OpenBSD DHCPD Service Remote Stack Overflow Vulnerability

Vulnerability ID: 1113892    Vulnerability type: Buffer overflow
Published: 2007-11-02    Updated: 2009-03-04
CVE ID: CVE-2007-5365    CNNVD-ID: CNNVD-200710-201
Platform: Multiple    CVSS score: 7.2
|Vulnerability source
https://www.exploit-db.com/exploits/4601
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200710-201
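|Vulnerability details
OpenBSD is an open-source Unix-like operating system. The DHCP protocol implementation in OpenBSD contains a buffer overflow vulnerability that a remote attacker may be able to exploit to take control of the server.

The cons_options() function in OpenBSD's options.c does not correctly handle DHCP requests. If a remote attacker sends a DHCP request that specifies a maximum message size smaller than the minimum IP MTU (278), dhcpd(8) on OpenBSD overwrites a stack buffer, allowing arbitrary instructions to be executed.

The vulnerability is in the function that processes the DHCP options received from the client. In src/usr.sbin/dhcpd/options.c:

    int
    cons_options(struct packet *inpacket, struct dhcp_packet *outpacket,
        int mms, struct tree_cache **options,
        int overload, /* Overload flags that may be set. */
        int terminate, int bootpp, u_int8_t *prl, int prl_len)
    {
            unsigned char priority_list[300];
            int priority_len;
            unsigned char buffer[4096];     /* Really big buffer... */
            int main_buffer_size;
            int mainbufix, bufix;
            int option_size;
            int length;

DHCP_FIXED_LEN, used below, is defined in dhcp.h:

            if (!mms && inpacket &&
                inpacket->options[DHO_DHCP_MAX_MESSAGE_SIZE].data &&
                (inpacket->options[DHO_DHCP_MAX_MESSAGE_SIZE].len >=
                sizeof(u_int16_t)))
                    mms = getUShort(
                        inpacket->options[DHO_DHCP_MAX_MESSAGE_SIZE].data);

            if (mms)
                    main_buffer_size = mms - DHCP_FIXED_LEN;
            else if (bootpp)
                    main_buffer_size = 64;
            else
                    main_buffer_size = 576 - DHCP_FIXED_LEN;

            if (main_buffer_size > sizeof(buffer))
                    main_buf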
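
As an added example (not code from OpenBSD or from the original page), here is a check a packet inspector or server-side guard could apply to the option described above: locate option 57 (Maximum DHCP Message Size) in a DHCP options field and refuse to size anything from a value below the 576-byte minimum that RFC 2132 allows. The function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define OPT_PAD          0
#define OPT_MAX_MSG_SIZE 57   /* DHO_DHCP_MAX_MESSAGE_SIZE on the page */
#define OPT_END          255
#define MIN_LEGAL_MMS    576  /* minimum legal value per RFC 2132, 9.10 */

/* Walk a DHCP options field (the bytes after the magic cookie).
 * Returns the advertised maximum message size, 0 if option 57 is absent
 * or shorter than 2 bytes, -1 if the option stream is malformed. */
int find_mms(const uint8_t *opts, size_t len)
{
    size_t i = 0;
    while (i < len) {
        uint8_t code = opts[i++];
        if (code == OPT_PAD) continue;
        if (code == OPT_END) break;
        if (i >= len) return -1;           /* length byte missing */
        uint8_t olen = opts[i++];
        if (olen > len - i) return -1;     /* value runs past the field */
        if (code == OPT_MAX_MSG_SIZE && olen >= 2)
            return (opts[i] << 8) | opts[i + 1];  /* network byte order */
        i += olen;
    }
    return 0;
}

/* Hypothetical guard: size to budget for a reply. Absent (0) or
 * sub-minimum values are raised to 576; reject -1 before calling. */
int effective_mms(int advertised)
{
    return advertised < MIN_LEGAL_MMS ? MIN_LEGAL_MMS : advertised;
}

/* Constructed sample option fields, not captured traffic. */
static const uint8_t sample_small[] = { 53, 1, 1, 57, 2, 0x00, 0x64, 255 }; /* 100 */
static const uint8_t sample_ok[]    = { 53, 1, 1, 57, 2, 0x05, 0xDC, 255 }; /* 1500 */
static const uint8_t sample_trunc[] = { 53, 1, 1, 57, 2, 0x00 };            /* cut short */

int main(void)
{
    int a = find_mms(sample_small, sizeof sample_small);
    int b = find_mms(sample_ok, sizeof sample_ok);
    int c = find_mms(sample_trunc, sizeof sample_trunc);
    printf("small: %d -> %d\nok: %d -> %d\ntruncated: %d\n",
           a, effective_mms(a), b, effective_mms(b), c);
    return 0;
}
```

A monitoring rule built on find_mms() can alert on any request whose advertised size is non-zero and below 576, since a conforming client never sends one.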
|Exploit
Ubuntu 6.06 DHCPd bug Remote Denial of Service Exploit
Author: RoMaNSoFt <roman@rs-labs.com>

Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/4601.tgz (1022007-DoS-CVE-2007-5365.tgz)

# milw0rm.com [2007-11-02]
|References

Source: BID
Name: 25984
Link: http://www.securityfocus.com/bid/25984
Source: OPENBSD
Name: [4.2] 20071008 001: SECURITY FIX: October 8, 2007
Link: http://www.openbsd.org/errata42.html#001_dhcpd
Source: OPENBSD
Name: [4.1] 20071008 010: SECURITY FIX: October 8, 2007
Link: http://www.openbsd.org/errata41.html#010_dhcpd
Source: OPENBSD
Name: [4.0] 20071008 016: SECURITY FIX: October 8, 2007
Link: http://www.openbsd.org/errata40.html#016_dhcpd
Source: www.openbsd.org
Link: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/dhcpd/options.c
Source: XF
Name: openbsd-dhcp-bo(37045)
Link: http://xforce.iss.net/xforce/xfdb/37045
Source: UBUNTU
Name: USN-531-2
Link: http://www.ubuntu.com/usn/usn-531-2
Source: UBUNTU
Name: USN-531-1
Link: http://www.ubuntu.com/usn/usn-531-1
Source: SECTRACK
Name: 1018794
Link: http://www.securitytracker.com/id?1018794
Source: BID
Name: 32213
Link: http://www.securityfocus.com/bid/32213
Source: BUGTRAQ
Name: 20071102 DoS Exploit for DHCPd bug (Bugtraq ID 25984; CVE-2007-5365)
Link: http://www.securityfocus.com/archive/1/archive/1/483230/100/100/threaded
Source: BUGTRAQ
Name: 20071011 CORE-2007-0928: Stack-based buffer ov