Debian Bug report logs - #380273
DHCP server exits unexpectedly on DHCPOFFER with specific client-identifier


Package: dhcp; Maintainer for dhcp is (unknown);

Reported by: Andrew Steets <asteets@wayport.net>

Date: Fri, 28 Jul 2006 21:33:21 UTC

Severity: grave

Tags: patch, security

Found in version dhcp/2.0pl5-19.1

Fixed in version dhcp/2.0pl5-19.5

Done: Andreas Barth <aba@not.so.argh.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, peloy@debian.org (Eloy A. Paris):
Bug#380273; Package dhcp.

Acknowledgement sent to Andrew Steets <asteets@wayport.net>:
New Bug report received and forwarded. Copy sent to peloy@debian.org (Eloy A. Paris).

Message #5 received at submit@bugs.debian.org:

From: Andrew Steets <asteets@wayport.net>
To: submit@bugs.debian.org
Cc: mdz@debian.org, peloy@debian.org, security@debian.org
Subject: DHCP server exits unexpectedly on DHCPOFFER with specific client-identifier
Date: Fri, 28 Jul 2006 15:44:42 -0500
Package: dhcp
Version: 2.0pl5-19.1

There is a bug in ISC DHCP server version 2 that causes the server to
unexpectedly exit when it receives a DHCPOFFER packet with a
client-identifier option which is exactly 32 bytes long.

A malicious user could use this as a sort of denial of service attack on
a version 2 dhcp server.  This does not appear to be a problem with the
dhcp version 3 server.

Explanation of the bug:
The DHCP server has a lease struct which contains a buffer (uid_buf)
which is 32 bytes long.  If it needs more space, it simply malloc's new
storage.  There is an edge condition in supersede_lease() from memory.c
that causes a 32 byte client-identifier to be mistakenly interpreted as
a corrupt uid, and so the server exits with the message "corrupt lease
uid."

To reproduce:
You can use the dhclient included in the dhcp package.  Set up a "send
dhcp-client-identifier" directive to send a 32 byte client-identifier,
and then activate dhclient.  The dhcp server will exit as soon as it
receives the DHCPDISCOVER packet.

More info:
This is not a stack overflow issue.  There does not seem to be any
possibility of remote compromise from this issue. 

Windows clients generally do not send client-identifier options greater
than 6 bytes, but it looks like Mac OS X uses a longer string.  That is
how we originally noticed the issue.

The short patch below resolves the issue.

Andrew Steets
Wayport Software Engineering
asteets@wayport.net
(512) 519-6061


*** common/memory.c     1999-05-27 12:47:43.000000000 -0500
--- ../fixed/dhcp-2.0pl5/common/memory.c        2006-07-28 14:25:32.796953968 -0500
***************
*** 528,534 ****
                /* Copy the data files, but not the linkages. */
                comp -> starts = lease -> starts;
                if (lease -> uid) {
!                       if (lease -> uid_len < sizeof (lease -> uid_buf)) {
                                memcpy (comp -> uid_buf,
                                        lease -> uid, lease -> uid_len);
                                comp -> uid = &comp -> uid_buf [0];
--- 528,534 ----
                /* Copy the data files, but not the linkages. */
                comp -> starts = lease -> starts;
                if (lease -> uid) {
!                       if (lease -> uid_len <= sizeof (lease -> uid_buf)) {
                                memcpy (comp -> uid_buf,
                                        lease -> uid, lease -> uid_len);
                                comp -> uid = &comp -> uid_buf [0];
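Review bot: the `<` to `<=` change on the `if (lease -> uid_len ...)` line is the correct bound: when uid_len equals sizeof (lease -> uid_buf) the memcpy into comp -> uid_buf writes exactly the buffer's size and stays in bounds, and the patch does not enlarge what can be copied inline. The visible context stops right after the inline copy, so the branch the report says prints "corrupt lease uid." and exits is not shown; please confirm that the code which originally places the identifier into uid_buf uses the same `<=` bound, because the exit described in the report is precisely the case where the storage test and this copy test disagree at uid_len == 32. A short comment on the changed line saying that an identifier of exactly sizeof (uid_buf) bytes lives inline would keep the two bounds from drifting apart again.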





Information forwarded to debian-bugs-dist@lists.debian.org, peloy@debian.org (Eloy A. Paris):
Bug#380273; Package dhcp.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to peloy@debian.org (Eloy A. Paris).

Message #10 received at 380273@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Andrew Steets <asteets@wayport.net>
Cc: 380273@bugs.debian.org, mdz@debian.org, peloy@debian.org, security@debian.org
Subject: Re: DHCP server exits unexpectedly on DHCPOFFER with specific client-identifier
Date: Sat, 29 Jul 2006 12:11:02 +0200
I have assigned CVE-2006-3122 to this issue.

Eloy, please let us know which version in sid fixes the problem
when you upload a package.

Andrew, is it ok when we credit you in the advisory for discovery?

Andrew Steets wrote:
> There is a bug in ISC DHCP server version 2 that causes the server to
> unexpectedly exit when it receives a DHCPOFFER packet with a
> client-identifier option which is exactly 32 bytes long.
> 
> A malicious user could use this as a sort of denial of service attack on
> a version 2 dhcp server.  This does not appear to be a problem with the
> dhcp version 3 server.
> 
> Explanation of the bug:
> The DHCP server has a lease struct which contains a buffer (uid_buf)
> which is 32 bytes long.  If it needs more space, it simply malloc's new
> storage.  There is an edge condition in supersede_lease() from memory.c
> that causes a 32 byte client-identifier to be mistakenly interpreted as
> a corrupt uid, and so the server exits with the message "corrupt lease
> uid."

Well spotted!

Thanks a lot for the research and the patch.

Regards,

	Joey

-- 
MIME - broken solution for a broken design.  -- Ralf Baechle

Please always Cc to me when replying to me on the lists.
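The boundary mismatch in the quoted explanation, worked through as an added C model; this is example code written for this page, not ISC DHCP's source. The copy step (supersede_uid) mirrors the comparison the submitted patch changes and can be run with either the original `<` or the patched `<=`; the storage step (set_lease_uid), the lease layout beyond uid, uid_len and the 32-byte uid_buf, and the constructed sample identifier are assumptions made so the two bounds can be compared side by side, with the server's exit replaced by a return code.

```c
/* Added example, not ISC DHCP code: a minimal model of lease uid handling
 * that reproduces the boundary mismatch from bug #380273.  All names here
 * (set_lease_uid, supersede_uid, run_variant) are modelled, not the server's. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UID_BUF_SIZE 32        /* the 32-byte uid_buf from the report */

struct lease {
    unsigned char *uid;        /* points into uid_buf or at heap storage */
    size_t uid_len;
    unsigned char uid_buf[UID_BUF_SIZE];
};

/* Storage side (assumed): an identifier that fits is kept inline in
 * uid_buf, anything longer is malloc'd.  Note the `<=`: an identifier of
 * exactly UID_BUF_SIZE bytes is stored INLINE. */
static int set_lease_uid(struct lease *l, const unsigned char *id, size_t len)
{
    if (len <= sizeof l->uid_buf) {
        memcpy(l->uid_buf, id, len);
        l->uid = l->uid_buf;
    } else {
        l->uid = malloc(len);
        if (l->uid == NULL)
            return -1;
        memcpy(l->uid, id, len);
    }
    l->uid_len = len;
    return 0;
}

/* Copy side, mirroring the test changed by the patch.  strict_lt == 1 uses
 * the original `<`, 0 uses the patched `<=`.  Returns 0 on success and -1
 * where the real server logged "corrupt lease uid." and exited. */
static int supersede_uid(struct lease *comp, struct lease *lease, int strict_lt)
{
    int fits_inline;

    if (lease->uid == NULL)
        return 0;
    fits_inline = strict_lt ? (lease->uid_len <  sizeof comp->uid_buf)
                            : (lease->uid_len <= sizeof comp->uid_buf);
    if (fits_inline) {
        /* With `<=` this copies at most sizeof uid_buf bytes: still in bounds. */
        memcpy(comp->uid_buf, lease->uid, lease->uid_len);
        comp->uid = comp->uid_buf;
    } else if (lease->uid != lease->uid_buf) {
        /* Heap-allocated identifier: take over the pointer. */
        comp->uid = lease->uid;
        lease->uid = NULL;
    } else {
        /* Identifier is stored inline yet judged too large to copy inline.
         * The two bounds disagree only at uid_len == UID_BUF_SIZE, and
         * only when the copy side uses `<`. */
        return -1;
    }
    comp->uid_len = lease->uid_len;
    return 0;
}

static void lease_free(struct lease *l)
{
    if (l->uid != NULL && l->uid != l->uid_buf)
        free(l->uid);
    l->uid = NULL;
}

/* Push one constructed identifier of `len` bytes through a fresh pair of
 * leases.  Returns supersede_uid's result, -2 if the copied bytes differ,
 * -3 on a setup problem. */
static int run_variant(size_t len, int strict_lt)
{
    unsigned char id[64];                 /* constructed sample identifier */
    struct lease src, dst;
    int rc;

    if (len > sizeof id)
        return -3;
    memset(id, 0xab, sizeof id);
    memset(&src, 0, sizeof src);
    memset(&dst, 0, sizeof dst);
    if (set_lease_uid(&src, id, len) != 0)
        return -3;
    rc = supersede_uid(&dst, &src, strict_lt);
    if (rc == 0 && (dst.uid_len != len || memcmp(dst.uid, id, len) != 0))
        rc = -2;
    lease_free(&src);
    lease_free(&dst);
    return rc;
}

int buggy_result(size_t len) { return run_variant(len, 1); }   /* original `<`  */
int fixed_result(size_t len) { return run_variant(len, 0); }   /* patched  `<=` */

int main(void)
{
    size_t lens[] = { 6, 31, 32, 33 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("uid_len %2zu: original '<' -> %2d   patched '<=' -> %2d\n",
               lens[i], buggy_result(lens[i]), fixed_result(lens[i]));
    return 0;
}
```

Compiled stand-alone, main() prints one line per identifier length. Only uid_len 32 under the original `<` yields the corruption result, which is the single-packet exit the report describes; the patched comparison copies those 32 bytes in bounds, and identifiers of 33 bytes or more take the heap path under both variants, so the fix changes behaviour for exactly one length.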



Severity set to `grave' from `normal'. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org.

Tags added: security. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org.

Tags added: patch. Request was from Andreas Barth <aba@not.so.argh.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, peloy@debian.org (Eloy A. Paris):
Bug#380273; Package dhcp.

Acknowledgement sent to Andreas Barth <aba@not.so.argh.org>:
Extra info received and forwarded to list. Copy sent to peloy@debian.org (Eloy A. Paris).

Message #21 received at 380273@bugs.debian.org:

From: Andreas Barth <aba@not.so.argh.org>
To: 380273@bugs.debian.org, 322860@bugs.debian.org
Subject: NMU uploaded
Date: Mon, 4 Dec 2006 16:49:38 +0100
Hi,

I uploaded an NMU of your package.

Please see this as help to get the package into a releasable condition for
etch.

Please find the used diff below.


Cheers,
Andi

diff -Nur ../dhcp-2.0pl5~/debian/changelog ../dhcp-2.0pl5/debian/changelog
--- ../dhcp-2.0pl5~/debian/changelog	2006-12-04 15:14:36.000000000 +0000
+++ ../dhcp-2.0pl5/debian/changelog	2006-12-04 15:40:22.000000000 +0000
@@ -1,3 +1,13 @@
+dhcp (2.0pl5-19.5) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Add 117_fix_CVE-2006-3122 to fix remote DOS, CVE-2006-3122.
+    Thanks to Andrew Steets for detecting and the patch. Closes: #380273
+  * Update 202_script_resolvconf-support to not break resolv.conf even if
+    domain_name is empty/undefined.  Closes: #322860
+
+ -- Andreas Barth <aba@not.so.argh.org>  Mon,  4 Dec 2006 15:15:00 +0000
+
 dhcp (2.0pl5-19.4) unstable; urgency=low
 
   * Non-maintainer upload.
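Review bot: the changelog line `+  * Add 117_fix_CVE-2006-3122 to fix remote DOS, CVE-2006-3122.` names the impact but not the trigger; stating that the server exits on a client-identifier of exactly 32 bytes (the condition in #380273) would let an administrator judge exposure from the changelog alone, and `DOS` should read `DoS`. The credit line `Thanks to Andrew Steets for detecting and the patch.` reads better as `Thanks to Andrew Steets for the report and the patch.`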
diff -Nur ../dhcp-2.0pl5~/debian/patches/117_fix_CVE-2006-3122.patch ../dhcp-2.0pl5/debian/patches/117_fix_CVE-2006-3122.patch
--- ../dhcp-2.0pl5~/debian/patches/117_fix_CVE-2006-3122.patch	1970-01-01 00:00:00.000000000 +0000
+++ ../dhcp-2.0pl5/debian/patches/117_fix_CVE-2006-3122.patch	2006-12-04 15:34:17.000000000 +0000
@@ -0,0 +1,12 @@
+diff -ur dhcp-2.0pl5~/common/memory.c dhcp-2.0pl5/common/memory.c
+--- dhcp-2.0pl5~/common/memory.c	1999-05-27 17:47:43.000000000 +0000
++++ dhcp-2.0pl5/common/memory.c	2006-12-04 15:17:05.000000000 +0000
+@@ -528,7 +528,7 @@
+ 		/* Copy the data files, but not the linkages. */
+ 		comp -> starts = lease -> starts;
+ 		if (lease -> uid) {
+-			if (lease -> uid_len < sizeof (lease -> uid_buf)) {
++			if (lease -> uid_len <= sizeof (lease -> uid_buf)) {
+ 				memcpy (comp -> uid_buf,
+ 					lease -> uid, lease -> uid_len);
+ 				comp -> uid = &comp -> uid_buf [0];
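Review bot: the new 117_fix_CVE-2006-3122.patch carries the one-character fix with no explanation on the changed line `++			if (lease -> uid_len <= sizeof (lease -> uid_buf)) {`, and the patch file has no header paragraph either; since `<=` against a buffer size looks like an off-by-one to a casual reader, add a one-line comment (or a header in the patch file) saying that an identifier of exactly sizeof (uid_buf) bytes is stored inline and must be copied inline, with a reference to CVE-2006-3122. The hunk also keeps only three lines of trailing context, so the branches that follow, including the one the report says prints "corrupt lease uid.", cannot be reviewed from this file alone.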
diff -Nur ../dhcp-2.0pl5~/debian/patches/202_script_resolvconf-support.patch ../dhcp-2.0pl5/debian/patches/202_script_resolvconf-support.patch
--- ../dhcp-2.0pl5~/debian/patches/202_script_resolvconf-support.patch	2006-12-04 15:14:36.000000000 +0000
+++ ../dhcp-2.0pl5/debian/patches/202_script_resolvconf-support.patch	2006-12-04 15:40:03.000000000 +0000
@@ -8,7 +8,7 @@
  
  # Notes:
  
-@@ -32,12 +33,32 @@
+@@ -32,12 +33,35 @@
    exit $exit_status
  }
  
@@ -34,7 +34,10 @@
 +  }
 +else
 +  make_resolv_conf() {
-+    echo search $new_domain_name >/etc/resolv.conf
++    : >/etc/resolv.conf
++    if [ "$new_domain_name" ]; then
++      echo search $new_domain_name >>/etc/resolv.conf
++    fi
 +    for nameserver in $new_domain_name_servers; do
 +      echo nameserver $nameserver >>/etc/resolv.conf
 +    done
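Review bot: `++    : >/etc/resolv.conf` followed by separate `>>` appends leaves /etc/resolv.conf empty or partial between the truncation and the last echo, so a resolver lookup that races the script, or a script killed midway, sees a broken file; writing to a temporary file in the same directory and renaming it over /etc/resolv.conf keeps the update atomic. The `if [ "$new_domain_name" ]` guard does remove the empty `search` line, but `$new_domain_name` and `$new_domain_name_servers` are still echoed unquoted and unvalidated, straight from DHCP option data, into a file the system resolver trusts; restricting them to hostname characters and dotted-decimal addresses before writing would limit what a rogue DHCP server on the link can place in resolv.conf.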
-- 
  http://home.arcor.de/andreas-barth/



Reply sent to Andreas Barth <aba@not.so.argh.org>:
You have taken responsibility.

Notification sent to Andrew Steets <asteets@wayport.net>:
Bug acknowledged by developer.

Message #26 received at 380273-close@bugs.debian.org:

From: Andreas Barth <aba@not.so.argh.org>
To: 380273-close@bugs.debian.org
Subject: Bug#380273: fixed in dhcp 2.0pl5-19.5
Date: Mon, 04 Dec 2006 16:02:03 +0000
Source: dhcp
Source-Version: 2.0pl5-19.5

We believe that the bug you reported is fixed in the latest version of
dhcp, which is due to be installed in the Debian FTP archive:

dhcp-client-udeb_2.0pl5-19.5_amd64.udeb
  to pool/main/d/dhcp/dhcp-client-udeb_2.0pl5-19.5_amd64.udeb
dhcp-client_2.0pl5-19.5_amd64.deb
  to pool/main/d/dhcp/dhcp-client_2.0pl5-19.5_amd64.deb
dhcp-relay_2.0pl5-19.5_amd64.deb
  to pool/main/d/dhcp/dhcp-relay_2.0pl5-19.5_amd64.deb
dhcp_2.0pl5-19.5.diff.gz
  to pool/main/d/dhcp/dhcp_2.0pl5-19.5.diff.gz
dhcp_2.0pl5-19.5.dsc
  to pool/main/d/dhcp/dhcp_2.0pl5-19.5.dsc
dhcp_2.0pl5-19.5_amd64.deb
  to pool/main/d/dhcp/dhcp_2.0pl5-19.5_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 380273@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Barth <aba@not.so.argh.org> (supplier of updated dhcp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon,  4 Dec 2006 15:15:00 +0000
Source: dhcp
Binary: dhcp dhcp-client dhcp-client-udeb dhcp-relay
Architecture: source amd64
Version: 2.0pl5-19.5
Distribution: unstable
Urgency: low
Maintainer: Eloy A. Paris <peloy@debian.org>
Changed-By: Andreas Barth <aba@not.so.argh.org>
Description: 
 dhcp       - DHCP server for automatic IP address assignment
 dhcp-client - DHCP Client
 dhcp-client-udeb - DHCP Client for debian-installer (udeb)
 dhcp-relay - DHCP Relay
Closes: 322860 380273
Changes: 
 dhcp (2.0pl5-19.5) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Add 117_fix_CVE-2006-3122 to fix remote DOS, CVE-2006-3122.
     Thanks to Andrew Steets for detecting and the patch. Closes: #380273
   * Update 202_script_resolvconf-support to not break resolv.conf even if
     domain_name is empty/undefined.  Closes: #322860
Files: 
 4fc6878de216c3b1582643b20067371d 673 net optional dhcp_2.0pl5-19.5.dsc
 f9960cf650f06455f075cec2d891c196 107816 net optional dhcp_2.0pl5-19.5.diff.gz
 11687932b23aac23b90df0abc6e421c2 116272 net optional dhcp_2.0pl5-19.5_amd64.deb
 424ccc154ef05cad98fbc1bfcbcbc046 108866 net optional dhcp-client_2.0pl5-19.5_amd64.deb
 4124757171094499c4af9a60e046248c 76236 net optional dhcp-relay_2.0pl5-19.5_amd64.deb
 0619527015f1fdd4bb2eb6d881159c6f 46746 debian-installer optional dhcp-client-udeb_2.0pl5-19.5_amd64.udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFFdEMpmdOZoew2oYURAiMwAJ9ZRjcQkNgGQQN/Q1mKv88IOL/DnQCgk/ie
DdkEubWEhTmE97AkdKCMlS4=
=vKv0
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 12:42:25 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 07:51:19 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.