Report forwarded to debian-bugs-dist@lists.debian.org, peloy@debian.org (Eloy A. Paris): Bug#380273; Package dhcp.
Acknowledgement sent to Andrew Steets <asteets@wayport.net>:
New Bug report received and forwarded. Copy sent to peloy@debian.org (Eloy A. Paris).
Subject: DHCP server exits unexpectedly on DHCPOFFER with specific client-identifier
Date: Fri, 28 Jul 2006 15:44:42 -0500
Package: dhcp
Version: 2.0pl5-19.1
There is a bug in ISC DHCP server version 2 that causes the server to
unexpectedly exit when it receives a DHCPOFFER packet with a
client-identifier option which is exactly 32 bytes long.
A malicious user could use this as a sort of denial of service attack on
a version 2 dhcp server. This does not appear to be a problem with the
dhcp version 3 server.
Explanation of the bug:
The DHCP server has a lease struct which contains a buffer (uid_buf)
which is 32 bytes long. If it needs more space, it simply malloc's new
storage. There is an edge condition in supersede_lease() from memory.c
that causes a 32 byte client-identifier to be mistakenly interpreted as
a corrupt uid, and so the server exits with the message "corrupt lease
uid."
To reproduce:
You can use the dhclient included in the dhcp package. Set up a "send
dhcp-client-identifier" directive to send a 32 byte client-identifier,
and then activate dhclient. The dhcp server will exit as soon as it
receives the DHCPDISCOVER packet.
More info:
This is not a stack overflow issue. There does not seem to be any
possibility of remote compromise from this issue.
Windows clients generally do not send client-identifier options greater
than 6 bytes, but it looks like Mac OS X uses a longer string. That is
how we originally noticed the issue.
The short patch below resolves the issue.
Andrew Steets
Wayport Software Engineering
asteets@wayport.net
(512) 519-6061
*** common/memory.c 1999-05-27 12:47:43.000000000 -0500
--- ../fixed/dhcp-2.0pl5/common/memory.c 2006-07-28 14:25:32.796953968 -0500
***************
*** 528,534 ****
/* Copy the data files, but not the linkages. */
comp -> starts = lease -> starts;
if (lease -> uid) {
! if (lease -> uid_len < sizeof (lease -> uid_buf)) {
memcpy (comp -> uid_buf,
lease -> uid, lease -> uid_len);
comp -> uid = &comp -> uid_buf [0];
--- 528,534 ----
/* Copy the data files, but not the linkages. */
comp -> starts = lease -> starts;
if (lease -> uid) {
! if (lease -> uid_len <= sizeof (lease -> uid_buf)) {
memcpy (comp -> uid_buf,
lease -> uid, lease -> uid_len);
comp -> uid = &comp -> uid_buf [0];
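Review bot: the hunk widens the "fits in uid_buf" test from `<` to `<=`, but the context lines stop before the branch that emits "corrupt lease uid." (the one the report says a 32-byte identifier falls into), so the diff alone does not show that the storage site which decides whether a uid lives inline in uid_buf or in malloc'd memory uses the same `<=` boundary; either extend the context to include that else branch or state in the changelog that both sites now agree on sizeof (lease -> uid_buf). Also worth a one-line comment at the `memcpy`: copying exactly sizeof (lease -> uid_buf) bytes fills uid_buf with no terminator, which is only safe because the length travels separately in uid_len, and a reader of this line cannot tell that from the hunk.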
Information forwarded to debian-bugs-dist@lists.debian.org, peloy@debian.org (Eloy A. Paris): Bug#380273; Package dhcp.
Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to peloy@debian.org (Eloy A. Paris).
Subject: Re: DHCP server exits unexpectedly on DHCPOFFER with specific client-identifier
Date: Sat, 29 Jul 2006 12:11:02 +0200
I have assigned CVE-2006-3122 to this issue.
Eloy, please let us know which version in sid fixes the problem
when you upload a package.
Andrew, is it ok when we credit you in the advisory for discovery?
Andrew Steets wrote:
> There is a bug in ISC DHCP server version 2 that causes the server to
> unexpectedly exit when it receives a DHCPOFFER packet with a
> client-identifier option which is exactly 32 bytes long.
>
> A malicious user could use this as a sort of denial of service attack on
> a version 2 dhcp server. This does not appear to be a problem with the
> dhcp version 3 server.
>
> Explanation of the bug:
> The DHCP server has a lease struct which contains a buffer (uid_buf)
> which is 32 bytes long. If it needs more space, it simply malloc's new
> storage. There is an edge condition in supersede_lease() from memory.c
> that causes a 32 byte client-identifier to be mistakenly interpreted as
> a corrupt uid, and so the server exits with the message "corrupt lease
> uid."
Well spotted!
Thanks a lot for the research and the patch.
Regards,
Joey
--
MIME - broken solution for a broken design. -- Ralf Baechle
Please always Cc to me when replying to me on the lists.
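The failure Andrew describes, and that Joey quotes above, as an added C model written for this page. It is not ISC DHCP's memory.c: the struct lease, lease_set_uid(), supersede_uid() and probe() below are reconstructed from the report and the patch. The assumption made here is that the site recording a client-identifier stores anything up to and including 32 bytes inline in uid_buf, while the copy in supersede_lease() tested with `<`, so a uid of exactly 32 bytes is neither "fits" nor "separately allocated" and lands in the branch the server treats as corrupt. The model returns a result code where the real server logs "corrupt lease uid." and exits, so the original and patched comparisons can be driven side by side.

```c
/* Added example: a model of the off-by-one described in Bug#380273.
 * Not ISC DHCP's code; struct layout and function names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UID_BUF_SIZE 32   /* the 32-byte uid_buf the report mentions */

struct lease {
    unsigned char uid_buf[UID_BUF_SIZE]; /* inline storage for short identifiers */
    unsigned char *uid;                  /* points into uid_buf or at malloc'd memory */
    size_t uid_len;
};

/* Record a client-identifier on a lease. Identifiers that fit in uid_buf,
 * including one of exactly UID_BUF_SIZE bytes, are stored inline; longer
 * ones are malloc'd. Returns 0 on success, -1 on allocation failure. */
int lease_set_uid(struct lease *l, const unsigned char *id, size_t len)
{
    if (len <= sizeof(l->uid_buf)) {
        memcpy(l->uid_buf, id, len);
        l->uid = l->uid_buf;
    } else {
        l->uid = malloc(len);
        if (!l->uid) return -1;
        memcpy(l->uid, id, len);
    }
    l->uid_len = len;
    return 0;
}

/* What the copy step of supersede_lease() decided. */
enum copy_result { COPY_OK_INLINE, COPY_OK_MOVED, COPY_CORRUPT };

/* Copy the uid from `lease` into `comp`. `fixed` selects the patched
 * comparison (<=) instead of the original (<). With the original, a uid of
 * exactly UID_BUF_SIZE bytes fails the "fits" test, yet still points into
 * uid_buf, so it falls through to the branch the server aborts on. */
enum copy_result supersede_uid(struct lease *comp, struct lease *lease, int fixed)
{
    size_t limit = sizeof(lease->uid_buf);
    int fits = fixed ? (lease->uid_len <= limit) : (lease->uid_len < limit);

    if (fits) {
        /* uid_len <= sizeof(uid_buf) here, so the memcpy stays in bounds;
         * no terminator is needed because the length is carried in uid_len. */
        memcpy(comp->uid_buf, lease->uid, lease->uid_len);
        comp->uid = comp->uid_buf;
        comp->uid_len = lease->uid_len;
        return COPY_OK_INLINE;
    }
    if (lease->uid != lease->uid_buf) {
        /* Separate heap storage: take ownership of the pointer. */
        comp->uid = lease->uid;
        comp->uid_len = lease->uid_len;
        lease->uid = NULL;
        return COPY_OK_MOVED;
    }
    /* uid points into uid_buf but did not pass the "fits" test:
     * the real server reports "corrupt lease uid." here and exits. */
    return COPY_CORRUPT;
}

/* Build a lease with a constructed client-identifier of `len` bytes and
 * report what supersede_uid() decides for it. */
enum copy_result probe(size_t len, int fixed)
{
    unsigned char id[64];           /* constructed identifier, all 'A' */
    struct lease from, to;
    enum copy_result r;

    if (len > sizeof id) return COPY_CORRUPT;
    memset(id, 'A', sizeof id);
    memset(&from, 0, sizeof from);
    memset(&to, 0, sizeof to);
    if (lease_set_uid(&from, id, len) != 0) return COPY_CORRUPT;
    r = supersede_uid(&to, &from, fixed);
    /* release heap storage from whichever lease owns it after the copy */
    if (from.uid && from.uid != from.uid_buf) free(from.uid);
    if (to.uid && to.uid != to.uid_buf) free(to.uid);
    return r;
}

int main(void)
{
    static const char *names[] = { "inline", "moved", "CORRUPT (server exits)" };
    size_t lens[] = { 6, 31, 32, 33 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("uid_len=%2zu  original: %-24s patched: %s\n", lens[i],
               names[probe(lens[i], 0)], names[probe(lens[i], 1)]);
    return 0;
}
```

Only the 32-byte row differs between the two columns: 6 and 31 bytes are copied inline by both, 33 bytes is heap storage handed over by both, and 32 bytes is reported corrupt by the original comparison and copied inline by the patched one, which is the Mac OS X case the report mentions.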
Severity set to `grave' from `normal'
Request was from Stefan Fritsch <sf@sfritsch.de>
to control@bugs.debian.org.
Tags added: security
Request was from Stefan Fritsch <sf@sfritsch.de>
to control@bugs.debian.org.
Tags added: patch
Request was from Andreas Barth <aba@not.so.argh.org>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, peloy@debian.org (Eloy A. Paris): Bug#380273; Package dhcp.
Acknowledgement sent to Andreas Barth <aba@not.so.argh.org>:
Extra info received and forwarded to list. Copy sent to peloy@debian.org (Eloy A. Paris).
Source: dhcp
Source-Version: 2.0pl5-19.5
We believe that the bug you reported is fixed in the latest version of
dhcp, which is due to be installed in the Debian FTP archive:
dhcp-client-udeb_2.0pl5-19.5_amd64.udeb
to pool/main/d/dhcp/dhcp-client-udeb_2.0pl5-19.5_amd64.udeb
dhcp-client_2.0pl5-19.5_amd64.deb
to pool/main/d/dhcp/dhcp-client_2.0pl5-19.5_amd64.deb
dhcp-relay_2.0pl5-19.5_amd64.deb
to pool/main/d/dhcp/dhcp-relay_2.0pl5-19.5_amd64.deb
dhcp_2.0pl5-19.5.diff.gz
to pool/main/d/dhcp/dhcp_2.0pl5-19.5.diff.gz
dhcp_2.0pl5-19.5.dsc
to pool/main/d/dhcp/dhcp_2.0pl5-19.5.dsc
dhcp_2.0pl5-19.5_amd64.deb
to pool/main/d/dhcp/dhcp_2.0pl5-19.5_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 380273@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Barth <aba@not.so.argh.org> (supplier of updated dhcp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 4 Dec 2006 15:15:00 +0000
Source: dhcp
Binary: dhcp dhcp-client dhcp-client-udeb dhcp-relay
Architecture: source amd64
Version: 2.0pl5-19.5
Distribution: unstable
Urgency: low
Maintainer: Eloy A. Paris <peloy@debian.org>
Changed-By: Andreas Barth <aba@not.so.argh.org>
Description:
dhcp - DHCP server for automatic IP address assignment
dhcp-client - DHCP Client
dhcp-client-udeb - DHCP Client for debian-installer (udeb)
dhcp-relay - DHCP Relay
Closes: 322860 380273
Changes:
dhcp (2.0pl5-19.5) unstable; urgency=low
.
* Non-maintainer upload.
* Add 117_fix_CVE-2006-3122 to fix remote DOS, CVE-2006-3122.
Thanks to Andrew Steets for detecting and the patch. Closes: #380273
* Update 202_script_resolvconf-support to not break resolv.conf even if
domain_name is empty/undefined. Closes: #322860
Files:
4fc6878de216c3b1582643b20067371d 673 net optional dhcp_2.0pl5-19.5.dsc
f9960cf650f06455f075cec2d891c196 107816 net optional dhcp_2.0pl5-19.5.diff.gz
11687932b23aac23b90df0abc6e421c2 116272 net optional dhcp_2.0pl5-19.5_amd64.deb
424ccc154ef05cad98fbc1bfcbcbc046 108866 net optional dhcp-client_2.0pl5-19.5_amd64.deb
4124757171094499c4af9a60e046248c 76236 net optional dhcp-relay_2.0pl5-19.5_amd64.deb
0619527015f1fdd4bb2eb6d881159c6f 46746 debian-installer optional dhcp-client-udeb_2.0pl5-19.5_amd64.udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFFdEMpmdOZoew2oYURAiMwAJ9ZRjcQkNgGQQN/Q1mKv88IOL/DnQCgk/ie
DdkEubWEhTmE97AkdKCMlS4=
=vKv0
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 26 Jun 2007 12:42:25 GMT)