily stored in 1024 byte fixed-length buffers on the stack. If a client supplies enough hostname options, it is possible to overflow the fixed-length buffer.

VU#654390 discusses C include files for systems that do not support the bounds checking vsnprintf() function. These files define the bounds checking vsnprintf() to the non-bounds checking vsprintf() function. Since vsprintf() is a function that does not check bounds, the size is discarded, creating the potential for a buffer overflow when client data is supplied. Note that the vsnprintf() statements are defined after the vulnerable code that is discussed in VU#317350. Since the preconditions for this vulnerability are similar to those required to exploit VU#317350, these buffer overflow conditions occur sequentially in the code after the buffer overflow vulnerability discussed in VU#317350, and these issues were discovered and resolved at the same time, there is no known exploit path to exploit these buffer overflow conditions caused by VU#654390. Note that VU#654390 was discovered and exploitable once VU#317350 was resolved.

For both of the vulnerabilities, only ISC DHCP 3.0.1rc12 and ISC DHCP 3.0.1rc13 are believed to be vulnerable. VU#317350 is exploitable for all operating systems and configurations. VU#654390 is only defined for the following operating systems:

 * AIX
 * AlphaOS
 * Cygwin32
 * HP-UX
 * Irix
 * Linux
 * NextStep
 * SCO
 * SunOS 4
 * SunOS 5.5
 * Ultrix

All versions of ISC DHCP 3, including all snapshots, betas, and release candidates, contain the flawed code.

US-CERT is tracking these issues as VU#317350, which has been assigned CVE CAN-2004-0460, and VU#654390, which has been assigned CVE CAN-2004-0461.

II.

III. Solution

Apply patches or upgrade

These issues have been resolved in ISC DHCP 3.0.1rc14. Your vendor may provide specific patches or updates. For vendor-specific information, please see your vendor's site, or look for your vendor information in VU#317350 and VU#654390. As vendors report new information to US-CERT, we will update the vulnerability notes.

Appendix B. References

 * http://www.isc.org/sw/dhcp/
 * http://www.kb.cert.org/vuls/id/317350
 * http://www.kb.cert.org/vuls/id/654390

US-CERT thanks Gregory Duchemin and Solar Designer for discovering, reporting, and resolving this vulnerability. Thanks also to David Hankins of ISC for notifying us of this vulnerability and the technical information provided to create this document.


Feedback can be directed to the author: Jason A. Rafail


The latest version of this document can be found at:

 <http://www.us-cert.gov/cas/techalerts/TA04-174A.html>

Copyright 2004 Carnegie Mellon University.

Terms of use:

 <http://www.us-cert.gov/legal.html>

Revision History

June 22, 2004: Initial release

Hi, for those interested to reproduce the recent DOS attacks against ISC DHCPD 3.0.1 rc12 and rc13 as described in: http://www.kb.cert.org/vuls/id/317350 , I'm forwarding the first email I sent to ISC describing several stack based buffer overflows occurring during the creation of log messages and triggered by sending several DHCP HOSTNAME options within a single request. This mail also includes a trace of such DHCP REQUEST.

Other .bss overflows related to vsnprintf and identified later during our investigations as described in: http://www.kb.cert.org/vuls/id/654390 can be triggered the exact same way. Note that the home made tool I am referencing in this email will be made available very soon and already includes ISC, INFOBLOX and DLINK dhcp vulnerabilities. I will drop a note here when it is finally released.

cheers,
Gregory

Special thanks to Solar Designer and David W.Hankins (ISC)

--- Original email ------

Summary:

I have discovered several stack based overflows in your dhcp-3.0.1rc12 and rc13 (maybe others, I have not checked). These vulnerabilities can be easily triggered by crafting a dhcp discover or request packet which carries several hostname dhcp options that, once reassembled by the daemon (as explained in rfc 3396), overflow a stack based variable, causing the daemon to crash. I believe that one might execute code remotely on the server with the same user account dhcpd is running with, root in most cases. I have been able at some points during the tests to control eip's 4 bytes (intel 32bits arch); it was during the ddns forward update operation. Note that all tests have been made on a linux 2.4.20-24.9 using a home made tool to generate custom dhcp traffic.

Now an example:

see dhcpd.conf in attachment if you need it.

structure of an offending packet (case of a dhcp request based attack)

DHCP request from 0.0.0.0:68 (ff:ff:ff:ff:ff:ff) to 255.255.255.255:67 (ff:ff:ff:ff:ff:ff)

op : BOOT REQUEST (1) htype : Ethernet (10Mb) (1) hlen : 6 hops : 0 xid : 0x00000000 secs : 1 flags : UNICAST (0x0000) ciaddr : 0.0.0.0 yiaddr : 0.0.0.0 siaddr : 255.255.255.255 giaddr : 0.0.0.0 chaddr : ff:ff:ff:ff:ff:ff sname : file : cookie : 0x63825363 (RFC 1497/2132, BOOTP Vendor informations/DHCP options) DHCP option (053 [0x35]) : MESSAGE_TYPE : REQUEST BOOTP option (012 [0x0c]) : HOSTNAME : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA BOOTP option (012 [0x0c]) : HOSTNAME : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA BOOTP option (012 [0x0c]) : HOSTNAME : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA BOOTP option (012 [0x0c]) : HOSTNAME : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA BOOTP option (012 [0x0c]) : HOSTNAME : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA BOOTP option (012 [0x0c]) : HOSTNAME : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA BOOTP option (012 [0x0c]) : HOSTNAME : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA DHCP option (050 [0x32]) : REQUEST_IP : 192.168.0.99

sending this packet to the ptraced daemon (within gdb) gives:

    (gdb) run -f -d
    The program being debugged has been started already.
    Start it from the beginning? (y or n) y
    Starting program: /usr/sbin/dhcpd -f -d
    Internet Software Consortium DHCP Server V3.0.1rc13
    Copyright 1995-2003 Internet Software Consortium.
    All rights reserved.
    For info, please visit http://www.isc.org/products/DHCP
    Wrote 0 deleted host decls to leases file.
    Wrote 0 new dynamic host decls to leases file.
    Wrote 0 leases to leases file.
    Listening on LPF/eth0/00:0d:88:b5:95:0c/192.168.0.0/24
    Sending on LPF/eth0/00:0d:88:b5:95:0c/192.168.0.0/24
    Sending on Socket/fallback/fallback-net

    Program received signal SIGSEGV, Segmentation fault.
    0x080add76 in hash_lookup (vp=0xbfffde24, table=0x38322d50, name=0x8149dac "\001\xff\xff\xff\xff\xff\xff", len=7, file=0x80bbe25 "mdb.c", line=1662) at hash.c:363
    363 hashno = (*table -> do_hash) (name, len, table -> hash_count);
    (gdb)

backtracing stack show:

    (gdb) bt
    #0  0x080add76 in hash_lookup (vp=0xbfffde24, table=0x38322d50,
        name=0x8149dac "\001\xff\xff\xff\xff\xff\xff", len=7, file=0x80bbe25 "mdb.c", line=1662) at hash.c:363
    #1  0x0806fb0a in lease_hash_lookup (ptr=0xbfffde24, table=0x38322d50,
        buf=0x8149dac "\001\xff\xff\xff\xff\xff\xff", len=7, file=0x80bbe25 "mdb.c", line=1662) at mdb.c:2055
    #2  0x0806eb5b in find_lease_by_hw_addr (lp=0xbfffde24, hwaddr=0x8149dac
        "\001\xff\xff\xff\xff\xff\xff", hwlen=7, file=0x80bbe25 "mdb.c", line=1662) at mdb.c:1574
    #3  0x0806ee5f in hw_hash_add (lease=0x8149d30) at mdb.c:1661
    #4  0x0806d959 in supersede_lease (comp=0x8149d30, lease=0x811def8,
        commit=1, propogate=1, pimmediate=1) at mdb.c:969
    #5  0x08050cb9 in ack_lease (packet=0x811d6e0, lease=0x8149d30, offer=5,
        when=0, msg=0xbfffdfd0 "DHCPREQUEST for 192.168.0.99 from ff:ff:ff:ff:ff:ff via eth0", ms_nulltp=0) at dhcp.c:2227
    #6  0x0804d041 in dhcprequest (packet=0x811d6e0, ms_nulltp=0,
        ip_lease=0x0) at dhcp.c:662
    #7  0x0804c37d in dhcp (packet=0x811d6e0) at dhcp.c:224
    #8  0x08088d9a in do_packet (interface=0x811d568, packet=0xbfffe580,
        len=1430, from_port=17408, from= {len = 4, iabuf = '\0' }, hfrom=0xbffff5b0) at options.c:2237
    #9  0x08096718 in got_one (h=0x811d568) at discover.c:785
    #10 0x080a937e in omapi_one_dispatch (wo=0x0, t=0x0) at dispatch.c:418
    #11 0x0807cce3 in dispatch () at dispatch.c:103
    #12 0x0804add1 in main (argc=3, argv=0xbffff904, envp=0xbffff914) at
        dhcpd.c:614
    #13 0x42015574 in __libc_start_main () from /lib/tls/libc.so.6
    (gdb)

Note that the daemon may actually crash at a different location depending on the first corrupted structure it meets, and therefore on the size of the malicious option sent, along with the context (type of packet, leases in use etc...)

Problems in the source: I have spent quite some time to find out where the overflow actually takes its roots, here are my findings:

file server/dhcp.c: function dhcprequest :

    char msgbuf [1024]; /* XXX */
    char *s;

....

    if (lease && lease -> client_hostname &&
        db_printable (lease -> client_hostname))
            s = lease -> client_hostname;
    else
            s = (char *)0;

......

    sprintf (msgbuf, "DHCPREQUEST for %s%s from %s %s%s%svia %s",
             piaddr (cip), smbuf,
             (packet -> raw -> htype
              ? print_hw_addr (packet -> raw -> htype,
                               packet -> raw -> hlen,
                               packet -> raw -> chaddr)
              : (lease
                 ? print_hex_1 (lease -> uid_len, lease -> uid,
                                lease -> uid_len)
                 : "")),
             s ? "(" : "", s ? s : "", s ? ") " : "",
             packet -> raw -> giaddr.s_addr
             ? inet_ntoa (packet -> raw -> giaddr)
             : packet -> interface -> name);

To summarize, s is referencing the reassembled hostname option passed to the daemon, after which it is used as is in sprintf and stored in msgbuf (fixed size) without any length checking. Local msgbuf can obviously be overrun, corrupting various structures in stack and eventually causing the server to crash. Note that the call to db_printable( ), filtering hostname, may render the task harder to root a server but likely not impossible. Also being able to corrupt structures like lease or oc may have interesting side effects from an attacker perspective.

    void dhcprequest (packet, ms_nulltp, ip_lease)
            struct packet *packet;
            int ms_nulltp;
            struct lease *ip_lease;
    {
            struct lease *lease;
            struct iaddr cip;
            struct iaddr sip;
            struct subnet *subnet;
            int ours = 0;
            struct option_cache *oc;
            struct data_string data;
            int status;
            char msgbuf [1024]; /* XXX */
            char *s;
            char smbuf [19];

....

the very same problem is present in dhcpdiscover( ), dhcpdecline( ),
dhcprequest( ) , dhcprelease( ), ... please look at the diff in unified format, attached to this email, for a detailed list
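
The unbounded sprintf() into msgbuf described in the forwarded email, set beside a bounded alternative that reports truncation. This is an added example, not ISC's code and not the diff attached to the original email; the simplified log format, the function names and the 'A'-filled hostname options are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MSGBUF_SIZE 1024 /* size of msgbuf in the quoted dhcprequest() */
#define MAX_OPT_LEN 255  /* largest payload a single DHCP option can carry */
#define MAX_OPTS 16      /* cap chosen for this example only */
#define HOST_MAX (MAX_OPTS * MAX_OPT_LEN + 1)
/* Simplified stand-in for the server's log format (assumption). */
#define LOG_FMT "DHCPREQUEST for %s from %s (%s) via %s"

/* Join repeated hostname options into out without writing past outsz.
 * Returns the length the full concatenation needs, so a return value
 * >= outsz tells the caller the result was truncated. */
size_t concat_hostname_opts(const char *const *opts, const size_t *lens,
                            size_t n, char *out, size_t outsz)
{
    size_t total = 0, used = 0;

    for (size_t i = 0; i < n; i++) {
        size_t len = lens[i] > MAX_OPT_LEN ? MAX_OPT_LEN : lens[i];
        total += len;
        if (outsz > 0 && used < outsz - 1) {
            size_t room = outsz - 1 - used;
            size_t copy = len < room ? len : room;
            memcpy(out + used, opts[i], copy);
            used += copy;
        }
    }
    if (outsz > 0)
        out[used] = '\0';
    return total;
}

/* Bounded replacement for the sprintf() call: 0 = line fits,
 * 1 = line was truncated to bufsz - 1 bytes, -1 = formatting error. */
int format_log_line(char *buf, size_t bufsz, const char *ip, const char *hw,
                    const char *host, const char *ifname)
{
    int n = snprintf(buf, bufsz, LOG_FMT, ip, hw, host, ifname);

    if (n < 0)
        return -1;
    return (size_t)n >= bufsz ? 1 : 0;
}

/* Constructed input: nopts hostname options of optlen 'A' bytes each. */
static size_t sample_hostname(size_t nopts, size_t optlen, char *out,
                              size_t outsz)
{
    static char fill[MAX_OPT_LEN];
    const char *opts[MAX_OPTS];
    size_t lens[MAX_OPTS];

    if (nopts > MAX_OPTS)
        nopts = MAX_OPTS;
    memset(fill, 'A', sizeof fill);
    for (size_t i = 0; i < nopts; i++) {
        opts[i] = fill;
        lens[i] = optlen;
    }
    return concat_hostname_opts(opts, lens, nopts, out, outsz);
}

/* Bytes (without the NUL) that an unbounded sprintf() would write. */
int needed_for_case(size_t nopts, size_t optlen)
{
    char host[HOST_MAX];

    sample_hostname(nopts, optlen, host, sizeof host);
    return snprintf(NULL, 0, LOG_FMT, "192.168.0.99", "ff:ff:ff:ff:ff:ff",
                    host, "eth0");
}

/* Result of the bounded formatter for the same constructed request. */
int check_case(size_t nopts, size_t optlen)
{
    char host[HOST_MAX];
    char msgbuf[MSGBUF_SIZE];

    sample_hostname(nopts, optlen, host, sizeof host);
    return format_log_line(msgbuf, sizeof msgbuf, "192.168.0.99",
                           "ff:ff:ff:ff:ff:ff", host, "eth0");
}

int main(void)
{
    printf("1 x 3 bytes:   needs %d, truncated=%d\n",
           needed_for_case(1, 3), check_case(1, 3));
    printf("7 x 150 bytes: needs %d, truncated=%d\n",
           needed_for_case(7, 150), check_case(7, 150));
    return 0;
}
```

A truncation result of 1 is also a useful logging signal: a request whose combined hostname options do not fit a 1024-byte log line is worth flagging for review.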


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-200408-0175",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": null,
        "scope": null,
        "trust": 1.6,
        "vendor": "fedora",
        "version": null
      },
      {
        "model": null,
        "scope": null,
        "trust": 1.6,
        "vendor": "infoblox",
        "version": null
      },
      {
        "model": null,
        "scope": null,
        "trust": 1.6,
        "vendor": "mandrakesoft",
        "version": null
      },
      {
        "model": null,
        "scope": null,
        "trust": 1.6,
        "vendor": "suse",
        "version": null
      },
      {
        "model": "fedora core",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "redhat",
        "version": "core_2.0"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "suse",
        "version": "8.1"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "suse",
        "version": "8.0"
      },
      {
        "model": "mandrake linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "mandrakesoft",
        "version": "9.1"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "suse",
        "version": "7"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "suse",
        "version": "9.0"
      },
      {
        "model": "linux firewall cd",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "suse",
        "version": "*"
      },
      {
        "model": "dns one appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "infoblox",
        "version": "2.4.0.8"
      },
      {
        "model": "linux connectivity server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "suse",
        "version": "*"
      },
      {
        "model": "mandrake linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "mandrakesoft",
        "version": "10.0"
      },
      {
        "model": "dns one appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "infoblox",
        "version": "2.3.1_r5"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "suse",
        "version": "8.2"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "suse",
        "version": "9.1"
      },
      {
        "model": "linux database server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "suse",
        "version": "*"
      },
      {
        "model": "mandrake linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "mandrakesoft",
        "version": "9.2"
      },
      {
        "model": "dhcpd",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "isc",
        "version": "3.0.1"
      },
      {
        "model": "dns one appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "infoblox",
        "version": "2.4.0.8a"
      },
      {
        "model": "mandrake linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "mandrakesoft",
        "version": "9.0"
      },
      {
        "model": "linux admin-cd for firewall",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "suse",
        "version": "*"
      },
      {
        "model": "email server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "suse",
        "version": "iii"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "suse",
        "version": "8"
      },
      {
        "model": "linux office server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "suse",
        "version": "*"
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "isc",
        "version": null
      },
      {
        "model": "dhcp",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "isc",
        "version": "3.0.1rc12"
      },
      {
        "model": "dhcp",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "isc",
        "version": "3.0.1rc13"
      },
      {
        "model": "linux enterprise server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "suse",
        "version": "8"
      },
      {
        "model": "linux enterprise server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "suse",
        "version": "7"
      },
      {
        "model": "linux i386",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "suse",
        "version": "8.0"
      },
      {
        "model": "suse email server iii",
        "scope": null,
        "trust": 0.3,
        "vendor": "s u s e",
        "version": null
      },
      {
        "model": "linux personal",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "s u s e",
        "version": "9.1"
      },
      {
        "model": "linux personal x86 64",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "s u s e",
        "version": "9.0"
      },
      {
        "model": "linux personal",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "s u s e",
        "version": "9.0"
      },
      {
        "model": "linux personal",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "s u s e",
        "version": "8.2"
      },
      {
        "model": "linux office server",
        "scope": null,
        "trust": 0.3,
        "vendor": "s u s e",
        "version": null
      },
      {
        "model": "linux firewall on cd",
        "scope": null,
        "trust": 0.3,
        "vendor": "s u s e",
        "version": null
      },
      {
        "model": "linux database server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "s u s e",
        "version": "0"
      },
      {
        "model": "linux connectivity server",
        "scope": null,
        "trust": 0.3,
        "vendor": "s u s e",
        "version": null
      },
      {
        "model": "linux admin-cd for firewall",
        "scope": null,
        "trust": 0.3,
        "vendor": "s u s e",
        "version": null
      },
      {
        "model": "fedora core2",
        "scope": null,
        "trust": 0.3,
        "vendor": "redhat",
        "version": null
      },
      {
        "model": "linux mandrake amd64",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "mandriva",
        "version": "10.0"
      },
      {
        "model": "linux mandrake",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "mandriva",
        "version": "10.0"
      },
      {
        "model": "linux mandrake amd64",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "mandriva",
        "version": "9.2"
      },
      {
        "model": "linux mandrake",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "mandriva",
        "version": "9.2"
      },
      {
        "model": "linux mandrake ppc",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "mandriva",
        "version": "9.1"
      },
      {
        "model": "linux mandrake",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "mandriva",
        "version": "9.1"
      },
      {
        "model": "linux mandrake",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "mandriva",
        "version": "9.0"
      },
      {
        "model": "dhcpd rc13",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "isc",
        "version": "3.0.1"
      },
      {
        "model": "dhcpd rc12",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "isc",
        "version": "3.0.1"
      },
      {
        "model": "dns one appliance .0-8a",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "infoblox",
        "version": "2.4"
      },
      {
        "model": "dns one appliance",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "infoblox",
        "version": "2.4.0-8"
      },
      {
        "model": "dns one appliance -r5",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "infoblox",
        "version": "2.3.1"
      },
      {
        "model": "dhcpd rc14",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "isc",
        "version": "3.0.1"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#317350"
      },
      {
        "db": "CERT/CC",
        "id": "VU#654390"
      },
      {
        "db": "BID",
        "id": "10591"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2004-000617"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200408-117"
      },
      {
        "db": "NVD",
        "id": "CVE-2004-0461"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/a:isc:dhcp",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2004-000617"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Gregory Duchemin\u203b c3rb3r@hotmail.com\u203bSolar Designer\u203b solar@openwall.com",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200408-117"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2004-0461",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CVE-2004-0461",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 1.8,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "VHN-8891",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2004-0461",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "CARNEGIE MELLON",
            "id": "VU#317350",
            "trust": 0.8,
            "value": "25.52"
          },
          {
            "author": "CARNEGIE MELLON",
            "id": "VU#654390",
            "trust": 0.8,
            "value": "14.21"
          },
          {
            "author": "NVD",
            "id": "CVE-2004-0461",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-200408-117",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULHUB",
            "id": "VHN-8891",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#317350"
      },
      {
        "db": "CERT/CC",
        "id": "VU#654390"
      },
      {
        "db": "VULHUB",
        "id": "VHN-8891"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2004-000617"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200408-117"
      },
      {
        "db": "NVD",
        "id": "CVE-2004-0461"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13, when compiled in environments that do not provide the vsnprintf function, uses C include files that define vsnprintf to use the less safe vsprintf function, which can lead to buffer overflow vulnerabilities that enable a denial of service (server crash) and possibly execute arbitrary code. The Internet Systems Consortium\u0027s (ISC) Dynamic Host Configuration Protocol (DHCP) 3 application contains a buffer overflow vulnerability. As a result, you may gain administrative privileges on vulnerable systems. \nOn systems which lack the vsnprintf() library call, ISC DHCPD defines vsnprintf as:\n#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)\nThis definition discards the size argument to the function, potentially allowing any occurrence of vsnprintf() to be exploitable, by overflowing whatever intended buffer is passed to the library call. \nOther locations in DHCPD utilizing this function may be exploitable. \nThis issue is reported to affect ISC DHCPD versions 3.0.1rc12 and 3.0.1rc13. ISC DHCP calls vsnprintf() to write format log file strings. 
\n\n----------------------------------------------------------------------\n\nTITLE:\nXEROX WorkCentre Products Multiple Vulnerabilities\n\nSECUNIA ADVISORY ID:\nSA23265\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/23265/\n\nCRITICAL:\nModerately critical\n\nIMPACT:\nSecurity Bypass, Manipulation of data, Exposure of system\ninformation, Exposure of sensitive information, DoS, System access\n\nWHERE:\n\u003eFrom local network\n\nOPERATING SYSTEM:\nXerox WorkCentre\nhttp://secunia.com/product/4746/\nXerox WorkCentre Pro\nhttp://secunia.com/product/4553/\n\nDESCRIPTION:\nSome vulnerabilities and weaknesses have been reported in various\nXEROX WorkCentre products, which can be exploited by malicious people\nto bypass certain security restrictions, expose certain sensitive\ninformation, cause a DoS (Denial of Service), and compromise a\nvulnerable system. \n\n1) Input passed to the TCP/IP hostname, the Scan-to-mailbox folder\nname field, and to the Microsoft Network configuration parameters in\nthe Web User interface is not properly sanitised. \n\n2) Certain browser settings may allow unauthorized access. \nAdditionally, an unspecified vulnerability in the Web User Interface\ncan be exploited to bypass the authentication. \n\n3) The TFTP/BOOTP auto configuration can be exploited to manipulate\ncertain configuration settings. \n\n4) An unspecified error within the handling of email signatures can\nbe exploited to display improper items. \n\n5) Requests to web services can be made through HTTP instead of\nHTTPS. Other unspecified HTTP security issues and a httpd.conf\nmisconfiguration are also reported. \n\n6) An error within the Scan-to-mailbox feature can be exploited to\nanonymously download secure files. Additionally, it is possible to\nanonymously download audit log files. \n\n7) The system fails to keep accurate time resulting in incorrect time\nstamps in audit logs. 
\n\n8) The embedded Samba version contains various vulnerabilities. \nAdditionally, the SMB \"Homes\" share is visible and it\u0027s possible to\nbrowse the file system via SMB. \n\n9) The SNMP agent does not return errors for non-writable objects. \nAdditionally, authentication failure traps can\u0027t be enabled or\ngenerated. \n\n10) An error within ops3-dmn can be exploited to crash the service\nand cause a DoS by attaching a PS script. \n\n11) It is possible to bypass the security restriction and boot\nAlchemy by e.g. using an USB thumb drive. \n\n12) The \"Validate Repository SSL Certificate\" scan feature does not\nverify the FQDN. \n\n13) Certain problems with the Immediate Image Overwrite and On Demand\nImage Overwrite, a Postgress port block, and a http TRACE XSS attack\nin the network controller are reported. \n\n14) Two boundary errors within the embedded DHCP implementation can\nbe exploited to cause a buffer overflow, which may allow execution of\narbitrary code. \n\nSOLUTION:\nApply updated software (see vendor advisories for detailed\ninstructions). \n\nPROVIDED AND/OR DISCOVERED BY:\nReported by the vendor. \n\nORIGINAL ADVISORY:\nXerox:\nhttp://www.xerox.com/downloads/usa/en/c/cert_XRX06_006_v1b.pdf\nhttp://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf
\n\n----------------------------------------------------------------------\n\n\n. \n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n\n               Technical Cyber Security Alert TA04-174A\n                Multiple Vulnerabilities in ISC DHCP 3\n\n   Original release date: June 22, 2004\n   Last revised: --\n   Source: US-CERT\n\nSystems Affected\n\n     * ISC DHCP versions 3.0.1rc12 and 3.0.1rc13\n\nOverview\n\n   Two vulnerabilities in the ISC DHCP allow a remote attacker to cause a\n   denial of the DHCP service on a vulnerable system. It may be possible\n   to exploit these vulnerabilities to execute arbitrary code on the\n   system. \n\nI. \n\n   VU#317350 discusses a buffer overflow vulnerability in the temporary\n   storage of log lines. In transactions, ISC DHCPD logs every DHCP\n   packet along with several pieces of descriptive information. The\n   client\u0027s DISCOVER and the resulting OFFER, REQUEST, ACK, and NAKs are\n   all logged. In all of these messages, if the client supplied a\n   hostname, then it is also included in the logged line. As part of the\n   DHCP datagram format, a client may specify multiple hostname options,\n   up to 255 bytes per option. These options are concatenated by the\n   server. If the hostname and options contain only ASCII characters,\n   then the string will pass non-ASCII character filters and be\n   temporarily stored in 1024 byte fixed-length buffers on the stack. If\n   a client supplies enough hostname options, it is possible to overflow\n   the fixed-length buffer. \n\n   VU#654390 discusses C include files for systems that do not support\n   the bounds checking vsnprintf() function. These files define the\n   bounds checking vsnprintf() to the non-bounds checking vsprintf()\n   function. 
Since vsprintf() is a function that does not check bounds,\n   the size is discarded, creating the potential for a buffer overflow\n   when client data is supplied. Note that the vsnprintf() statements are\n   defined after the vulnerable code that is discussed in VU#317350. \n   Since the preconditions for this vulnerability are similar to those\n   required to exploit VU#317350, these buffer overflow conditions occur\n   sequentially in the code after the buffer overflow vulnerability\n   discussed in VU#317350, and these issues were discovered and resolved\n   at the same time, there is no known exploit path to exploit these\n   buffer overflow conditions caused by VU#654390. Note that VU#654390\n   was discovered and exploitable once VU#317350 was resolved. \n\n   For both of the vulnerabilities, only ISC DHCP 3.0.1rc12 and ISC DHCP\n   3.0.1rc13 are believed to be vulnerable. VU#317350 is exploitable for\n   all operating systems and configurations. VU#654390 is only defined\n   for the following operating systems:\n\n     * AIX\n     * AlphaOS\n     * Cygwin32\n     * HP-UX\n     * Irix\n     * Linux\n     * NextStep\n     * SCO\n     * SunOS 4\n     * SunOS 5.5\n     * Ultrix\n\n   All versions of ISC DHCP 3, including all snapshots, betas, and\n   release candidates, contain the flawed code. \n\n   US-CERT is tracking these issues as VU#317350, which has been assigned\n   CVE CAN-2004-0460, and VU#654390, which has been assigned CVE\n   CAN-2004-0461. \n\nII. \n\nIII. Solution\n\n   Apply patches or upgrade\n\n   These issues have been resolved in ISC DHCP 3.0.1rc14. Your vendor may\n   provide specific patches or updates. For vendor-specific information,\n   please see your vendor\u0027s site, or look for your vendor information in\n   VU#317350 and VU#654390. As vendors report new information to US-CERT,\n   we will update the vulnerability notes. \n\nAppendix B. 
References\n\n     * http://www.isc.org/sw/dhcp/\n     * http://www.kb.cert.org/vuls/id/317350\n     * http://www.kb.cert.org/vuls/id/654390\n   _________________________________________________________________\n\n   US-CERT thanks Gregory Duchemin and Solar Designer for discovering,\n   reporting, and resolving this vulnerability. Thanks also to David\n   Hankins of ISC for notifying us of this vulnerability and the\n   technical information provided to create this document. \n  _________________________________________________________________\n\n   Feedback can be directed to the author: Jason A. Rafail\n  _________________________________________________________________\n\n   The latest version of this document can be found at:\n     \n     \u003chttp://www.us-cert.gov/cas/techalerts/TA04-174A.html\u003e\n  _________________________________________________________________\n     \n   Copyright 2004 Carnegie Mellon University. \n     \n   Terms of use:\n     \n     \u003chttp://www.us-cert.gov/legal.html\u003e\n   \n  _________________________________________________________________\n\n   Revision History\n\n   June 22, 2004: Initial release\n\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.2.1 (GNU/Linux)\n\niD8DBQFA2HFSXlvNRxAkFWARArH4AKDtUECQTE5HXmvsDQkwcWn9r7uAowCdGTHq\nAqWt3CgdEPJcIFDbJlIWQHo=\n=HSxN\n-----END PGP SIGNATURE-----\n. Hi,\nfor those interested to reproduce the recent DOS attacks against ISC \nDHCPD 3.0.1 rc12 and rc13\nas described in:\nhttp://www.kb.cert.org/vuls/id/317350\n, i\u0027m forwarding the first email i sent to ISC describing several stack \nbased buffer overflows occurring during the creation\nof log messages and triggered by sending several DHCP HOSTNAME options \nwithin a single request. \nThis mail also includes a trace of such DHCP REQUEST. \n\nOther .bss overflows related to vsnprintf and identified later during \nour investigations as described in:\nhttp://www.kb.cert.org/vuls/id/654390\ncan be triggered the exact same way. 
\nNote that the home made tool i am referencing in this email will be made \navailable very soon and already includes ISC, INFOBLOX and DLINK dhcp \nvulnerabilities\nI will drop a note here when it is finally released. \ncheers,\nGregory\n\nSpecial thanks to Solar Designer and David W.Hankins (ISC)\n\n\n--- Original email ------\n\nSummary:\n\ni have discovered several stack based overflows in your dhcp-3.0.1rc12 \nand rc13 (may be others, have not checked)\nthese vulnerabilities can be easily triggered by crafting a dhcp \ndiscover or request packet which carries several  hostname dhcp options that\n,once reassembled by the daemon (as explained in rfc 3396), overflow a \nstack based variable causing the daemon to crash. \nI believe that one might execute code remotely on the server with the \nsame user account dhcpd is running with, root in most cases. \nI have been able at some points during the tests, to control eip\u0027 4 \nbytes (intel 32bits arch), it was during the ddns forward update operation. \nNote that all tests have been made on a linux 2.4.20-24.9 using a home \nmade tool to generate custom dhcp traffic\n\nNow an example:\n\nsee dhcpd.conf in attachment if you need it. 
\n\nstructure of an offending packet (case of a dhcp request based attack)\n\n \u003e\u003e DHCP  request\n \u003e\u003e from 0.0.0.0:68 (ff:ff:ff:ff:ff:ff) to 255.255.255.255:67 \n(ff:ff:ff:ff:ff:ff)\n\n \u003e\u003e op     : BOOT REQUEST (1)\n \u003e\u003e htype  : Ethernet (10Mb) (1)\n \u003e\u003e hlen   : 6\n \u003e\u003e hops   : 0\n \u003e\u003e xid    : 0x00000000\n \u003e\u003e secs   : 1\n \u003e\u003e flags  : UNICAST (0x0000)\n \u003e\u003e ciaddr : 0.0.0.0\n \u003e\u003e yiaddr : 0.0.0.0\n \u003e\u003e siaddr : 255.255.255.255\n \u003e\u003e giaddr : 0.0.0.0\n \u003e\u003e chaddr : ff:ff:ff:ff:ff:ff\n \u003e\u003e sname  :\n \u003e\u003e file   :\n \u003e\u003e cookie : 0x63825363 (RFC 1497/2132, BOOTP Vendor informations/DHCP \noptions)\n \u003e\u003e DHCP  option  (053 [0x35]) : MESSAGE_TYPE : REQUEST\n \u003e\u003e BOOTP option  (012 [0x0c]) : HOSTNAME : \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n \u003e\u003e BOOTP option  (012 [0x0c]) : HOSTNAME : \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n \u003e\u003e BOOTP option  (012 [0x0c]) : HOSTNAME : \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n \u003e\u003e BOOTP option  (012 [0x0c]) : HOSTNAME : \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n \u003e\u003e BOOTP option  (012 [0x0c]) : HOSTNAME : \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n \u003e\u003e BOOTP option  (012 [0x0c]) : HOSTNAME : 
\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n \u003e\u003e BOOTP option  (012 [0x0c]) : HOSTNAME : \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n \u003e\u003e DHCP  option  (050 [0x32]) : REQUEST_IP : 192.168.0.99\n \nsending this packet to the ptraced daemon  (within gdb) gives:\n\n(gdb) run -f -d\nThe program being debugged has been started already. \nStart it from the beginning? (y or n) y\nStarting program: /usr/sbin/dhcpd -f -d\nInternet Software Consortium DHCP Server V3.0.1rc13\nCopyright 1995-2003 Internet Software Consortium. \nAll rights reserved. \nFor info, please visit http://www.isc.org/products/DHCP\nWrote 0 deleted host decls to leases file. \nWrote 0 new dynamic host decls to leases file. \nWrote 0 leases to leases file. \nListening on LPF/eth0/00:0d:88:b5:95:0c/192.168.0.0/24\nSending on   LPF/eth0/00:0d:88:b5:95:0c/192.168.0.0/24\nSending on   Socket/fallback/fallback-net\nUnable to add forward map from 
\nbobAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NANAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-1022AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8 
\n860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-284AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108NANAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108NAN0X1.1E4600811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1. \n92E302E383631P-108NAN0X1.1E4600811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0X1.1DEF80811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108NAN0X1.1E4600811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0X1.1DEF80811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-0X1.FDE880811DEF8P+0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108NAN0X1.1E4600811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0X1.1DEF80811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-0X1.FDE880811DEF8P+0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-0X1.FDE2008071205P+0A.zob.com.0X1.D8860BFFFDD5P-895NAN0X0.0000080FFFFFFP-10220X1.1E46000000003P-8940X1.23931P-2840X1.92E302E383631P-108NAN0X1.1E4600811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0X1.1DEF80811E4FP-894AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-0X 
\n1.FDE880811DEF8P+0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-0X1.FDE2008071205P+0A.zob.com.0X1. \n\nProgram received signal SIGSEGV, Segmentation fault. \n0x080add76 in hash_lookup (vp=0xbfffde24, table=0x38322d50, \nname=0x8149dac \"\\001\\xff\\xff\\xff\\xff\\xff\\xff\", len=7, file=0x80bbe25 \"mdb.c\", line=1662)\n    at hash.c:363\n363             hashno = (*table -\u003e do_hash) (name, len, table -\u003e \nhash_count);\n(gdb)\n \n\nbacktracing stack show:\n\n(gdb) bt\n#0  0x080add76 in hash_lookup (vp=0xbfffde24, table=0x38322d50, \nname=0x8149dac \"\\001\\xff\\xff\\xff\\xff\\xff\\xff\", len=7, file=0x80bbe25 \"mdb.c\", line=1662)\n    at hash.c:363\n#1  0x0806fb0a in lease_hash_lookup (ptr=0xbfffde24, table=0x38322d50, \nbuf=0x8149dac \"\\001\\xff\\xff\\xff\\xff\\xff\\xff\", len=7, file=0x80bbe25 \"mdb.c\", line=1662)\n    at mdb.c:2055\n#2  0x0806eb5b in find_lease_by_hw_addr (lp=0xbfffde24, hwaddr=0x8149dac \n\"\\001\\xff\\xff\\xff\\xff\\xff\\xff\", hwlen=7, file=0x80bbe25 \"mdb.c\", line=1662)\n    at mdb.c:1574\n#3  0x0806ee5f in hw_hash_add (lease=0x8149d30) at mdb.c:1661\n#4  0x0806d959 in supersede_lease (comp=0x8149d30, lease=0x811def8, \ncommit=1, propogate=1, pimmediate=1) at mdb.c:969\n#5  0x08050cb9 in ack_lease (packet=0x811d6e0, lease=0x8149d30, offer=5, \nwhen=0,\n    msg=0xbfffdfd0 \"DHCPREQUEST for 192.168.0.99 from ff:ff:ff:ff:ff:ff \nvia eth0\", ms_nulltp=0) at dhcp.c:2227\n#6  0x0804d041 in dhcprequest (packet=0x811d6e0, ms_nulltp=0, \nip_lease=0x0) at dhcp.c:662\n#7  0x0804c37d in dhcp (packet=0x811d6e0) at dhcp.c:224\n#8  0x08088d9a in do_packet (interface=0x811d568, packet=0xbfffe580, \nlen=1430, from_port=17408, from=\n      {len = 4, iabuf = \u0027\\0\u0027 \u003crepeats 15 times\u003e}, hfrom=0xbffff5b0) at \noptions.c:2237\n#9  0x08096718 in got_one (h=0x811d568) at discover.c:785\n#10 0x080a937e in omapi_one_dispatch (wo=0x0, t=0x0) at dispatch.c:418\n#11 0x0807cce3 in dispatch () at dispatch.c:103\n#12 0x0804add1 in main (argc=3, 
argv=0xbffff904, envp=0xbffff914) at \ndhcpd.c:614\n#13 0x42015574 in __libc_start_main () from /lib/tls/libc.so.6\n(gdb)\n\nNote that the daemon may actually crash at a different location \ndepending on the first corrupted structure it meets and therefore,\nof the size of the malicious option sent, along with the context (type \nof packet, leases in use etc...)\n\n\nProblems in the source:\nI have spent quite some time to find out where the overflow actually \ntakes its roots, here are my findings:\n\nfile server/dhcp.c:\nfunction dhcprequest :\n\n        char msgbuf [1024]; /* XXX */\n        char *s;\n\n.... \n\n  if (lease \u0026\u0026 lease -\u003e client_hostname \u0026\u0026\n            db_printable (lease -\u003e client_hostname))\n                s = lease -\u003e client_hostname;\n        else\n                s = (char *)0;\n\n\n...... \n\n  sprintf (msgbuf, \"DHCPREQUEST for %s%s from %s %s%s%svia %s\",\n                 piaddr (cip), smbuf,\n                 (packet -\u003e raw -\u003e htype\n                  ? print_hw_addr (packet -\u003e raw -\u003e htype,\n                                   packet -\u003e raw -\u003e hlen,\n                                   packet -\u003e raw -\u003e chaddr)\n                  : (lease\n                     ? print_hex_1 (lease -\u003e uid_len, lease -\u003e uid,\n                                    lease -\u003e uid_len)\n                     : \"\u003cno identifier\u003e\")),\n                 s ? \"(\" : \"\", s ? s : \"\", s ? \") \" : \"\",\n                  packet -\u003e raw -\u003e giaddr.s_addr\n                  ? inet_ntoa (packet -\u003e raw -\u003e giaddr)\n                  : packet -\u003e interface -\u003e name);\n\n\nTo summarize, s is referencing the reassembled hostname option passed to \nthe daemon, after which it is used as is in sprintf and stored in msgbuf \n(fixed size) without any length checking. 
\nlocal msgbuf can obviously be overrun, corrupting various structures in \nstack and eventually causing the server to crash\nNote that the call to db_printable( ), filtering hostname,  may render \nthe task harder to root a server but likely not impossible. \nAlso being able to corrupt structures like *lease or *oc may have \ninteresting side effects from an attacker perspective. \n\nvoid dhcprequest (packet, ms_nulltp, ip_lease)\n        struct packet *packet;\n        int ms_nulltp;\n        struct lease *ip_lease;\n{\n        struct lease *lease;\n        struct iaddr cip;\n        struct iaddr sip;\n        struct subnet *subnet;\n        int ours = 0;\n        struct option_cache *oc;\n        struct data_string data;\n        int status;\n        char msgbuf [1024]; /* XXX */\n        char *s;\n        char smbuf [19];\n\n.... \n\nthe very same problem is present in dhcpdiscover( ),  dhcpdecline( ),  \ndhcprequest(  ) , dhcprelease( ), ... \nplease look at the diff in unified format, attached to this email, for a \ndetailed list",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2004-0461"
      },
      {
        "db": "CERT/CC",
        "id": "VU#317350"
      },
      {
        "db": "CERT/CC",
        "id": "VU#654390"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2004-000617"
      },
      {
        "db": "BID",
        "id": "10591"
      },
      {
        "db": "VULHUB",
        "id": "VHN-8891"
      },
      {
        "db": "PACKETSTORM",
        "id": "52810"
      },
      {
        "db": "PACKETSTORM",
        "id": "33622"
      },
      {
        "db": "PACKETSTORM",
        "id": "33664"
      }
    ],
    "trust": 3.69
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#654390",
        "trust": 3.5
      },
      {
        "db": "USCERT",
        "id": "TA04-174A",
        "trust": 2.9
      },
      {
        "db": "NVD",
        "id": "CVE-2004-0461",
        "trust": 2.8
      },
      {
        "db": "BID",
        "id": "10591",
        "trust": 2.8
      },
      {
        "db": "CERT/CC",
        "id": "VU#317350",
        "trust": 1.8
      },
      {
        "db": "SECUNIA",
        "id": "23265",
        "trust": 1.8
      },
      {
        "db": "XF",
        "id": "16476",
        "trust": 1.4
      },
      {
        "db": "XF",
        "id": "16475",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2004-000617",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200408-117",
        "trust": 0.7
      },
      {
        "db": "SUSE",
        "id": "SUSE-SA:2004:019",
        "trust": 0.6
      },
      {
        "db": "BUGTRAQ",
        "id": "20040708 [OPENPKG-SA-2004.031] OPENPKG SECURITY ADVISORY (DHCPD)",
        "trust": 0.6
      },
      {
        "db": "BUGTRAQ",
        "id": "20040622 DHCP VULN // NO CODE 0DAY //",
        "trust": 0.6
      },
      {
        "db": "BUGTRAQ",
        "id": "20040628 ISC DHCP OVERFLOWS",
        "trust": 0.6
      },
      {
        "db": "CERT/CC",
        "id": "TA04-174A",
        "trust": 0.6
      },
      {
        "db": "MANDRAKE",
        "id": "MDKSA-2004:061",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-8891",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "52810",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "33622",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "33664",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#317350"
      },
      {
        "db": "CERT/CC",
        "id": "VU#654390"
      },
      {
        "db": "VULHUB",
        "id": "VHN-8891"
      },
      {
        "db": "BID",
        "id": "10591"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2004-000617"
      },
      {
        "db": "PACKETSTORM",
        "id": "52810"
      },
      {
        "db": "PACKETSTORM",
        "id": "33622"
      },
      {
        "db": "PACKETSTORM",
        "id": "33664"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200408-117"
      },
      {
        "db": "NVD",
        "id": "CVE-2004-0461"
      }
    ]
  },
  "id": "VAR-200408-0175",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-8891"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2025-04-03T22:09:54.035000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "ISC Dynamic Host Configuration Protocol (DHCP)",
        "trust": 0.8,
        "url": "https://www.isc.org/sw/dhcp/"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2004-000617"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "NVD-CWE-Other",
        "trust": 1.0
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2004-0461"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.8,
        "url": "http://www.us-cert.gov/cas/techalerts/ta04-174a.html"
      },
      {
        "trust": 2.7,
        "url": "http://www.kb.cert.org/vuls/id/654390"
      },
      {
        "trust": 2.5,
        "url": "http://www.securityfocus.com/bid/10591"
      },
      {
        "trust": 1.8,
        "url": "http://www.xerox.com/downloads/usa/en/c/cert_xrx06_004_v11.pdf"
      },
      {
        "trust": 1.7,
        "url": "http://www.mandriva.com/security/advisories?name=mdksa-2004:061"
      },
      {
        "trust": 1.7,
        "url": "http://secunia.com/advisories/23265"
      },
      {
        "trust": 1.7,
        "url": "http://www.novell.com/linux/security/advisories/2004_19_dhcp_server.html"
      },
      {
        "trust": 1.6,
        "url": "about vulnerability notes"
      },
      {
        "trust": 1.6,
        "url": "contact us about this vulnerability"
      },
      {
        "trust": 1.6,
        "url": "provide a vendor statement"
      },
      {
        "trust": 1.4,
        "url": "http://xforce.iss.net/xforce/xfdb/16476"
      },
      {
        "trust": 1.1,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16476"
      },
      {
        "trust": 1.0,
        "url": "http://www.kb.cert.org/vuls/id/317350"
      },
      {
        "trust": 1.0,
        "url": "http://marc.info/?l=bugtraq\u0026m=108795911203342\u0026w=2"
      },
      {
        "trust": 1.0,
        "url": "http://marc.info/?l=bugtraq\u0026m=108843959502356\u0026w=2"
      },
      {
        "trust": 1.0,
        "url": "http://marc.info/?l=bugtraq\u0026m=108938625206063\u0026w=2"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0461"
      },
      {
        "trust": 0.8,
        "url": "http://xforce.iss.net/xforce/xfdb/16475"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/cert/jvnta04-174a/index.html"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/tr/trta04-174a"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2004-0461"
      },
      {
        "trust": 0.6,
        "url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=108843959502356\u0026w=2"
      },
      {
        "trust": 0.6,
        "url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=108938625206063\u0026w=2"
      },
      {
        "trust": 0.6,
        "url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=108795911203342\u0026w=2"
      },
      {
        "trust": 0.3,
        "url": "http://www.mandrakesoft.com/security/advisories?name=mdksa-2004:061"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/367286"
      },
      {
        "trust": 0.1,
        "url": "http://marc.info/?l=bugtraq\u0026amp;m=108795911203342\u0026amp;w=2"
      },
      {
        "trust": 0.1,
        "url": "http://marc.info/?l=bugtraq\u0026amp;m=108843959502356\u0026amp;w=2"
      },
      {
        "trust": 0.1,
        "url": "http://marc.info/?l=bugtraq\u0026amp;m=108938625206063\u0026amp;w=2"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/secunia_security_advisories/"
      },
      {
        "trust": 0.1,
        "url": "http://www.xerox.com/downloads/usa/en/c/cert_xrx06_006_v1b.pdf"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/software_inspector/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/23265/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/product/4746/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/product/4553/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/about_secunia_advisories/"
      },
      {
        "trust": 0.1,
        "url": "http://www.us-cert.gov/cas/techalerts/ta04-174a.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.us-cert.gov/legal.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.isc.org/sw/dhcp/"
      },
      {
        "trust": 0.1,
        "url": "http://www.isc.org/products/dhcp"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#317350"
      },
      {
        "db": "CERT/CC",
        "id": "VU#654390"
      },
      {
        "db": "VULHUB",
        "id": "VHN-8891"
      },
      {
        "db": "BID",
        "id": "10591"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2004-000617"
      },
      {
        "db": "PACKETSTORM",
        "id": "52810"
      },
      {
        "db": "PACKETSTORM",
        "id": "33622"
      },
      {
        "db": "PACKETSTORM",
        "id": "33664"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200408-117"
      },
      {
        "db": "NVD",
        "id": "CVE-2004-0461"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#317350"
      },
      {
        "db": "CERT/CC",
        "id": "VU#654390"
      },
      {
        "db": "VULHUB",
        "id": "VHN-8891"
      },
      {
        "db": "BID",
        "id": "10591"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2004-000617"
      },
      {
        "db": "PACKETSTORM",
        "id": "52810"
      },
      {
        "db": "PACKETSTORM",
        "id": "33622"
      },
      {
        "db": "PACKETSTORM",
        "id": "33664"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200408-117"
      },
      {
        "db": "NVD",
        "id": "CVE-2004-0461"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2004-06-22T00:00:00",
        "db": "CERT/CC",
        "id": "VU#317350"
      },
      {
        "date": "2004-06-22T00:00:00",
        "db": "CERT/CC",
        "id": "VU#654390"
      },
      {
        "date": "2004-08-06T00:00:00",
        "db": "VULHUB",
        "id": "VHN-8891"
      },
      {
        "date": "2004-06-22T00:00:00",
        "db": "BID",
        "id": "10591"
      },
      {
        "date": "2009-04-03T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2004-000617"
      },
      {
        "date": "2006-12-07T06:24:29",
        "db": "PACKETSTORM",
        "id": "52810"
      },
      {
        "date": "2004-06-22T23:37:13",
        "db": "PACKETSTORM",
        "id": "33622"
      },
      {
        "date": "2004-06-28T00:42:00",
        "db": "PACKETSTORM",
        "id": "33664"
      },
      {
        "date": "2004-06-22T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200408-117"
      },
      {
        "date": "2004-08-06T04:00:00",
        "db": "NVD",
        "id": "CVE-2004-0461"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2004-07-13T00:00:00",
        "db": "CERT/CC",
        "id": "VU#317350"
      },
      {
        "date": "2004-07-21T00:00:00",
        "db": "CERT/CC",
        "id": "VU#654390"
      },
      {
        "date": "2017-07-11T00:00:00",
        "db": "VULHUB",
        "id": "VHN-8891"
      },
      {
        "date": "2009-07-12T05:16:00",
        "db": "BID",
        "id": "10591"
      },
      {
        "date": "2009-04-03T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2004-000617"
      },
      {
        "date": "2005-10-20T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200408-117"
      },
      {
        "date": "2025-04-03T01:03:51.193000",
        "db": "NVD",
        "id": "CVE-2004-0461"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "33622"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200408-117"
      }
    ],
    "trust": 0.7
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "ISC DHCP contains a stack buffer overflow vulnerability in handling log lines containing ASCII characters only",
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#317350"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Boundary Condition Error",
    "sources": [
      {
        "db": "BID",
        "id": "10591"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200408-117"
      }
    ],
    "trust": 0.9
  }
}

CVE-2019-6470 (GCVE-0-2019-6470)

Vulnerability from nvd – Published: 2019-11-01 22:15 – Updated: 2024-09-17 01:25
Title
dhcpd: use-after-free error leads crash in IPv6 mode when using mismatched BIND libraries
Summary
There had existed in one of the ISC BIND libraries a bug in a function that was used by dhcpd when operating in DHCPv6 mode. There was also a bug in dhcpd relating to the use of this function per its documentation, but the bug in the library function prevented this from causing any harm. All releases of dhcpd from ISC contain copies of this, and other, BIND libraries in combinations that have been tested prior to release and are known to not present issues like this. Some third-party packagers of ISC software have modified the dhcpd source, BIND source, or version matchup in ways that create the crash potential. Based on reports available to ISC, the crash probability is large and no analysis has been done on how, or even if, the probability can be manipulated by an attacker. Affects: Builds of dhcpd versions prior to version 4.4.1 when using BIND versions 9.11.2 or later, or BIND versions with specific bug fixes backported to them. ISC does not have access to comprehensive version lists for all repackagings of dhcpd that are vulnerable. In particular, builds from other vendors may also be affected. Operators are advised to consult their vendor documentation.
CWE
  • A use-after-free error in DHCPv6 processing when interfacing with newer BIND libraries leads to frequent crashes
Assigner
isc
Impacted products
Vendor: Multiple, non-ISC
Product: dhcpd
Version: Affected: builds not wholly from ISC source < 4.4.1
Date Public
2019-05-11 00:00

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T20:23:21.296Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2060"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://lists.opensuse.org/opensuse-security-announce/2019-10/msg00049.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://lists.opensuse.org/opensuse-security-announce/2019-10/msg00048.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896122"
          },
          {
            "name": "RHSA-2019:3525",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3525"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "dhcpd",
          "vendor": "Multiple, non-ISC",
          "versions": [
            {
              "status": "affected",
              "version": "builds not wholly from ISC source \u003c 4.4.1"
            }
          ]
        }
      ],
      "datePublic": "2019-05-11T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "There had existed in one of the ISC BIND libraries a bug in a function that was used by dhcpd when operating in DHCPv6 mode. There was also a bug in dhcpd relating to the use of this function per its documentation, but the bug in the library function prevented this from causing any harm. All releases of dhcpd from ISC contain copies of this, and other, BIND libraries in combinations that have been tested prior to release and are known to not present issues like this. Some third-party packagers of ISC software have modified the dhcpd source, BIND source, or version matchup in ways that create the crash potential. Based on reports available to ISC, the crash probability is large and no analysis has been done on how, or even if, the probability can be manipulated by an attacker. Affects: Builds of dhcpd versions prior to version 4.4.1 when using BIND versions 9.11.2 or later, or BIND versions with specific bug fixes backported to them. ISC does not have access to comprehensive version lists for all repackagings of dhcpd that are vulnerable. In particular, builds from other vendors may also be affected. Operators are advised to consult their vendor documentation."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "A use-after-free error in DHCPv6 processing when interfacing with newer BIND libraries leads to frequent crashes",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-11-06T00:08:09.000Z",
        "orgId": "404fd4d2-a609-4245-b543-2c944a302a22",
        "shortName": "isc"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2060"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://lists.opensuse.org/opensuse-security-announce/2019-10/msg00049.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://lists.opensuse.org/opensuse-security-announce/2019-10/msg00048.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896122"
        },
        {
          "name": "RHSA-2019:3525",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3525"
        }
      ],
      "source": {
        "discovery": "USER"
      },
      "title": "dhcpd: use-after-free error leads crash in IPv6 mode when using mismatched BIND libraries",
      "x_generator": {
        "engine": "Vulnogram 0.0.8"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-officer@isc.org",
          "DATE_PUBLIC": "2019-05-11T12:00:00.000Z",
          "ID": "CVE-2019-6470",
          "STATE": "PUBLIC",
          "TITLE": "dhcpd: use-after-free error leads crash in IPv6 mode when using mismatched BIND libraries"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "dhcpd",
                      "version": {
                        "version_data": [
                          {
                            "version_name": "builds not wholly from ISC source",
                            "version_value": "\u003c 4.4.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Multiple, non-ISC"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "There had existed in one of the ISC BIND libraries a bug in a function that was used by dhcpd when operating in DHCPv6 mode. There was also a bug in dhcpd relating to the use of this function per its documentation, but the bug in the library function prevented this from causing any harm. All releases of dhcpd from ISC contain copies of this, and other, BIND libraries in combinations that have been tested prior to release and are known to not present issues like this. Some third-party packagers of ISC software have modified the dhcpd source, BIND source, or version matchup in ways that create the crash potential. Based on reports available to ISC, the crash probability is large and no analysis has been done on how, or even if, the probability can be manipulated by an attacker. Affects: Builds of dhcpd versions prior to version 4.4.1 when using BIND versions 9.11.2 or later, or BIND versions with specific bug fixes backported to them. ISC does not have access to comprehensive version lists for all repackagings of dhcpd that are vulnerable. In particular, builds from other vendors may also be affected. Operators are advised to consult their vendor documentation."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.8"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "A use-after-free error in DHCPv6 processing when interfacing with newer BIND libraries leads to frequent crashes"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://access.redhat.com/errata/RHSA-2019:2060",
              "refsource": "CONFIRM",
              "url": "https://access.redhat.com/errata/RHSA-2019:2060"
            },
            {
              "name": "https://lists.opensuse.org/opensuse-security-announce/2019-10/msg00049.html",
              "refsource": "CONFIRM",
              "url": "https://lists.opensuse.org/opensuse-security-announce/2019-10/msg00049.html"
            },
            {
              "name": "https://lists.opensuse.org/opensuse-security-announce/2019-10/msg00048.html",
              "refsource": "CONFIRM",
              "url": "https://lists.opensuse.org/opensuse-security-announce/2019-10/msg00048.html"
            },
            {
              "name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896122",
              "refsource": "CONFIRM",
              "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896122"
            },
            {
              "name": "RHSA-2019:3525",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3525"
            }
          ]
        },
        "source": {
          "discovery": "USER"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22",
    "assignerShortName": "isc",
    "cveId": "CVE-2019-6470",
    "datePublished": "2019-11-01T22:15:33.599Z",
    "dateReserved": "2019-01-16T00:00:00.000Z",
    "dateUpdated": "2024-09-17T01:25:37.218Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2006-3122 (GCVE-0-2006-3122)

Vulnerability from nvd – Published: 2006-08-09 22:00 – Updated: 2024-08-07 18:16
Summary
The supersede_lease function in memory.c in ISC DHCP (dhcpd) server 2.0pl5 allows remote attackers to cause a denial of service (application crash) via a DHCPDISCOVER packet with a 32 byte client-identifier, which causes the packet to be interpreted as a corrupt uid and causes the server to exit with "corrupt lease uid."
Severity
No CVSS data available.
CWE
  • n/a
Assigner
References
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=380273 (x_refsource_MISC)
http://www.debian.org/security/2006/dsa-1143 (vendor-advisory, x_refsource_DEBIAN)
http://www.vupen.com/english/advisories/2006/3158 (vdb-entry, x_refsource_VUPEN)
http://secunia.com/advisories/21655 (third-party-advisory, x_refsource_SECUNIA)
http://secunia.com/advisories/21363 (third-party-advisory, x_refsource_SECUNIA)
http://www.openbsd.org/errata.html#dhcpd (vendor-advisory, x_refsource_OPENBSD)
http://www.securityfocus.com/bid/19348 (vdb-entry, x_refsource_BID)
http://secunia.com/advisories/21345 (third-party-advisory, x_refsource_SECUNIA)
http://securitytracker.com/id?1016755 (vdb-entry, x_refsource_SECTRACK)
Date Public
2006-07-28 00:00

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T18:16:05.842Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=380273"
          },
          {
            "name": "DSA-1143",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2006/dsa-1143"
          },
          {
            "name": "ADV-2006-3158",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2006/3158"
          },
          {
            "name": "21655",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/21655"
          },
          {
            "name": "21363",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/21363"
          },
          {
            "name": "[3.9] 20060825 006: SECURITY FIX: August 25, 2006",
            "tags": [
              "vendor-advisory",
              "x_refsource_OPENBSD",
              "x_transferred"
            ],
            "url": "http://www.openbsd.org/errata.html#dhcpd"
          },
          {
            "name": "19348",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/19348"
          },
          {
            "name": "21345",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/21345"
          },
          {
            "name": "1016755",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://securitytracker.com/id?1016755"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2006-07-28T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The supersede_lease function in memory.c in ISC DHCP (dhcpd) server 2.0pl5 allows remote attackers to cause a denial of service (application crash) via a DHCPDISCOVER packet with a 32 byte client-identifier, which causes the packet to be interpreted as a corrupt uid and causes the server to exit with \"corrupt lease uid.\""
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2006-08-18T09:00:00.000Z",
        "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
        "shortName": "debian"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=380273"
        },
        {
          "name": "DSA-1143",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2006/dsa-1143"
        },
        {
          "name": "ADV-2006-3158",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2006/3158"
        },
        {
          "name": "21655",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/21655"
        },
        {
          "name": "21363",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/21363"
        },
        {
          "name": "[3.9] 20060825 006: SECURITY FIX: August 25, 2006",
          "tags": [
            "vendor-advisory",
            "x_refsource_OPENBSD"
          ],
          "url": "http://www.openbsd.org/errata.html#dhcpd"
        },
        {
          "name": "19348",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/19348"
        },
        {
          "name": "21345",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/21345"
        },
        {
          "name": "1016755",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://securitytracker.com/id?1016755"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@debian.org",
          "ID": "CVE-2006-3122",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The supersede_lease function in memory.c in ISC DHCP (dhcpd) server 2.0pl5 allows remote attackers to cause a denial of service (application crash) via a DHCPDISCOVER packet with a 32 byte client-identifier, which causes the packet to be interpreted as a corrupt uid and causes the server to exit with \"corrupt lease uid.\""
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=380273",
              "refsource": "MISC",
              "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=380273"
            },
            {
              "name": "DSA-1143",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2006/dsa-1143"
            },
            {
              "name": "ADV-2006-3158",
              "refsource": "VUPEN",
              "url": "http://www.vupen.com/english/advisories/2006/3158"
            },
            {
              "name": "21655",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/21655"
            },
            {
              "name": "21363",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/21363"
            },
            {
              "name": "[3.9] 20060825 006: SECURITY FIX: August 25, 2006",
              "refsource": "OPENBSD",
              "url": "http://www.openbsd.org/errata.html#dhcpd"
            },
            {
              "name": "19348",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/19348"
            },
            {
              "name": "21345",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/21345"
            },
            {
              "name": "1016755",
              "refsource": "SECTRACK",
              "url": "http://securitytracker.com/id?1016755"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
    "assignerShortName": "debian",
    "cveId": "CVE-2006-3122",
    "datePublished": "2006-08-09T22:00:00.000Z",
    "dateReserved": "2006-06-21T00:00:00.000Z",
    "dateUpdated": "2024-08-07T18:16:05.842Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2004-1006 (GCVE-0-2004-1006)

Vulnerability from nvd – Published: 2004-11-19 05:00 – Updated: 2024-08-08 00:39
Summary
Format string vulnerability in the log functions in dhcpd for dhcp 2.x allows remote DNS servers to execute arbitrary code via certain DNS messages, a different vulnerability than CVE-2002-0702.
Severity
No CVSS data available.
CWE
  • n/a
Assigner
References
http://marc.info/?l=bugtraq&m=109968710822449&w=2 (mailing-list, x_refsource_BUGTRAQ)
http://www.kb.cert.org/vuls/id/448384 (third-party-advisory, x_refsource_CERT-VN)
http://www.securityfocus.com/bid/11591 (vdb-entry, x_refsource_BID)
http://archives.neohapsis.com/archives/bugtraq/20… (mailing-list, x_refsource_BUGTRAQ)
http://www.debian.org/security/2004/dsa-584 (vendor-advisory, x_refsource_DEBIAN)
https://exchange.xforce.ibmcloud.com/vulnerabilit… (vdb-entry, x_refsource_XF)
http://archives.neohapsis.com/archives/bugtraq/20… (mailing-list, x_refsource_BUGTRAQ)
http://www.redhat.com/support/errata/RHSA-2005-212.html (vendor-advisory, x_refsource_REDHAT)
Date Public
2004-10-25 00:00

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-08T00:39:00.517Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20041105 Re: debian dhcpd, old format string bug",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://marc.info/?l=bugtraq\u0026m=109968710822449\u0026w=2"
          },
          {
            "name": "VU#448384",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "http://www.kb.cert.org/vuls/id/448384"
          },
          {
            "name": "11591",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/11591"
          },
          {
            "name": "20041025 debian dhcpd, old format string bug",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://archives.neohapsis.com/archives/bugtraq/2004-10/0287.html"
          },
          {
            "name": "DSA-584",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2004/dsa-584"
          },
          {
            "name": "dhcp-log-format-string(17963)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/17963"
          },
          {
            "name": "20041102 Re: debian dhcpd, old format string bug",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://archives.neohapsis.com/archives/bugtraq/2004-11/0037.html"
          },
          {
            "name": "RHSA-2005:212",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://www.redhat.com/support/errata/RHSA-2005-212.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2004-10-25T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Format string vulnerability in the log functions in dhcpd for dhcp 2.x allows remote DNS servers to execute arbitrary code via certain DNS messages, a different vulnerability than CVE-2002-0702."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-07-10T14:57:01.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "20041105 Re: debian dhcpd, old format string bug",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://marc.info/?l=bugtraq\u0026m=109968710822449\u0026w=2"
        },
        {
          "name": "VU#448384",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "http://www.kb.cert.org/vuls/id/448384"
        },
        {
          "name": "11591",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/11591"
        },
        {
          "name": "20041025 debian dhcpd, old format string bug",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://archives.neohapsis.com/archives/bugtraq/2004-10/0287.html"
        },
        {
          "name": "DSA-584",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2004/dsa-584"
        },
        {
          "name": "dhcp-log-format-string(17963)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/17963"
        },
        {
          "name": "20041102 Re: debian dhcpd, old format string bug",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://archives.neohapsis.com/archives/bugtraq/2004-11/0037.html"
        },
        {
          "name": "RHSA-2005:212",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://www.redhat.com/support/errata/RHSA-2005-212.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2004-1006",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Format string vulnerability in the log functions in dhcpd for dhcp 2.x allows remote DNS servers to execute arbitrary code via certain DNS messages, a different vulnerability than CVE-2002-0702."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20041105 Re: debian dhcpd, old format string bug",
              "refsource": "BUGTRAQ",
              "url": "http://marc.info/?l=bugtraq\u0026m=109968710822449\u0026w=2"
            },
            {
              "name": "VU#448384",
              "refsource": "CERT-VN",
              "url": "http://www.kb.cert.org/vuls/id/448384"
            },
            {
              "name": "11591",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/11591"
            },
            {
              "name": "20041025 debian dhcpd, old format string bug",
              "refsource": "BUGTRAQ",
              "url": "http://archives.neohapsis.com/archives/bugtraq/2004-10/0287.html"
            },
            {
              "name": "DSA-584",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2004/dsa-584"
            },
            {
              "name": "dhcp-log-format-string(17963)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/17963"
            },
            {
              "name": "20041102 Re: debian dhcpd, old format string bug",
              "refsource": "BUGTRAQ",
              "url": "http://archives.neohapsis.com/archives/bugtraq/2004-11/0037.html"
            },
            {
              "name": "RHSA-2005:212",
              "refsource": "REDHAT",
              "url": "http://www.redhat.com/support/errata/RHSA-2005-212.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2004-1006",
    "datePublished": "2004-11-19T05:00:00.000Z",
    "dateReserved": "2004-11-02T00:00:00.000Z",
    "dateUpdated": "2024-08-08T00:39:00.517Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2004-0461 (GCVE-0-2004-0461)

Vulnerability from nvd – Published: 2004-06-24 04:00 – Updated: 2024-08-08 00:17
Summary
The DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13, when compiled in environments that do not provide the vsnprintf function, uses C include files that define vsnprintf to use the less safe vsprintf function, which can lead to buffer overflow vulnerabilities that enable a denial of service (server crash) and possibly execute arbitrary code.
Severity
No CVSS data available.
CWE
  • n/a
Assigner
References
http://www.kb.cert.org/vuls/id/654390 (third-party-advisory, x_refsource_CERT-VN)
https://exchange.xforce.ibmcloud.com/vulnerabilit… (vdb-entry, x_refsource_XF)
http://www.mandriva.com/security/advisories?name=… (vendor-advisory, x_refsource_MANDRAKE)
http://secunia.com/advisories/23265 (third-party-advisory, x_refsource_SECUNIA)
http://marc.info/?l=bugtraq&m=108795911203342&w=2 (mailing-list, x_refsource_BUGTRAQ)
http://marc.info/?l=bugtraq&m=108938625206063&w=2 (mailing-list, x_refsource_BUGTRAQ)
http://www.novell.com/linux/security/advisories/2… (vendor-advisory, x_refsource_SUSE)
http://www.securityfocus.com/bid/10591 (vdb-entry, x_refsource_BID)
http://www.xerox.com/downloads/usa/en/c/cert_XRX0… (x_refsource_CONFIRM)
http://www.us-cert.gov/cas/techalerts/TA04-174A.html (third-party-advisory, x_refsource_CERT)
http://marc.info/?l=bugtraq&m=108843959502356&w=2 (mailing-list, x_refsource_BUGTRAQ)
Date Public
2004-06-22 00:00

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-08T00:17:15.144Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "VU#654390",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "http://www.kb.cert.org/vuls/id/654390"
          },
          {
            "name": "dhcp-c-include-bo(16476)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16476"
          },
          {
            "name": "MDKSA-2004:061",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRAKE",
              "x_transferred"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2004:061"
          },
          {
            "name": "23265",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/23265"
          },
          {
            "name": "20040622 DHCP Vuln // no code 0day //",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://marc.info/?l=bugtraq\u0026m=108795911203342\u0026w=2"
          },
          {
            "name": "20040708 [OpenPKG-SA-2004.031] OpenPKG Security Advisory (dhcpd)",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://marc.info/?l=bugtraq\u0026m=108938625206063\u0026w=2"
          },
          {
            "name": "SuSE-SA:2004:019",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://www.novell.com/linux/security/advisories/2004_19_dhcp_server.html"
          },
          {
            "name": "10591",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/10591"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf"
          },
          {
            "name": "TA04-174A",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT",
              "x_transferred"
            ],
            "url": "http://www.us-cert.gov/cas/techalerts/TA04-174A.html"
          },
          {
            "name": "20040628 ISC DHCP overflows",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://marc.info/?l=bugtraq\u0026m=108843959502356\u0026w=2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2004-06-22T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13, when compiled in environments that do not provide the vsnprintf function, uses C include files that define vsnprintf to use the less safe vsprintf function, which can lead to buffer overflow vulnerabilities that enable a denial of service (server crash) and possibly execute arbitrary code."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-07-10T14:57:01.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "VU#654390",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "http://www.kb.cert.org/vuls/id/654390"
        },
        {
          "name": "dhcp-c-include-bo(16476)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16476"
        },
        {
          "name": "MDKSA-2004:061",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRAKE"
          ],
          "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2004:061"
        },
        {
          "name": "23265",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/23265"
        },
        {
          "name": "20040622 DHCP Vuln // no code 0day //",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://marc.info/?l=bugtraq\u0026m=108795911203342\u0026w=2"
        },
        {
          "name": "20040708 [OpenPKG-SA-2004.031] OpenPKG Security Advisory (dhcpd)",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://marc.info/?l=bugtraq\u0026m=108938625206063\u0026w=2"
        },
        {
          "name": "SuSE-SA:2004:019",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://www.novell.com/linux/security/advisories/2004_19_dhcp_server.html"
        },
        {
          "name": "10591",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/10591"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf"
        },
        {
          "name": "TA04-174A",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT"
          ],
          "url": "http://www.us-cert.gov/cas/techalerts/TA04-174A.html"
        },
        {
          "name": "20040628 ISC DHCP overflows",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://marc.info/?l=bugtraq\u0026m=108843959502356\u0026w=2"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2004-0461",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13, when compiled in environments that do not provide the vsnprintf function, uses C include files that define vsnprintf to use the less safe vsprintf function, which can lead to buffer overflow vulnerabilities that enable a denial of service (server crash) and possibly execute arbitrary code."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "VU#654390",
              "refsource": "CERT-VN",
              "url": "http://www.kb.cert.org/vuls/id/654390"
            },
            {
              "name": "dhcp-c-include-bo(16476)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16476"
            },
            {
              "name": "MDKSA-2004:061",
              "refsource": "MANDRAKE",
              "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2004:061"
            },
            {
              "name": "23265",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/23265"
            },
            {
              "name": "20040622 DHCP Vuln // no code 0day //",
              "refsource": "BUGTRAQ",
              "url": "http://marc.info/?l=bugtraq\u0026m=108795911203342\u0026w=2"
            },
            {
              "name": "20040708 [OpenPKG-SA-2004.031] OpenPKG Security Advisory (dhcpd)",
              "refsource": "BUGTRAQ",
              "url": "http://marc.info/?l=bugtraq\u0026m=108938625206063\u0026w=2"
            },
            {
              "name": "SuSE-SA:2004:019",
              "refsource": "SUSE",
              "url": "http://www.novell.com/linux/security/advisories/2004_19_dhcp_server.html"
            },
            {
              "name": "10591",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/10591"
            },
            {
              "name": "http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf",
              "refsource": "CONFIRM",
              "url": "http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf"
            },
            {
              "name": "TA04-174A",
              "refsource": "CERT",
              "url": "http://www.us-cert.gov/cas/techalerts/TA04-174A.html"
            },
            {
              "name": "20040628 ISC DHCP overflows",
              "refsource": "BUGTRAQ",
              "url": "http://marc.info/?l=bugtraq\u0026m=108843959502356\u0026w=2"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2004-0461",
    "datePublished": "2004-06-24T04:00:00.000Z",
    "dateReserved": "2004-05-12T00:00:00.000Z",
    "dateUpdated": "2024-08-08T00:17:15.144Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2004-0460 (GCVE-0-2004-0460)

Vulnerability from nvd – Published: 2004-06-24 04:00 – Updated: 2024-08-08 00:17
Summary
Buffer overflow in the logging capability for the DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13 allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via multiple hostname options in (1) DISCOVER, (2) OFFER, (3) REQUEST, (4) ACK, or (5) NAK messages, which can generate a long string when writing to a log file.
Severity
No CVSS data available.
CWE
  • n/a
Assigner
References
http://www.kb.cert.org/vuls/id/317350 (third-party-advisory, x_refsource_CERT-VN)
http://www.securityfocus.com/bid/10590 (vdb-entry, x_refsource_BID)
http://www.mandriva.com/security/advisories?name=… (vendor-advisory, x_refsource_MANDRAKE)
http://secunia.com/advisories/23265 (third-party-advisory, x_refsource_SECUNIA)
http://marc.info/?l=bugtraq&m=108795911203342&w=2 (mailing-list, x_refsource_BUGTRAQ)
http://marc.info/?l=bugtraq&m=108938625206063&w=2 (mailing-list, x_refsource_BUGTRAQ)
http://www.novell.com/linux/security/advisories/2… (vendor-advisory, x_refsource_SUSE)
https://exchange.xforce.ibmcloud.com/vulnerabilit… (vdb-entry, x_refsource_XF)
http://www.xerox.com/downloads/usa/en/c/cert_XRX0… (x_refsource_CONFIRM)
http://www.us-cert.gov/cas/techalerts/TA04-174A.html (third-party-advisory, x_refsource_CERT)
http://marc.info/?l=bugtraq&m=108843959502356&w=2 (mailing-list, x_refsource_BUGTRAQ)
Date Public
2004-06-22 00:00

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-08T00:17:15.127Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "VU#317350",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "http://www.kb.cert.org/vuls/id/317350"
          },
          {
            "name": "10590",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/10590"
          },
          {
            "name": "MDKSA-2004:061",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRAKE",
              "x_transferred"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2004:061"
          },
          {
            "name": "23265",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/23265"
          },
          {
            "name": "20040622 DHCP Vuln // no code 0day //",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://marc.info/?l=bugtraq\u0026m=108795911203342\u0026w=2"
          },
          {
            "name": "20040708 [OpenPKG-SA-2004.031] OpenPKG Security Advisory (dhcpd)",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://marc.info/?l=bugtraq\u0026m=108938625206063\u0026w=2"
          },
          {
            "name": "SuSE-SA:2004:019",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://www.novell.com/linux/security/advisories/2004_19_dhcp_server.html"
          },
          {
            "name": "dhcp-ascii-log-bo(16475)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16475"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf"
          },
          {
            "name": "TA04-174A",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT",
              "x_transferred"
            ],
            "url": "http://www.us-cert.gov/cas/techalerts/TA04-174A.html"
          },
          {
            "name": "20040628 ISC DHCP overflows",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://marc.info/?l=bugtraq\u0026m=108843959502356\u0026w=2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2004-06-22T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Buffer overflow in the logging capability for the DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13 allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via multiple hostname options in (1) DISCOVER, (2) OFFER, (3) REQUEST, (4) ACK, or (5) NAK messages, which can generate a long string when writing to a log file."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-07-10T14:57:01.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "VU#317350",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "http://www.kb.cert.org/vuls/id/317350"
        },
        {
          "name": "10590",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/10590"
        },
        {
          "name": "MDKSA-2004:061",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRAKE"
          ],
          "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2004:061"
        },
        {
          "name": "23265",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/23265"
        },
        {
          "name": "20040622 DHCP Vuln // no code 0day //",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://marc.info/?l=bugtraq\u0026m=108795911203342\u0026w=2"
        },
        {
          "name": "20040708 [OpenPKG-SA-2004.031] OpenPKG Security Advisory (dhcpd)",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://marc.info/?l=bugtraq\u0026m=108938625206063\u0026w=2"
        },
        {
          "name": "SuSE-SA:2004:019",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://www.novell.com/linux/security/advisories/2004_19_dhcp_server.html"
        },
        {
          "name": "dhcp-ascii-log-bo(16475)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16475"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf"
        },
        {
          "name": "TA04-174A",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT"
          ],
          "url": "http://www.us-cert.gov/cas/techalerts/TA04-174A.html"
        },
        {
          "name": "20040628 ISC DHCP overflows",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://marc.info/?l=bugtraq\u0026m=108843959502356\u0026w=2"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2004-0460",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Buffer overflow in the logging capability for the DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13 allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via multiple hostname options in (1) DISCOVER, (2) OFFER, (3) REQUEST, (4) ACK, or (5) NAK messages, which can generate a long string when writing to a log file."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "VU#317350",
              "refsource": "CERT-VN",
              "url": "http://www.kb.cert.org/vuls/id/317350"
            },
            {
              "name": "10590",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/10590"
            },
            {
              "name": "MDKSA-2004:061",
              "refsource": "MANDRAKE",
              "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2004:061"
            },
            {
              "name": "23265",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/23265"
            },
            {
              "name": "20040622 DHCP Vuln // no code 0day //",
              "refsource": "BUGTRAQ",
              "url": "http://marc.info/?l=bugtraq\u0026m=108795911203342\u0026w=2"
            },
            {
              "name": "20040708 [OpenPKG-SA-2004.031] OpenPKG Security Advisory (dhcpd)",
              "refsource": "BUGTRAQ",
              "url": "http://marc.info/?l=bugtraq\u0026m=108938625206063\u0026w=2"
            },
            {
              "name": "SuSE-SA:2004:019",
              "refsource": "SUSE",
              "url": "http://www.novell.com/linux/security/advisories/2004_19_dhcp_server.html"
            },
            {
              "name": "dhcp-ascii-log-bo(16475)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16475"
            },
            {
              "name": "http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf",
              "refsource": "CONFIRM",
              "url": "http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf"
            },
            {
              "name": "TA04-174A",
              "refsource": "CERT",
              "url": "http://www.us-cert.gov/cas/techalerts/TA04-174A.html"
            },
            {
              "name": "20040628 ISC DHCP overflows",
              "refsource": "BUGTRAQ",
              "url": "http://marc.info/?l=bugtraq\u0026m=108843959502356\u0026w=2"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2004-0460",
    "datePublished": "2004-06-24T04:00:00.000Z",
    "dateReserved": "2004-05-12T00:00:00.000Z",
    "dateUpdated": "2024-08-08T00:17:15.127Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2003-0039 (GCVE-0-2003-0039)

Vulnerability from nvd – Published: 2004-09-01 04:00 – Updated: 2024-08-08 01:43
Summary
ISC dhcrelay (dhcp-relay) 3.0rc9 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (packet storm) via a certain BOOTP packet that is forwarded to a broadcast MAC address, causing an infinite loop that is not restricted by a hop count.
Severity
No CVSS data available.
CWE
  • n/a
Assigner
References
http://distro.conectiva.com.br/atualizacoes/?id=a… vendor-advisory, x_refsource_CONECTIVA
http://www.kb.cert.org/vuls/id/149953 third-party-advisory, x_refsource_CERT-VN
http://www.debian.org/security/2003/dsa-245 vendor-advisory, x_refsource_DEBIAN
http://cc.turbolinux.com/security/TLSA-2003-26.txt vendor-advisory, x_refsource_TURBO
http://www.redhat.com/support/errata/RHSA-2003-034.html vendor-advisory, x_refsource_REDHAT
http://www.openpkg.org/security/OpenPKG-SA-2003.0… mailing-list, x_refsource_BUGTRAQ
https://exchange.xforce.ibmcloud.com/vulnerabilit… vdb-entry, x_refsource_XF
http://marc.info/?l=bugtraq&m=104310927813830&w=2 mailing-list, x_refsource_BUGTRAQ
http://www.securityfocus.com/bid/6628 vdb-entry, x_refsource_BID
Date Public
2003-01-15 00:00

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-08T01:43:35.382Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "CLSA-2003:616",
            "tags": [
              "vendor-advisory",
              "x_refsource_CONECTIVA",
              "x_transferred"
            ],
            "url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000616"
          },
          {
            "name": "VU#149953",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "http://www.kb.cert.org/vuls/id/149953"
          },
          {
            "name": "DSA-245",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2003/dsa-245"
          },
          {
            "name": "TLSA-2003-26",
            "tags": [
              "vendor-advisory",
              "x_refsource_TURBO",
              "x_transferred"
            ],
            "url": "http://cc.turbolinux.com/security/TLSA-2003-26.txt"
          },
          {
            "name": "RHSA-2003:034",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://www.redhat.com/support/errata/RHSA-2003-034.html"
          },
          {
            "name": "20030219 [OpenPKG-SA-2003.012] OpenPKG Security Advisory (dhcpd)",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.openpkg.org/security/OpenPKG-SA-2003.012-dhcpd.html"
          },
          {
            "name": "dhcp-dhcrelay-dos(11187)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/11187"
          },
          {
            "name": "20030115 DoS against DHCP infrastructure with isc dhcrelay",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://marc.info/?l=bugtraq\u0026m=104310927813830\u0026w=2"
          },
          {
            "name": "6628",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/6628"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2003-01-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "ISC dhcrelay (dhcp-relay) 3.0rc9 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (packet storm) via a certain BOOTP packet that is forwarded to a broadcast MAC address, causing an infinite loop that is not restricted by a hop count."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2008-02-07T00:00:00.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "CLSA-2003:616",
          "tags": [
            "vendor-advisory",
            "x_refsource_CONECTIVA"
          ],
          "url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000616"
        },
        {
          "name": "VU#149953",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "http://www.kb.cert.org/vuls/id/149953"
        },
        {
          "name": "DSA-245",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2003/dsa-245"
        },
        {
          "name": "TLSA-2003-26",
          "tags": [
            "vendor-advisory",
            "x_refsource_TURBO"
          ],
          "url": "http://cc.turbolinux.com/security/TLSA-2003-26.txt"
        },
        {
          "name": "RHSA-2003:034",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://www.redhat.com/support/errata/RHSA-2003-034.html"
        },
        {
          "name": "20030219 [OpenPKG-SA-2003.012] OpenPKG Security Advisory (dhcpd)",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.openpkg.org/security/OpenPKG-SA-2003.012-dhcpd.html"
        },
        {
          "name": "dhcp-dhcrelay-dos(11187)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/11187"
        },
        {
          "name": "20030115 DoS against DHCP infrastructure with isc dhcrelay",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://marc.info/?l=bugtraq\u0026m=104310927813830\u0026w=2"
        },
        {
          "name": "6628",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/6628"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2003-0039",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "ISC dhcrelay (dhcp-relay) 3.0rc9 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (packet storm) via a certain BOOTP packet that is forwarded to a broadcast MAC address, causing an infinite loop that is not restricted by a hop count."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "CLSA-2003:616",
              "refsource": "CONECTIVA",
              "url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000616"
            },
            {
              "name": "VU#149953",
              "refsource": "CERT-VN",
              "url": "http://www.kb.cert.org/vuls/id/149953"
            },
            {
              "name": "DSA-245",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2003/dsa-245"
            },
            {
              "name": "TLSA-2003-26",
              "refsource": "TURBO",
              "url": "http://cc.turbolinux.com/security/TLSA-2003-26.txt"
            },
            {
              "name": "RHSA-2003:034",
              "refsource": "REDHAT",
              "url": "http://www.redhat.com/support/errata/RHSA-2003-034.html"
            },
            {
              "name": "20030219 [OpenPKG-SA-2003.012] OpenPKG Security Advisory (dhcpd)",
              "refsource": "BUGTRAQ",
              "url": "http://www.openpkg.org/security/OpenPKG-SA-2003.012-dhcpd.html"
            },
            {
              "name": "dhcp-dhcrelay-dos(11187)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/11187"
            },
            {
              "name": "20030115 DoS against DHCP infrastructure with isc dhcrelay",
              "refsource": "BUGTRAQ",
              "url": "http://marc.info/?l=bugtraq\u0026m=104310927813830\u0026w=2"
            },
            {
              "name": "6628",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/6628"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2003-0039",
    "datePublished": "2004-09-01T04:00:00.000Z",
    "dateReserved": "2003-01-27T00:00:00.000Z",
    "dateUpdated": "2024-08-08T01:43:35.382Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2003-0026 (GCVE-0-2003-0026)

Vulnerability from nvd – Published: 2003-01-16 05:00 – Updated: 2024-08-08 01:36
Summary
Multiple stack-based buffer overflows in the error handling routines of the minires library, as used in the NSUPDATE capability for ISC DHCPD 3.0 through 3.0.1RC10, allow remote attackers to execute arbitrary code via a DHCP message containing a long hostname.
Severity
No CVSS data available.
CWE
  • n/a
Assigner
References
http://www.redhat.com/support/errata/RHSA-2003-011.html vendor-advisory, x_refsource_REDHAT
http://www.openpkg.com/security/advisories/OpenPK… vendor-advisory, x_refsource_OPENPKG
http://www.securitytracker.com/id?1005924 vdb-entry, x_refsource_SECTRACK
http://www.debian.org/security/2003/dsa-231 vendor-advisory, x_refsource_DEBIAN
http://www.securityfocus.com/bid/6627 vdb-entry, x_refsource_BID
https://exchange.xforce.ibmcloud.com/vulnerabilit… vdb-entry, x_refsource_XF
http://www.mandriva.com/security/advisories?name=… vendor-advisory, x_refsource_MANDRAKE
http://www.kb.cert.org/vuls/id/284857 third-party-advisory, x_refsource_CERT-VN
http://www.cert.org/advisories/CA-2003-01.html third-party-advisory, x_refsource_CERT
http://www.ciac.org/ciac/bulletins/n-031.shtml third-party-advisory, government-resource, x_refsource_CIAC
http://www.suse.com/de/security/2003_006_dhcp.html vendor-advisory, x_refsource_SUSE
http://archives.neohapsis.com/archives/bugtraq/20… mailing-list, x_refsource_BUGTRAQ
http://www.suse.com/de/security/2003_006_dhcp.html vendor-advisory, x_refsource_SUSE
http://distro.conectiva.com.br/atualizacoes/?id=a… vendor-advisory, x_refsource_CONECTIVA
Date Public
2003-01-15 00:00

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-08T01:36:25.306Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2003:011",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://www.redhat.com/support/errata/RHSA-2003-011.html"
          },
          {
            "name": "OpenPKG-SA-2003.002",
            "tags": [
              "vendor-advisory",
              "x_refsource_OPENPKG",
              "x_transferred"
            ],
            "url": "http://www.openpkg.com/security/advisories/OpenPKG-SA-2003.002.html"
          },
          {
            "name": "1005924",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id?1005924"
          },
          {
            "name": "DSA-231",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2003/dsa-231"
          },
          {
            "name": "6627",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/6627"
          },
          {
            "name": "dhcpd-minires-multiple-bo(11073)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/11073"
          },
          {
            "name": "MDKSA-2003:007",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRAKE",
              "x_transferred"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2003:007"
          },
          {
            "name": "VU#284857",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "http://www.kb.cert.org/vuls/id/284857"
          },
          {
            "name": "CA-2003-01",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT",
              "x_transferred"
            ],
            "url": "http://www.cert.org/advisories/CA-2003-01.html"
          },
          {
            "name": "N-031",
            "tags": [
              "third-party-advisory",
              "government-resource",
              "x_refsource_CIAC",
              "x_transferred"
            ],
            "url": "http://www.ciac.org/ciac/bulletins/n-031.shtml"
          },
          {
            "name": "SuSE-SA:2003:006",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://www.suse.com/de/security/2003_006_dhcp.html"
          },
          {
            "name": "20030122 [securityslackware.com: [slackware-security] New DHCP packages available]",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://archives.neohapsis.com/archives/bugtraq/2003-01/0250.html"
          },
          {
            "name": "SuSE-SA:2003:0006",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://www.suse.com/de/security/2003_006_dhcp.html"
          },
          {
            "name": "CLA-2003:562",
            "tags": [
              "vendor-advisory",
              "x_refsource_CONECTIVA",
              "x_transferred"
            ],
            "url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000562"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2003-01-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple stack-based buffer overflows in the error handling routines of the minires library, as used in the NSUPDATE capability for ISC DHCPD 3.0 through 3.0.1RC10, allow remote attackers to execute arbitrary code via a DHCP message containing a long hostname."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-07-10T14:57:01.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "RHSA-2003:011",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://www.redhat.com/support/errata/RHSA-2003-011.html"
        },
        {
          "name": "OpenPKG-SA-2003.002",
          "tags": [
            "vendor-advisory",
            "x_refsource_OPENPKG"
          ],
          "url": "http://www.openpkg.com/security/advisories/OpenPKG-SA-2003.002.html"
        },
        {
          "name": "1005924",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id?1005924"
        },
        {
          "name": "DSA-231",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2003/dsa-231"
        },
        {
          "name": "6627",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/6627"
        },
        {
          "name": "dhcpd-minires-multiple-bo(11073)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/11073"
        },
        {
          "name": "MDKSA-2003:007",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRAKE"
          ],
          "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2003:007"
        },
        {
          "name": "VU#284857",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "http://www.kb.cert.org/vuls/id/284857"
        },
        {
          "name": "CA-2003-01",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT"
          ],
          "url": "http://www.cert.org/advisories/CA-2003-01.html"
        },
        {
          "name": "N-031",
          "tags": [
            "third-party-advisory",
            "government-resource",
            "x_refsource_CIAC"
          ],
          "url": "http://www.ciac.org/ciac/bulletins/n-031.shtml"
        },
        {
          "name": "SuSE-SA:2003:006",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://www.suse.com/de/security/2003_006_dhcp.html"
        },
        {
          "name": "20030122 [securityslackware.com: [slackware-security] New DHCP packages available]",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://archives.neohapsis.com/archives/bugtraq/2003-01/0250.html"
        },
        {
          "name": "SuSE-SA:2003:0006",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://www.suse.com/de/security/2003_006_dhcp.html"
        },
        {
          "name": "CLA-2003:562",
          "tags": [
            "vendor-advisory",
            "x_refsource_CONECTIVA"
          ],
          "url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000562"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2003-0026",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple stack-based buffer overflows in the error handling routines of the minires library, as used in the NSUPDATE capability for ISC DHCPD 3.0 through 3.0.1RC10, allow remote attackers to execute arbitrary code via a DHCP message containing a long hostname."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2003:011",
              "refsource": "REDHAT",
              "url": "http://www.redhat.com/support/errata/RHSA-2003-011.html"
            },
            {
              "name": "OpenPKG-SA-2003.002",
              "refsource": "OPENPKG",
              "url": "http://www.openpkg.com/security/advisories/OpenPKG-SA-2003.002.html"
            },
            {
              "name": "1005924",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id?1005924"
            },
            {
              "name": "DSA-231",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2003/dsa-231"
            },
            {
              "name": "6627",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/6627"
            },
            {
              "name": "dhcpd-minires-multiple-bo(11073)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/11073"
            },
            {
              "name": "MDKSA-2003:007",
              "refsource": "MANDRAKE",
              "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2003:007"
            },
            {
              "name": "VU#284857",
              "refsource": "CERT-VN",
              "url": "http://www.kb.cert.org/vuls/id/284857"
            },
            {
              "name": "CA-2003-01",
              "refsource": "CERT",
              "url": "http://www.cert.org/advisories/CA-2003-01.html"
            },
            {
              "name": "N-031",
              "refsource": "CIAC",
              "url": "http://www.ciac.org/ciac/bulletins/n-031.shtml"
            },
            {
              "name": "SuSE-SA:2003:006",
              "refsource": "SUSE",
              "url": "http://www.suse.com/de/security/2003_006_dhcp.html"
            },
            {
              "name": "20030122 [securityslackware.com: [slackware-security] New DHCP packages available]",
              "refsource": "BUGTRAQ",
              "url": "http://archives.neohapsis.com/archives/bugtraq/2003-01/0250.html"
            },
            {
              "name": "SuSE-SA:2003:0006",
              "refsource": "SUSE",
              "url": "http://www.suse.com/de/security/2003_006_dhcp.html"
            },
            {
              "name": "CLA-2003:562",
              "refsource": "CONECTIVA",
              "url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000562"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2003-0026",
    "datePublished": "2003-01-16T05:00:00.000Z",
    "dateReserved": "2003-01-10T00:00:00.000Z",
    "dateUpdated": "2024-08-08T01:36:25.306Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2002-0702 (GCVE-0-2002-0702)

Vulnerability from nvd – Published: 2002-07-23 04:00 – Updated: 2024-08-08 02:56
Summary
Format string vulnerabilities in the logging routines for dynamic DNS code (print.c) of ISC DHCP daemon (DHCPD) 3 to 3.0.1rc8, with the NSUPDATE option enabled, allow remote malicious DNS servers to execute arbitrary code via format strings in a DNS server response.
Severity
No CVSS data available.
CWE
  • n/a
Assigner
References
http://www.securityfocus.com/bid/4701 vdb-entry, x_refsource_BID
http://www.kb.cert.org/vuls/id/854315 third-party-advisory, x_refsource_CERT-VN
http://www.novell.com/linux/security/advisories/2… vendor-advisory, x_refsource_SUSE
http://www.cert.org/advisories/CA-2002-12.html third-party-advisory, x_refsource_CERT
http://marc.info/?l=bugtraq&m=102089498828206&w=2 mailing-list, x_refsource_BUGTRAQ
http://distro.conectiva.com.br/atualizacoes/?id=a… vendor-advisory, x_refsource_CONECTIVA
http://www.linux-mandrake.com/en/security/2002/MD… vendor-advisory, x_refsource_MANDRAKE
http://archives.neohapsis.com/archives/vulnwatch/… mailing-list, x_refsource_VULNWATCH
http://www.iss.net/security_center/static/9039.php vdb-entry, x_refsource_XF
ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA… vendor-advisory, x_refsource_CALDERA
Date Public
2002-05-08 00:00

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-08T02:56:38.893Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "4701",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/4701"
          },
          {
            "name": "VU#854315",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "http://www.kb.cert.org/vuls/id/854315"
          },
          {
            "name": "SuSE-SA:2002:019",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://www.novell.com/linux/security/advisories/2002_19_dhcp.html"
          },
          {
            "name": "CA-2002-12",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT",
              "x_transferred"
            ],
            "url": "http://www.cert.org/advisories/CA-2002-12.html"
          },
          {
            "name": "20020508 [NGSEC-2002-2] ISC DHCPDv3, remote root compromise",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://marc.info/?l=bugtraq\u0026m=102089498828206\u0026w=2"
          },
          {
            "name": "CLA-2002:483",
            "tags": [
              "vendor-advisory",
              "x_refsource_CONECTIVA",
              "x_transferred"
            ],
            "url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000483"
          },
          {
            "name": "MDKSA-2002:037",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRAKE",
              "x_transferred"
            ],
            "url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-037.php"
          },
          {
            "name": "20020508 [VulnWatch] [NGSEC-2002-2] ISC DHCPDv3, remote root compromise",
            "tags": [
              "mailing-list",
              "x_refsource_VULNWATCH",
              "x_transferred"
            ],
            "url": "http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0063.html"
          },
          {
            "name": "dhcpd-nsupdate-format-string(9039)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "http://www.iss.net/security_center/static/9039.php"
          },
          {
            "name": "CSSA-2002-028.0",
            "tags": [
              "vendor-advisory",
              "x_refsource_CALDERA",
              "x_transferred"
            ],
            "url": "ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-028.0.txt"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2002-05-08T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Format string vulnerabilities in the logging routines for dynamic DNS code (print.c) of ISC DHCP daemon (DHCPD) 3 to 3.0.1rc8, with the NSUPDATE option enabled, allow remote malicious DNS servers to execute arbitrary code via format strings in a DNS server response."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-10-17T13:57:01.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "4701",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/4701"
        },
        {
          "name": "VU#854315",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "http://www.kb.cert.org/vuls/id/854315"
        },
        {
          "name": "SuSE-SA:2002:019",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://www.novell.com/linux/security/advisories/2002_19_dhcp.html"
        },
        {
          "name": "CA-2002-12",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT"
          ],
          "url": "http://www.cert.org/advisories/CA-2002-12.html"
        },
        {
          "name": "20020508 [NGSEC-2002-2] ISC DHCPDv3, remote root compromise",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://marc.info/?l=bugtraq\u0026m=102089498828206\u0026w=2"
        },
        {
          "name": "CLA-2002:483",
          "tags": [
            "vendor-advisory",
            "x_refsource_CONECTIVA"
          ],
          "url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000483"
        },
        {
          "name": "MDKSA-2002:037",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRAKE"
          ],
          "url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-037.php"
        },
        {
          "name": "20020508 [VulnWatch] [NGSEC-2002-2] ISC DHCPDv3, remote root compromise",
          "tags": [
            "mailing-list",
            "x_refsource_VULNWATCH"
          ],
          "url": "http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0063.html"
        },
        {
          "name": "dhcpd-nsupdate-format-string(9039)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "http://www.iss.net/security_center/static/9039.php"
        },
        {
          "name": "CSSA-2002-028.0",
          "tags": [
            "vendor-advisory",
            "x_refsource_CALDERA"
          ],
          "url": "ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-028.0.txt"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2002-0702",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Format string vulnerabilities in the logging routines for dynamic DNS code (print.c) of ISC DHCP daemon (DHCPD) 3 to 3.0.1rc8, with the NSUPDATE option enabled, allow remote malicious DNS servers to execute arbitrary code via format strings in a DNS server response."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "4701",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/4701"
            },
            {
              "name": "VU#854315",
              "refsource": "CERT-VN",
              "url": "http://www.kb.cert.org/vuls/id/854315"
            },
            {
              "name": "SuSE-SA:2002:019",
              "refsource": "SUSE",
              "url": "http://www.novell.com/linux/security/advisories/2002_19_dhcp.html"
            },
            {
              "name": "CA-2002-12",
              "refsource": "CERT",
              "url": "http://www.cert.org/advisories/CA-2002-12.html"
            },
            {
              "name": "20020508 [NGSEC-2002-2] ISC DHCPDv3, remote root compromise",
              "refsource": "BUGTRAQ",
              "url": "http://marc.info/?l=bugtraq\u0026m=102089498828206\u0026w=2"
            },
            {
              "name": "CLA-2002:483",
              "refsource": "CONECTIVA",
              "url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000483"
            },
            {
              "name": "MDKSA-2002:037",
              "refsource": "MANDRAKE",
              "url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-037.php"
            },
            {
              "name": "20020508 [VulnWatch] [NGSEC-2002-2] ISC DHCPDv3, remote root compromise",
              "refsource": "VULNWATCH",
              "url": "http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0063.html"
            },
            {
              "name": "dhcpd-nsupdate-format-string(9039)",
              "refsource": "XF",
              "url": "http://www.iss.net/security_center/static/9039.php"
            },
            {
              "name": "CSSA-2002-028.0",
              "refsource": "CALDERA",
              "url": "ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-028.0.txt"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2002-0702",
    "datePublished": "2002-07-23T04:00:00.000Z",
    "dateReserved": "2002-07-16T00:00:00.000Z",
    "dateUpdated": "2024-08-08T02:56:38.893Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-6470 (GCVE-0-2019-6470)

Vulnerability from cvelistv5 – Published: 2019-11-01 22:15 – Updated: 2024-09-17 01:25
Title
dhcpd: use-after-free error leads crash in IPv6 mode when using mismatched BIND libraries
Summary
There had existed in one of the ISC BIND libraries a bug in a function that was used by dhcpd when operating in DHCPv6 mode. There was also a bug in dhcpd relating to the use of this function per its documentation, but the bug in the library function prevented this from causing any harm. All releases of dhcpd from ISC contain copies of this, and other, BIND libraries in combinations that have been tested prior to release and are known to not present issues like this. Some third-party packagers of ISC software have modified the dhcpd source, BIND source, or version matchup in ways that create the crash potential. Based on reports available to ISC, the crash probability is large and no analysis has been done on how, or even if, the probability can be manipulated by an attacker. Affects: Builds of dhcpd versions prior to version 4.4.1 when using BIND versions 9.11.2 or later, or BIND versions with specific bug fixes backported to them. ISC does not have access to comprehensive version lists for all repackagings of dhcpd that are vulnerable. In particular, builds from other vendors may also be affected. Operators are advised to consult their vendor documentation.
CWE
  • A use-after-free error in DHCPv6 processing when interfacing with newer BIND libraries leads to frequent crashes
Assigner
isc
Impacted products
Vendor: Multiple, non-ISC
Product: dhcpd
Version: Affected: builds not wholly from ISC source < 4.4.1
Date Public
2019-05-11 00:00

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T20:23:21.296Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2060"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://lists.opensuse.org/opensuse-security-announce/2019-10/msg00049.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://lists.opensuse.org/opensuse-security-announce/2019-10/msg00048.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896122"
          },
          {
            "name": "RHSA-2019:3525",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3525"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "dhcpd",
          "vendor": "Multiple, non-ISC",
          "versions": [
            {
              "status": "affected",
              "version": "builds not wholly from ISC source \u003c 4.4.1"
            }
          ]
        }
      ],
      "datePublic": "2019-05-11T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "There had existed in one of the ISC BIND libraries a bug in a function that was used by dhcpd when operating in DHCPv6 mode. There was also a bug in dhcpd relating to the use of this function per its documentation, but the bug in the library function prevented this from causing any harm. All releases of dhcpd from ISC contain copies of this, and other, BIND libraries in combinations that have been tested prior to release and are known to not present issues like this. Some third-party packagers of ISC software have modified the dhcpd source, BIND source, or version matchup in ways that create the crash potential. Based on reports available to ISC, the crash probability is large and no analysis has been done on how, or even if, the probability can be manipulated by an attacker. Affects: Builds of dhcpd versions prior to version 4.4.1 when using BIND versions 9.11.2 or later, or BIND versions with specific bug fixes backported to them. ISC does not have access to comprehensive version lists for all repackagings of dhcpd that are vulnerable. In particular, builds from other vendors may also be affected. Operators are advised to consult their vendor documentation."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "A use-after-free error in DHCPv6 processing when interfacing with newer BIND libraries leads to frequent crashes",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-11-06T00:08:09.000Z",
        "orgId": "404fd4d2-a609-4245-b543-2c944a302a22",
        "shortName": "isc"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2060"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://lists.opensuse.org/opensuse-security-announce/2019-10/msg00049.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://lists.opensuse.org/opensuse-security-announce/2019-10/msg00048.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896122"
        },
        {
          "name": "RHSA-2019:3525",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3525"
        }
      ],
      "source": {
        "discovery": "USER"
      },
      "title": "dhcpd: use-after-free error leads crash in IPv6 mode when using mismatched BIND libraries",
      "x_generator": {
        "engine": "Vulnogram 0.0.8"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-officer@isc.org",
          "DATE_PUBLIC": "2019-05-11T12:00:00.000Z",
          "ID": "CVE-2019-6470",
          "STATE": "PUBLIC",
          "TITLE": "dhcpd: use-after-free error leads crash in IPv6 mode when using mismatched BIND libraries"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "dhcpd",
                      "version": {
                        "version_data": [
                          {
                            "version_name": "builds not wholly from ISC source",
                            "version_value": "\u003c 4.4.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Multiple, non-ISC"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "There had existed in one of the ISC BIND libraries a bug in a function that was used by dhcpd when operating in DHCPv6 mode. There was also a bug in dhcpd relating to the use of this function per its documentation, but the bug in the library function prevented this from causing any harm. All releases of dhcpd from ISC contain copies of this, and other, BIND libraries in combinations that have been tested prior to release and are known to not present issues like this. Some third-party packagers of ISC software have modified the dhcpd source, BIND source, or version matchup in ways that create the crash potential. Based on reports available to ISC, the crash probability is large and no analysis has been done on how, or even if, the probability can be manipulated by an attacker. Affects: Builds of dhcpd versions prior to version 4.4.1 when using BIND versions 9.11.2 or later, or BIND versions with specific bug fixes backported to them. ISC does not have access to comprehensive version lists for all repackagings of dhcpd that are vulnerable. In particular, builds from other vendors may also be affected. Operators are advised to consult their vendor documentation."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.8"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "A use-after-free error in DHCPv6 processing when interfacing with newer BIND libraries leads to frequent crashes"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://access.redhat.com/errata/RHSA-2019:2060",
              "refsource": "CONFIRM",
              "url": "https://access.redhat.com/errata/RHSA-2019:2060"
            },
            {
              "name": "https://lists.opensuse.org/opensuse-security-announce/2019-10/msg00049.html",
              "refsource": "CONFIRM",
              "url": "https://lists.opensuse.org/opensuse-security-announce/2019-10/msg00049.html"
            },
            {
              "name": "https://lists.opensuse.org/opensuse-security-announce/2019-10/msg00048.html",
              "refsource": "CONFIRM",
              "url": "https://lists.opensuse.org/opensuse-security-announce/2019-10/msg00048.html"
            },
            {
              "name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896122",
              "refsource": "CONFIRM",
              "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896122"
            },
            {
              "name": "RHSA-2019:3525",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3525"
            }
          ]
        },
        "source": {
          "discovery": "USER"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22",
    "assignerShortName": "isc",
    "cveId": "CVE-2019-6470",
    "datePublished": "2019-11-01T22:15:33.599Z",
    "dateReserved": "2019-01-16T00:00:00.000Z",
    "dateUpdated": "2024-09-17T01:25:37.218Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2006-3122 (GCVE-0-2006-3122)

Vulnerability from cvelistv5 – Published: 2006-08-09 22:00 – Updated: 2024-08-07 18:16
Summary
The supersede_lease function in memory.c in ISC DHCP (dhcpd) server 2.0pl5 allows remote attackers to cause a denial of service (application crash) via a DHCPDISCOVER packet with a 32 byte client-identifier, which causes the packet to be interpreted as a corrupt uid and causes the server to exit with "corrupt lease uid."
Severity
No CVSS data available.
CWE
  • n/a
Assigner
References
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=380273 (x_refsource_MISC)
http://www.debian.org/security/2006/dsa-1143 (vendor-advisory, x_refsource_DEBIAN)
http://www.vupen.com/english/advisories/2006/3158 (vdb-entry, x_refsource_VUPEN)
http://secunia.com/advisories/21655 (third-party-advisory, x_refsource_SECUNIA)
http://secunia.com/advisories/21363 (third-party-advisory, x_refsource_SECUNIA)
http://www.openbsd.org/errata.html#dhcpd (vendor-advisory, x_refsource_OPENBSD)
http://www.securityfocus.com/bid/19348 (vdb-entry, x_refsource_BID)
http://secunia.com/advisories/21345 (third-party-advisory, x_refsource_SECUNIA)
http://securitytracker.com/id?1016755 (vdb-entry, x_refsource_SECTRACK)
Date Public
2006-07-28 00:00

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T18:16:05.842Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=380273"
          },
          {
            "name": "DSA-1143",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2006/dsa-1143"
          },
          {
            "name": "ADV-2006-3158",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2006/3158"
          },
          {
            "name": "21655",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/21655"
          },
          {
            "name": "21363",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/21363"
          },
          {
            "name": "[3.9] 20060825 006: SECURITY FIX: August 25, 2006",
            "tags": [
              "vendor-advisory",
              "x_refsource_OPENBSD",
              "x_transferred"
            ],
            "url": "http://www.openbsd.org/errata.html#dhcpd"
          },
          {
            "name": "19348",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/19348"
          },
          {
            "name": "21345",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/21345"
          },
          {
            "name": "1016755",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://securitytracker.com/id?1016755"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2006-07-28T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The supersede_lease function in memory.c in ISC DHCP (dhcpd) server 2.0pl5 allows remote attackers to cause a denial of service (application crash) via a DHCPDISCOVER packet with a 32 byte client-identifier, which causes the packet to be interpreted as a corrupt uid and causes the server to exit with \"corrupt lease uid.\""
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2006-08-18T09:00:00.000Z",
        "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
        "shortName": "debian"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=380273"
        },
        {
          "name": "DSA-1143",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2006/dsa-1143"
        },
        {
          "name": "ADV-2006-3158",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2006/3158"
        },
        {
          "name": "21655",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/21655"
        },
        {
          "name": "21363",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/21363"
        },
        {
          "name": "[3.9] 20060825 006: SECURITY FIX: August 25, 2006",
          "tags": [
            "vendor-advisory",
            "x_refsource_OPENBSD"
          ],
          "url": "http://www.openbsd.org/errata.html#dhcpd"
        },
        {
          "name": "19348",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/19348"
        },
        {
          "name": "21345",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/21345"
        },
        {
          "name": "1016755",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://securitytracker.com/id?1016755"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@debian.org",
          "ID": "CVE-2006-3122",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The supersede_lease function in memory.c in ISC DHCP (dhcpd) server 2.0pl5 allows remote attackers to cause a denial of service (application crash) via a DHCPDISCOVER packet with a 32 byte client-identifier, which causes the packet to be interpreted as a corrupt uid and causes the server to exit with \"corrupt lease uid.\""
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=380273",
              "refsource": "MISC",
              "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=380273"
            },
            {
              "name": "DSA-1143",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2006/dsa-1143"
            },
            {
              "name": "ADV-2006-3158",
              "refsource": "VUPEN",
              "url": "http://www.vupen.com/english/advisories/2006/3158"
            },
            {
              "name": "21655",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/21655"
            },
            {
              "name": "21363",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/21363"
            },
            {
              "name": "[3.9] 20060825 006: SECURITY FIX: August 25, 2006",
              "refsource": "OPENBSD",
              "url": "http://www.openbsd.org/errata.html#dhcpd"
            },
            {
              "name": "19348",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/19348"
            },
            {
              "name": "21345",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/21345"
            },
            {
              "name": "1016755",
              "refsource": "SECTRACK",
              "url": "http://securitytracker.com/id?1016755"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
    "assignerShortName": "debian",
    "cveId": "CVE-2006-3122",
    "datePublished": "2006-08-09T22:00:00.000Z",
    "dateReserved": "2006-06-21T00:00:00.000Z",
    "dateUpdated": "2024-08-07T18:16:05.842Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2004-1006 (GCVE-0-2004-1006)

Vulnerability from cvelistv5 – Published: 2004-11-19 05:00 – Updated: 2024-08-08 00:39
Summary
Format string vulnerability in the log functions in dhcpd for dhcp 2.x allows remote DNS servers to execute arbitrary code via certain DNS messages, a different vulnerability than CVE-2002-0702.
Severity
No CVSS data available.
CWE
  • n/a
Assigner
References
http://marc.info/?l=bugtraq&m=109968710822449&w=2 (mailing-list, x_refsource_BUGTRAQ)
http://www.kb.cert.org/vuls/id/448384 (third-party-advisory, x_refsource_CERT-VN)
http://www.securityfocus.com/bid/11591 (vdb-entry, x_refsource_BID)
http://archives.neohapsis.com/archives/bugtraq/20… (mailing-list, x_refsource_BUGTRAQ)
http://www.debian.org/security/2004/dsa-584 (vendor-advisory, x_refsource_DEBIAN)
https://exchange.xforce.ibmcloud.com/vulnerabilit… (vdb-entry, x_refsource_XF)
http://archives.neohapsis.com/archives/bugtraq/20… (mailing-list, x_refsource_BUGTRAQ)
http://www.redhat.com/support/errata/RHSA-2005-212.html (vendor-advisory, x_refsource_REDHAT)
Date Public
2004-10-25 00:00

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-08T00:39:00.517Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20041105 Re: debian dhcpd, old format string bug",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://marc.info/?l=bugtraq\u0026m=109968710822449\u0026w=2"
          },
          {
            "name": "VU#448384",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "http://www.kb.cert.org/vuls/id/448384"
          },
          {
            "name": "11591",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/11591"
          },
          {
            "name": "20041025 debian dhcpd, old format string bug",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://archives.neohapsis.com/archives/bugtraq/2004-10/0287.html"
          },
          {
            "name": "DSA-584",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2004/dsa-584"
          },
          {
            "name": "dhcp-log-format-string(17963)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/17963"
          },
          {
            "name": "20041102 Re: debian dhcpd, old format string bug",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://archives.neohapsis.com/archives/bugtraq/2004-11/0037.html"
          },
          {
            "name": "RHSA-2005:212",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://www.redhat.com/support/errata/RHSA-2005-212.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2004-10-25T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Format string vulnerability in the log functions in dhcpd for dhcp 2.x allows remote DNS servers to execute arbitrary code via certain DNS messages, a different vulnerability than CVE-2002-0702."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-07-10T14:57:01.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "20041105 Re: debian dhcpd, old format string bug",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://marc.info/?l=bugtraq\u0026m=109968710822449\u0026w=2"
        },
        {
          "name": "VU#448384",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "http://www.kb.cert.org/vuls/id/448384"
        },
        {
          "name": "11591",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/11591"
        },
        {
          "name": "20041025 debian dhcpd, old format string bug",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://archives.neohapsis.com/archives/bugtraq/2004-10/0287.html"
        },
        {
          "name": "DSA-584",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2004/dsa-584"
        },
        {
          "name": "dhcp-log-format-string(17963)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/17963"
        },
        {
          "name": "20041102 Re: debian dhcpd, old format string bug",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://archives.neohapsis.com/archives/bugtraq/2004-11/0037.html"
        },
        {
          "name": "RHSA-2005:212",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://www.redhat.com/support/errata/RHSA-2005-212.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2004-1006",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Format string vulnerability in the log functions in dhcpd for dhcp 2.x allows remote DNS servers to execute arbitrary code via certain DNS messages, a different vulnerability than CVE-2002-0702."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20041105 Re: debian dhcpd, old format string bug",
              "refsource": "BUGTRAQ",
              "url": "http://marc.info/?l=bugtraq\u0026m=109968710822449\u0026w=2"
            },
            {
              "name": "VU#448384",
              "refsource": "CERT-VN",
              "url": "http://www.kb.cert.org/vuls/id/448384"
            },
            {
              "name": "11591",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/11591"
            },
            {
              "name": "20041025 debian dhcpd, old format string bug",
              "refsource": "BUGTRAQ",
              "url": "http://archives.neohapsis.com/archives/bugtraq/2004-10/0287.html"
            },
            {
              "name": "DSA-584",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2004/dsa-584"
            },
            {
              "name": "dhcp-log-format-string(17963)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/17963"
            },
            {
              "name": "20041102 Re: debian dhcpd, old format string bug",
              "refsource": "BUGTRAQ",
              "url": "http://archives.neohapsis.com/archives/bugtraq/2004-11/0037.html"
            },
            {
              "name": "RHSA-2005:212",
              "refsource": "REDHAT",
              "url": "http://www.redhat.com/support/errata/RHSA-2005-212.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2004-1006",
    "datePublished": "2004-11-19T05:00:00.000Z",
    "dateReserved": "2004-11-02T00:00:00.000Z",
    "dateUpdated": "2024-08-08T00:39:00.517Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2003-0039 (GCVE-0-2003-0039)

Vulnerability from cvelistv5 – Published: 2004-09-01 04:00 – Updated: 2024-08-08 01:43
Summary
ISC dhcrelay (dhcp-relay) 3.0rc9 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (packet storm) via a certain BOOTP packet that is forwarded to a broadcast MAC address, causing an infinite loop that is not restricted by a hop count.
Severity
No CVSS data available.
CWE
  • n/a
Assigner
References
http://distro.conectiva.com.br/atualizacoes/?id=a… (vendor-advisory, x_refsource_CONECTIVA)
http://www.kb.cert.org/vuls/id/149953 (third-party-advisory, x_refsource_CERT-VN)
http://www.debian.org/security/2003/dsa-245 (vendor-advisory, x_refsource_DEBIAN)
http://cc.turbolinux.com/security/TLSA-2003-26.txt (vendor-advisory, x_refsource_TURBO)
http://www.redhat.com/support/errata/RHSA-2003-034.html (vendor-advisory, x_refsource_REDHAT)
http://www.openpkg.org/security/OpenPKG-SA-2003.0… (mailing-list, x_refsource_BUGTRAQ)
https://exchange.xforce.ibmcloud.com/vulnerabilit… (vdb-entry, x_refsource_XF)
http://marc.info/?l=bugtraq&m=104310927813830&w=2 (mailing-list, x_refsource_BUGTRAQ)
http://www.securityfocus.com/bid/6628 (vdb-entry, x_refsource_BID)
Date Public
2003-01-15 00:00

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-08T01:43:35.382Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "CLSA-2003:616",
            "tags": [
              "vendor-advisory",
              "x_refsource_CONECTIVA",
              "x_transferred"
            ],
            "url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000616"
          },
          {
            "name": "VU#149953",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "http://www.kb.cert.org/vuls/id/149953"
          },
          {
            "name": "DSA-245",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2003/dsa-245"
          },
          {
            "name": "TLSA-2003-26",
            "tags": [
              "vendor-advisory",
              "x_refsource_TURBO",
              "x_transferred"
            ],
            "url": "http://cc.turbolinux.com/security/TLSA-2003-26.txt"
          },
          {
            "name": "RHSA-2003:034",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://www.redhat.com/support/errata/RHSA-2003-034.html"
          },
          {
            "name": "20030219 [OpenPKG-SA-2003.012] OpenPKG Security Advisory (dhcpd)",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.openpkg.org/security/OpenPKG-SA-2003.012-dhcpd.html"
          },
          {
            "name": "dhcp-dhcrelay-dos(11187)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/11187"
          },
          {
            "name": "20030115 DoS against DHCP infrastructure with isc dhcrelay",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://marc.info/?l=bugtraq\u0026m=104310927813830\u0026w=2"
          },
          {
            "name": "6628",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/6628"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2003-01-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "ISC dhcrelay (dhcp-relay) 3.0rc9 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (packet storm) via a certain BOOTP packet that is forwarded to a broadcast MAC address, causing an infinite loop that is not restricted by a hop count."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2008-02-07T00:00:00.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "CLSA-2003:616",
          "tags": [
            "vendor-advisory",
            "x_refsource_CONECTIVA"
          ],
          "url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000616"
        },
        {
          "name": "VU#149953",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "http://www.kb.cert.org/vuls/id/149953"
        },
        {
          "name": "DSA-245",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2003/dsa-245"
        },
        {
          "name": "TLSA-2003-26",
          "tags": [
            "vendor-advisory",
            "x_refsource_TURBO"
          ],
          "url": "http://cc.turbolinux.com/security/TLSA-2003-26.txt"
        },
        {
          "name": "RHSA-2003:034",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://www.redhat.com/support/errata/RHSA-2003-034.html"
        },
        {
          "name": "20030219 [OpenPKG-SA-2003.012] OpenPKG Security Advisory (dhcpd)",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.openpkg.org/security/OpenPKG-SA-2003.012-dhcpd.html"
        },
        {
          "name": "dhcp-dhcrelay-dos(11187)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/11187"
        },
        {
          "name": "20030115 DoS against DHCP infrastructure with isc dhcrelay",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://marc.info/?l=bugtraq\u0026m=104310927813830\u0026w=2"
        },
        {
          "name": "6628",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/6628"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2003-0039",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "ISC dhcrelay (dhcp-relay) 3.0rc9 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (packet storm) via a certain BOOTP packet that is forwarded to a broadcast MAC address, causing an infinite loop that is not restricted by a hop count."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "CLSA-2003:616",
              "refsource": "CONECTIVA",
              "url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000616"
            },
            {
              "name": "VU#149953",
              "refsource": "CERT-VN",
              "url": "http://www.kb.cert.org/vuls/id/149953"
            },
            {
              "name": "DSA-245",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2003/dsa-245"
            },
            {
              "name": "TLSA-2003-26",
              "refsource": "TURBO",
              "url": "http://cc.turbolinux.com/security/TLSA-2003-26.txt"
            },
            {
              "name": "RHSA-2003:034",
              "refsource": "REDHAT",
              "url": "http://www.redhat.com/support/errata/RHSA-2003-034.html"
            },
            {
              "name": "20030219 [OpenPKG-SA-2003.012] OpenPKG Security Advisory (dhcpd)",
              "refsource": "BUGTRAQ",
              "url": "http://www.openpkg.org/security/OpenPKG-SA-2003.012-dhcpd.html"
            },
            {
              "name": "dhcp-dhcrelay-dos(11187)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/11187"
            },
            {
              "name": "20030115 DoS against DHCP infrastructure with isc dhcrelay",
              "refsource": "BUGTRAQ",
              "url": "http://marc.info/?l=bugtraq\u0026m=104310927813830\u0026w=2"
            },
            {
              "name": "6628",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/6628"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2003-0039",
    "datePublished": "2004-09-01T04:00:00.000Z",
    "dateReserved": "2003-01-27T00:00:00.000Z",
    "dateUpdated": "2024-08-08T01:43:35.382Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2004-0461 (GCVE-0-2004-0461)

Vulnerability from cvelistv5 – Published: 2004-06-24 04:00 – Updated: 2024-08-08 00:17
Summary
The DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13, when compiled in environments that do not provide the vsnprintf function, uses C include files that define vsnprintf to use the less safe vsprintf function, which can lead to buffer overflow vulnerabilities that enable a denial of service (server crash) and possibly execute arbitrary code.
Severity
No CVSS data available.
CWE
  • n/a
Assigner
References
http://www.kb.cert.org/vuls/id/654390 (third-party-advisory, x_refsource_CERT-VN)
https://exchange.xforce.ibmcloud.com/vulnerabilit… (vdb-entry, x_refsource_XF)
http://www.mandriva.com/security/advisories?name=… (vendor-advisory, x_refsource_MANDRAKE)
http://secunia.com/advisories/23265 (third-party-advisory, x_refsource_SECUNIA)
http://marc.info/?l=bugtraq&m=108795911203342&w=2 (mailing-list, x_refsource_BUGTRAQ)
http://marc.info/?l=bugtraq&m=108938625206063&w=2 (mailing-list, x_refsource_BUGTRAQ)
http://www.novell.com/linux/security/advisories/2… (vendor-advisory, x_refsource_SUSE)
http://www.securityfocus.com/bid/10591 (vdb-entry, x_refsource_BID)
http://www.xerox.com/downloads/usa/en/c/cert_XRX0… (x_refsource_CONFIRM)
http://www.us-cert.gov/cas/techalerts/TA04-174A.html (third-party-advisory, x_refsource_CERT)
http://marc.info/?l=bugtraq&m=108843959502356&w=2 (mailing-list, x_refsource_BUGTRAQ)
Date Public
2004-06-22 00:00

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-08T00:17:15.144Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "VU#654390",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "http://www.kb.cert.org/vuls/id/654390"
          },
          {
            "name": "dhcp-c-include-bo(16476)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16476"
          },
          {
            "name": "MDKSA-2004:061",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRAKE",
              "x_transferred"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2004:061"
          },
          {
            "name": "23265",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/23265"
          },
          {
            "name": "20040622 DHCP Vuln // no code 0day //",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://marc.info/?l=bugtraq\u0026m=108795911203342\u0026w=2"
          },
          {
            "name": "20040708 [OpenPKG-SA-2004.031] OpenPKG Security Advisory (dhcpd)",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://marc.info/?l=bugtraq\u0026m=108938625206063\u0026w=2"
          },
          {
            "name": "SuSE-SA:2004:019",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://www.novell.com/linux/security/advisories/2004_19_dhcp_server.html"
          },
          {
            "name": "10591",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/10591"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf"
          },
          {
            "name": "TA04-174A",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT",
              "x_transferred"
            ],
            "url": "http://www.us-cert.gov/cas/techalerts/TA04-174A.html"
          },
          {
            "name": "20040628 ISC DHCP overflows",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://marc.info/?l=bugtraq\u0026m=108843959502356\u0026w=2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2004-06-22T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13, when compiled in environments that do not provide the vsnprintf function, uses C include files that define vsnprintf to use the less safe vsprintf function, which can lead to buffer overflow vulnerabilities that enable a denial of service (server crash) and possibly execute arbitrary code."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-07-10T14:57:01.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "VU#654390",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "http://www.kb.cert.org/vuls/id/654390"
        },
        {
          "name": "dhcp-c-include-bo(16476)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16476"
        },
        {
          "name": "MDKSA-2004:061",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRAKE"
          ],
          "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2004:061"
        },
        {
          "name": "23265",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/23265"
        },
        {
          "name": "20040622 DHCP Vuln // no code 0day //",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://marc.info/?l=bugtraq\u0026m=108795911203342\u0026w=2"
        },
        {
          "name": "20040708 [OpenPKG-SA-2004.031] OpenPKG Security Advisory (dhcpd)",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://marc.info/?l=bugtraq\u0026m=108938625206063\u0026w=2"
        },
        {
          "name": "SuSE-SA:2004:019",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://www.novell.com/linux/security/advisories/2004_19_dhcp_server.html"
        },
        {
          "name": "10591",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/10591"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf"
        },
        {
          "name": "TA04-174A",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT"
          ],
          "url": "http://www.us-cert.gov/cas/techalerts/TA04-174A.html"
        },
        {
          "name": "20040628 ISC DHCP overflows",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://marc.info/?l=bugtraq\u0026m=108843959502356\u0026w=2"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2004-0461",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13, when compiled in environments that do not provide the vsnprintf function, uses C include files that define vsnprintf to use the less safe vsprintf function, which can lead to buffer overflow vulnerabilities that enable a denial of service (server crash) and possibly execute arbitrary code."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "VU#654390",
              "refsource": "CERT-VN",
              "url": "http://www.kb.cert.org/vuls/id/654390"
            },
            {
              "name": "dhcp-c-include-bo(16476)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16476"
            },
            {
              "name": "MDKSA-2004:061",
              "refsource": "MANDRAKE",
              "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2004:061"
            },
            {
              "name": "23265",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/23265"
            },
            {
              "name": "20040622 DHCP Vuln // no code 0day //",
              "refsource": "BUGTRAQ",
              "url": "http://marc.info/?l=bugtraq\u0026m=108795911203342\u0026w=2"
            },
            {
              "name": "20040708 [OpenPKG-SA-2004.031] OpenPKG Security Advisory (dhcpd)",
              "refsource": "BUGTRAQ",
              "url": "http://marc.info/?l=bugtraq\u0026m=108938625206063\u0026w=2"
            },
            {
              "name": "SuSE-SA:2004:019",
              "refsource": "SUSE",
              "url": "http://www.novell.com/linux/security/advisories/2004_19_dhcp_server.html"
            },
            {
              "name": "10591",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/10591"
            },
            {
              "name": "http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf",
              "refsource": "CONFIRM",
              "url": "http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf"
            },
            {
              "name": "TA04-174A",
              "refsource": "CERT",
              "url": "http://www.us-cert.gov/cas/techalerts/TA04-174A.html"
            },
            {
              "name": "20040628 ISC DHCP overflows",
              "refsource": "BUGTRAQ",
              "url": "http://marc.info/?l=bugtraq\u0026m=108843959502356\u0026w=2"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2004-0461",
    "datePublished": "2004-06-24T04:00:00.000Z",
    "dateReserved": "2004-05-12T00:00:00.000Z",
    "dateUpdated": "2024-08-08T00:17:15.144Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2004-0460 (GCVE-0-2004-0460)

Vulnerability from cvelistv5 – Published: 2004-06-24 04:00 – Updated: 2024-08-08 00:17
Summary
Buffer overflow in the logging capability for the DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13 allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via multiple hostname options in (1) DISCOVER, (2) OFFER, (3) REQUEST, (4) ACK, or (5) NAK messages, which can generate a long string when writing to a log file.
Severity
No CVSS data available.
CWE
  • n/a
Assigner
References
http://www.kb.cert.org/vuls/id/317350 third-party-advisory, x_refsource_CERT-VN
http://www.securityfocus.com/bid/10590 vdb-entry, x_refsource_BID
http://www.mandriva.com/security/advisories?name=… vendor-advisory, x_refsource_MANDRAKE
http://secunia.com/advisories/23265 third-party-advisory, x_refsource_SECUNIA
http://marc.info/?l=bugtraq&m=108795911203342&w=2 mailing-list, x_refsource_BUGTRAQ
http://marc.info/?l=bugtraq&m=108938625206063&w=2 mailing-list, x_refsource_BUGTRAQ
http://www.novell.com/linux/security/advisories/2… vendor-advisory, x_refsource_SUSE
https://exchange.xforce.ibmcloud.com/vulnerabilit… vdb-entry, x_refsource_XF
http://www.xerox.com/downloads/usa/en/c/cert_XRX0… x_refsource_CONFIRM
http://www.us-cert.gov/cas/techalerts/TA04-174A.html third-party-advisory, x_refsource_CERT
http://marc.info/?l=bugtraq&m=108843959502356&w=2 mailing-list, x_refsource_BUGTRAQ
Date Public
2004-06-22 00:00

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-08T00:17:15.127Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "VU#317350",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "http://www.kb.cert.org/vuls/id/317350"
          },
          {
            "name": "10590",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/10590"
          },
          {
            "name": "MDKSA-2004:061",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRAKE",
              "x_transferred"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2004:061"
          },
          {
            "name": "23265",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/23265"
          },
          {
            "name": "20040622 DHCP Vuln // no code 0day //",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://marc.info/?l=bugtraq\u0026m=108795911203342\u0026w=2"
          },
          {
            "name": "20040708 [OpenPKG-SA-2004.031] OpenPKG Security Advisory (dhcpd)",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://marc.info/?l=bugtraq\u0026m=108938625206063\u0026w=2"
          },
          {
            "name": "SuSE-SA:2004:019",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://www.novell.com/linux/security/advisories/2004_19_dhcp_server.html"
          },
          {
            "name": "dhcp-ascii-log-bo(16475)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16475"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf"
          },
          {
            "name": "TA04-174A",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT",
              "x_transferred"
            ],
            "url": "http://www.us-cert.gov/cas/techalerts/TA04-174A.html"
          },
          {
            "name": "20040628 ISC DHCP overflows",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://marc.info/?l=bugtraq\u0026m=108843959502356\u0026w=2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2004-06-22T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Buffer overflow in the logging capability for the DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13 allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via multiple hostname options in (1) DISCOVER, (2) OFFER, (3) REQUEST, (4) ACK, or (5) NAK messages, which can generate a long string when writing to a log file."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-07-10T14:57:01.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "VU#317350",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "http://www.kb.cert.org/vuls/id/317350"
        },
        {
          "name": "10590",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/10590"
        },
        {
          "name": "MDKSA-2004:061",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRAKE"
          ],
          "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2004:061"
        },
        {
          "name": "23265",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/23265"
        },
        {
          "name": "20040622 DHCP Vuln // no code 0day //",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://marc.info/?l=bugtraq\u0026m=108795911203342\u0026w=2"
        },
        {
          "name": "20040708 [OpenPKG-SA-2004.031] OpenPKG Security Advisory (dhcpd)",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://marc.info/?l=bugtraq\u0026m=108938625206063\u0026w=2"
        },
        {
          "name": "SuSE-SA:2004:019",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://www.novell.com/linux/security/advisories/2004_19_dhcp_server.html"
        },
        {
          "name": "dhcp-ascii-log-bo(16475)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16475"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf"
        },
        {
          "name": "TA04-174A",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT"
          ],
          "url": "http://www.us-cert.gov/cas/techalerts/TA04-174A.html"
        },
        {
          "name": "20040628 ISC DHCP overflows",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://marc.info/?l=bugtraq\u0026m=108843959502356\u0026w=2"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2004-0460",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Buffer overflow in the logging capability for the DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13 allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via multiple hostname options in (1) DISCOVER, (2) OFFER, (3) REQUEST, (4) ACK, or (5) NAK messages, which can generate a long string when writing to a log file."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "VU#317350",
              "refsource": "CERT-VN",
              "url": "http://www.kb.cert.org/vuls/id/317350"
            },
            {
              "name": "10590",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/10590"
            },
            {
              "name": "MDKSA-2004:061",
              "refsource": "MANDRAKE",
              "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2004:061"
            },
            {
              "name": "23265",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/23265"
            },
            {
              "name": "20040622 DHCP Vuln // no code 0day //",
              "refsource": "BUGTRAQ",
              "url": "http://marc.info/?l=bugtraq\u0026m=108795911203342\u0026w=2"
            },
            {
              "name": "20040708 [OpenPKG-SA-2004.031] OpenPKG Security Advisory (dhcpd)",
              "refsource": "BUGTRAQ",
              "url": "http://marc.info/?l=bugtraq\u0026m=108938625206063\u0026w=2"
            },
            {
              "name": "SuSE-SA:2004:019",
              "refsource": "SUSE",
              "url": "http://www.novell.com/linux/security/advisories/2004_19_dhcp_server.html"
            },
            {
              "name": "dhcp-ascii-log-bo(16475)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16475"
            },
            {
              "name": "http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf",
              "refsource": "CONFIRM",
              "url": "http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf"
            },
            {
              "name": "TA04-174A",
              "refsource": "CERT",
              "url": "http://www.us-cert.gov/cas/techalerts/TA04-174A.html"
            },
            {
              "name": "20040628 ISC DHCP overflows",
              "refsource": "BUGTRAQ",
              "url": "http://marc.info/?l=bugtraq\u0026m=108843959502356\u0026w=2"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2004-0460",
    "datePublished": "2004-06-24T04:00:00.000Z",
    "dateReserved": "2004-05-12T00:00:00.000Z",
    "dateUpdated": "2024-08-08T00:17:15.127Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2003-0026 (GCVE-0-2003-0026)

Vulnerability from cvelistv5 – Published: 2003-01-16 05:00 – Updated: 2024-08-08 01:36
Summary
Multiple stack-based buffer overflows in the error handling routines of the minires library, as used in the NSUPDATE capability for ISC DHCPD 3.0 through 3.0.1RC10, allow remote attackers to execute arbitrary code via a DHCP message containing a long hostname.
Severity
No CVSS data available.
CWE
  • n/a
Assigner
References
http://www.redhat.com/support/errata/RHSA-2003-011.html vendor-advisory, x_refsource_REDHAT
http://www.openpkg.com/security/advisories/OpenPK… vendor-advisory, x_refsource_OPENPKG
http://www.securitytracker.com/id?1005924 vdb-entry, x_refsource_SECTRACK
http://www.debian.org/security/2003/dsa-231 vendor-advisory, x_refsource_DEBIAN
http://www.securityfocus.com/bid/6627 vdb-entry, x_refsource_BID
https://exchange.xforce.ibmcloud.com/vulnerabilit… vdb-entry, x_refsource_XF
http://www.mandriva.com/security/advisories?name=… vendor-advisory, x_refsource_MANDRAKE
http://www.kb.cert.org/vuls/id/284857 third-party-advisory, x_refsource_CERT-VN
http://www.cert.org/advisories/CA-2003-01.html third-party-advisory, x_refsource_CERT
http://www.ciac.org/ciac/bulletins/n-031.shtml third-party-advisory, government-resource, x_refsource_CIAC
http://www.suse.com/de/security/2003_006_dhcp.html vendor-advisory, x_refsource_SUSE
http://archives.neohapsis.com/archives/bugtraq/20… mailing-list, x_refsource_BUGTRAQ
http://www.suse.com/de/security/2003_006_dhcp.html vendor-advisory, x_refsource_SUSE
http://distro.conectiva.com.br/atualizacoes/?id=a… vendor-advisory, x_refsource_CONECTIVA
Date Public
2003-01-15 00:00

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-08T01:36:25.306Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2003:011",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://www.redhat.com/support/errata/RHSA-2003-011.html"
          },
          {
            "name": "OpenPKG-SA-2003.002",
            "tags": [
              "vendor-advisory",
              "x_refsource_OPENPKG",
              "x_transferred"
            ],
            "url": "http://www.openpkg.com/security/advisories/OpenPKG-SA-2003.002.html"
          },
          {
            "name": "1005924",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id?1005924"
          },
          {
            "name": "DSA-231",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2003/dsa-231"
          },
          {
            "name": "6627",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/6627"
          },
          {
            "name": "dhcpd-minires-multiple-bo(11073)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/11073"
          },
          {
            "name": "MDKSA-2003:007",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRAKE",
              "x_transferred"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2003:007"
          },
          {
            "name": "VU#284857",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "http://www.kb.cert.org/vuls/id/284857"
          },
          {
            "name": "CA-2003-01",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT",
              "x_transferred"
            ],
            "url": "http://www.cert.org/advisories/CA-2003-01.html"
          },
          {
            "name": "N-031",
            "tags": [
              "third-party-advisory",
              "government-resource",
              "x_refsource_CIAC",
              "x_transferred"
            ],
            "url": "http://www.ciac.org/ciac/bulletins/n-031.shtml"
          },
          {
            "name": "SuSE-SA:2003:006",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://www.suse.com/de/security/2003_006_dhcp.html"
          },
          {
            "name": "20030122 [securityslackware.com: [slackware-security] New DHCP packages available]",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://archives.neohapsis.com/archives/bugtraq/2003-01/0250.html"
          },
          {
            "name": "SuSE-SA:2003:0006",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://www.suse.com/de/security/2003_006_dhcp.html"
          },
          {
            "name": "CLA-2003:562",
            "tags": [
              "vendor-advisory",
              "x_refsource_CONECTIVA",
              "x_transferred"
            ],
            "url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000562"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2003-01-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple stack-based buffer overflows in the error handling routines of the minires library, as used in the NSUPDATE capability for ISC DHCPD 3.0 through 3.0.1RC10, allow remote attackers to execute arbitrary code via a DHCP message containing a long hostname."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-07-10T14:57:01.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "RHSA-2003:011",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://www.redhat.com/support/errata/RHSA-2003-011.html"
        },
        {
          "name": "OpenPKG-SA-2003.002",
          "tags": [
            "vendor-advisory",
            "x_refsource_OPENPKG"
          ],
          "url": "http://www.openpkg.com/security/advisories/OpenPKG-SA-2003.002.html"
        },
        {
          "name": "1005924",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id?1005924"
        },
        {
          "name": "DSA-231",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2003/dsa-231"
        },
        {
          "name": "6627",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/6627"
        },
        {
          "name": "dhcpd-minires-multiple-bo(11073)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/11073"
        },
        {
          "name": "MDKSA-2003:007",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRAKE"
          ],
          "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2003:007"
        },
        {
          "name": "VU#284857",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "http://www.kb.cert.org/vuls/id/284857"
        },
        {
          "name": "CA-2003-01",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT"
          ],
          "url": "http://www.cert.org/advisories/CA-2003-01.html"
        },
        {
          "name": "N-031",
          "tags": [
            "third-party-advisory",
            "government-resource",
            "x_refsource_CIAC"
          ],
          "url": "http://www.ciac.org/ciac/bulletins/n-031.shtml"
        },
        {
          "name": "SuSE-SA:2003:006",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://www.suse.com/de/security/2003_006_dhcp.html"
        },
        {
          "name": "20030122 [securityslackware.com: [slackware-security] New DHCP packages available]",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://archives.neohapsis.com/archives/bugtraq/2003-01/0250.html"
        },
        {
          "name": "SuSE-SA:2003:0006",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://www.suse.com/de/security/2003_006_dhcp.html"
        },
        {
          "name": "CLA-2003:562",
          "tags": [
            "vendor-advisory",
            "x_refsource_CONECTIVA"
          ],
          "url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000562"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2003-0026",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple stack-based buffer overflows in the error handling routines of the minires library, as used in the NSUPDATE capability for ISC DHCPD 3.0 through 3.0.1RC10, allow remote attackers to execute arbitrary code via a DHCP message containing a long hostname."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2003:011",
              "refsource": "REDHAT",
              "url": "http://www.redhat.com/support/errata/RHSA-2003-011.html"
            },
            {
              "name": "OpenPKG-SA-2003.002",
              "refsource": "OPENPKG",
              "url": "http://www.openpkg.com/security/advisories/OpenPKG-SA-2003.002.html"
            },
            {
              "name": "1005924",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id?1005924"
            },
            {
              "name": "DSA-231",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2003/dsa-231"
            },
            {
              "name": "6627",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/6627"
            },
            {
              "name": "dhcpd-minires-multiple-bo(11073)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/11073"
            },
            {
              "name": "MDKSA-2003:007",
              "refsource": "MANDRAKE",
              "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2003:007"
            },
            {
              "name": "VU#284857",
              "refsource": "CERT-VN",
              "url": "http://www.kb.cert.org/vuls/id/284857"
            },
            {
              "name": "CA-2003-01",
              "refsource": "CERT",
              "url": "http://www.cert.org/advisories/CA-2003-01.html"
            },
            {
              "name": "N-031",
              "refsource": "CIAC",
              "url": "http://www.ciac.org/ciac/bulletins/n-031.shtml"
            },
            {
              "name": "SuSE-SA:2003:006",
              "refsource": "SUSE",
              "url": "http://www.suse.com/de/security/2003_006_dhcp.html"
            },
            {
              "name": "20030122 [securityslackware.com: [slackware-security] New DHCP packages available]",
              "refsource": "BUGTRAQ",
              "url": "http://archives.neohapsis.com/archives/bugtraq/2003-01/0250.html"
            },
            {
              "name": "SuSE-SA:2003:0006",
              "refsource": "SUSE",
              "url": "http://www.suse.com/de/security/2003_006_dhcp.html"
            },
            {
              "name": "CLA-2003:562",
              "refsource": "CONECTIVA",
              "url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000562"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2003-0026",
    "datePublished": "2003-01-16T05:00:00.000Z",
    "dateReserved": "2003-01-10T00:00:00.000Z",
    "dateUpdated": "2024-08-08T01:36:25.306Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2002-0702 (GCVE-0-2002-0702)

Vulnerability from cvelistv5 – Published: 2002-07-23 04:00 – Updated: 2024-08-08 02:56
Summary
Format string vulnerabilities in the logging routines for dynamic DNS code (print.c) of ISC DHCP daemon (DHCPD) 3 to 3.0.1rc8, with the NSUPDATE option enabled, allow remote malicious DNS servers to execute arbitrary code via format strings in a DNS server response.
Severity
No CVSS data available.
CWE
  • n/a
Assigner
References
http://www.securityfocus.com/bid/4701 vdb-entry, x_refsource_BID
http://www.kb.cert.org/vuls/id/854315 third-party-advisory, x_refsource_CERT-VN
http://www.novell.com/linux/security/advisories/2… vendor-advisory, x_refsource_SUSE
http://www.cert.org/advisories/CA-2002-12.html third-party-advisory, x_refsource_CERT
http://marc.info/?l=bugtraq&m=102089498828206&w=2 mailing-list, x_refsource_BUGTRAQ
http://distro.conectiva.com.br/atualizacoes/?id=a… vendor-advisory, x_refsource_CONECTIVA
http://www.linux-mandrake.com/en/security/2002/MD… vendor-advisory, x_refsource_MANDRAKE
http://archives.neohapsis.com/archives/vulnwatch/… mailing-list, x_refsource_VULNWATCH
http://www.iss.net/security_center/static/9039.php vdb-entry, x_refsource_XF
ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA… vendor-advisory, x_refsource_CALDERA
Date Public
2002-05-08 00:00

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-08T02:56:38.893Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "4701",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/4701"
          },
          {
            "name": "VU#854315",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "http://www.kb.cert.org/vuls/id/854315"
          },
          {
            "name": "SuSE-SA:2002:019",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://www.novell.com/linux/security/advisories/2002_19_dhcp.html"
          },
          {
            "name": "CA-2002-12",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT",
              "x_transferred"
            ],
            "url": "http://www.cert.org/advisories/CA-2002-12.html"
          },
          {
            "name": "20020508 [NGSEC-2002-2] ISC DHCPDv3, remote root compromise",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://marc.info/?l=bugtraq\u0026m=102089498828206\u0026w=2"
          },
          {
            "name": "CLA-2002:483",
            "tags": [
              "vendor-advisory",
              "x_refsource_CONECTIVA",
              "x_transferred"
            ],
            "url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000483"
          },
          {
            "name": "MDKSA-2002:037",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRAKE",
              "x_transferred"
            ],
            "url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-037.php"
          },
          {
            "name": "20020508 [VulnWatch] [NGSEC-2002-2] ISC DHCPDv3, remote root compromise",
            "tags": [
              "mailing-list",
              "x_refsource_VULNWATCH",
              "x_transferred"
            ],
            "url": "http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0063.html"
          },
          {
            "name": "dhcpd-nsupdate-format-string(9039)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "http://www.iss.net/security_center/static/9039.php"
          },
          {
            "name": "CSSA-2002-028.0",
            "tags": [
              "vendor-advisory",
              "x_refsource_CALDERA",
              "x_transferred"
            ],
            "url": "ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-028.0.txt"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2002-05-08T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Format string vulnerabilities in the logging routines for dynamic DNS code (print.c) of ISC DHCP daemon (DHCPD) 3 to 3.0.1rc8, with the NSUPDATE option enabled, allow remote malicious DNS servers to execute arbitrary code via format strings in a DNS server response."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-10-17T13:57:01.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "4701",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/4701"
        },
        {
          "name": "VU#854315",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "http://www.kb.cert.org/vuls/id/854315"
        },
        {
          "name": "SuSE-SA:2002:019",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://www.novell.com/linux/security/advisories/2002_19_dhcp.html"
        },
        {
          "name": "CA-2002-12",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT"
          ],
          "url": "http://www.cert.org/advisories/CA-2002-12.html"
        },
        {
          "name": "20020508 [NGSEC-2002-2] ISC DHCPDv3, remote root compromise",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://marc.info/?l=bugtraq\u0026m=102089498828206\u0026w=2"
        },
        {
          "name": "CLA-2002:483",
          "tags": [
            "vendor-advisory",
            "x_refsource_CONECTIVA"
          ],
          "url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000483"
        },
        {
          "name": "MDKSA-2002:037",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRAKE"
          ],
          "url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-037.php"
        },
        {
          "name": "20020508 [VulnWatch] [NGSEC-2002-2] ISC DHCPDv3, remote root compromise",
          "tags": [
            "mailing-list",
            "x_refsource_VULNWATCH"
          ],
          "url": "http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0063.html"
        },
        {
          "name": "dhcpd-nsupdate-format-string(9039)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "http://www.iss.net/security_center/static/9039.php"
        },
        {
          "name": "CSSA-2002-028.0",
          "tags": [
            "vendor-advisory",
            "x_refsource_CALDERA"
          ],
          "url": "ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-028.0.txt"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2002-0702",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Format string vulnerabilities in the logging routines for dynamic DNS code (print.c) of ISC DHCP daemon (DHCPD) 3 to 3.0.1rc8, with the NSUPDATE option enabled, allow remote malicious DNS servers to execute arbitrary code via format strings in a DNS server response."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "4701",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/4701"
            },
            {
              "name": "VU#854315",
              "refsource": "CERT-VN",
              "url": "http://www.kb.cert.org/vuls/id/854315"
            },
            {
              "name": "SuSE-SA:2002:019",
              "refsource": "SUSE",
              "url": "http://www.novell.com/linux/security/advisories/2002_19_dhcp.html"
            },
            {
              "name": "CA-2002-12",
              "refsource": "CERT",
              "url": "http://www.cert.org/advisories/CA-2002-12.html"
            },
            {
              "name": "20020508 [NGSEC-2002-2] ISC DHCPDv3, remote root compromise",
              "refsource": "BUGTRAQ",
              "url": "http://marc.info/?l=bugtraq\u0026m=102089498828206\u0026w=2"
            },
            {
              "name": "CLA-2002:483",
              "refsource": "CONECTIVA",
              "url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000483"
            },
            {
              "name": "MDKSA-2002:037",
              "refsource": "MANDRAKE",
              "url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-037.php"
            },
            {
              "name": "20020508 [VulnWatch] [NGSEC-2002-2] ISC DHCPDv3, remote root compromise",
              "refsource": "VULNWATCH",
              "url": "http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0063.html"
            },
            {
              "name": "dhcpd-nsupdate-format-string(9039)",
              "refsource": "XF",
              "url": "http://www.iss.net/security_center/static/9039.php"
            },
            {
              "name": "CSSA-2002-028.0",
              "refsource": "CALDERA",
              "url": "ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-028.0.txt"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2002-0702",
    "datePublished": "2002-07-23T04:00:00.000Z",
    "dateReserved": "2002-07-16T00:00:00.000Z",
    "dateUpdated": "2024-08-08T02:56:38.893Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}