Vulnerability

ISC DHCP

Affected

ISC DHCP prior to 2.0pl1

Description

Ted Lemon posted the following. Somebody at OpenBSD discovered a possible root exploit in the ISC DHCP client. This exploit is present in all versions of the ISC DHCP client prior to 2.0pl1 and 3.0b1pl14. That somebody at OpenBSD who found it was Todd T. Fries. He tried the following:

    shared-network LOCAL-NET {
        option domain-name "my.`echo hi > /tmp/oops`.domain";
        option domain-name-servers 192.168.1.3, 192.168.1.5;
        subnet 192.168.1.0 netmask 255.255.255.0 {
            option routers 192.168.1.1;
            range 192.168.1.32 192.168.1.127;
        }
    }

... and when dhclient finished running I had a nice little present in /tmp/ named 'oops' that contained the string 'hi' ..

The versions of the ISC DHCP client in debian 2.1 (slink) and debian 2.2 (potato) are vulnerable to a root exploit.

Conectiva Linux does not ship dhcp with the client part in the binary package. It is explicitly disabled during the RPM package building process.

Solution

Anybody who is using versions of the ISC DHCP client other than those mentioned above is strongly urged to upgrade. Please visit http://www.openbsd.org/errata.hml#dhclient for links to the patches for OpenBSD.

The reported vulnerability is fixed for Debian users in the package dhcp-client-beta 2.0b1pl6-0.3 for the current stable release (debian 2.1) and in dhcp-client 2.0-3potato1 for the frozen pre-release (debian 2.2). The dhcp server and relay agents are built from the same source as the client; however, the server and relay agents are not vulnerable to this issue and do not need to be upgraded.

For Mandrake Linux please upgrade to:

    6.0/RPMS/dhcp-3.0b1pl12-6mdk.i586.rpm
    6.0/RPMS/dhcp-client-3.0b1pl12-6mdk.i586.rpm
    src: 6.0/SRPMS/dhcp-3.0b1pl12-6mdk.src.rpm

    6.1/RPMS/dhcp-3.0b1pl12-6mdk.i586.rpm
    6.1/RPMS/dhcp-client-3.0b1pl12-6mdk.i586.rpm
    src: 6.1/SRPMS/dhcp-3.0b1pl12-6mdk.src.rpm

    7.0/RPMS/dhcp-3.0b1pl12-6mdk.i586.rpm
    7.0/RPMS/dhcp-client-3.0b1pl12-6mdk.i586.rpm
    src: 7.0/SRPMS/dhcp-3.0b1pl12-6mdk.src.rpm

    7.1/RPMS/dhcp-3.0b1pl12-6mdk.i586.rpm
    7.1/RPMS/dhcp-client-3.0b1pl12-6mdk.i586.rpm
    src: 7.1/SRPMS/dhcp-3.0b1pl12-6mdk.src.rpm

For NetBSD, all dhclient releases before 2000/07/10 are vulnerable. Systems running formal releases of NetBSD-1.4.2 and prior may be vulnerable. Systems running versions of NetBSD prior to 1.4 should be upgraded to NetBSD 1.4.2 before applying the fixes described here. If your system does not and will never run the "/sbin/dhclient" daemon to dynamically obtain an IP address, your system is not vulnerable to this problem.

If you are running any NetBSD 1.4.x release, you should download the patch listed below and apply it to src/usr.sbin/dhcp/client/options.c using the patch(1) command. If you are running NetBSD-current or NetBSD-release, you should update your source tree (with either sup or anonymous CVS) to a version containing the fix. The problem was corrected on the NetBSD-current mainline on 2000/06/24, on the netbsd-1-4 release branch on 2000/06/29, and on the netbsd-1-5 release branch on 2000/07/10. In all cases you should then rebuild and reinstall DHCP:

    % cd src/usr.sbin/dhcp
    % make all
    # make install

You should then kill off and restart any existing dhclient processes.

Patch for all releases of 1.4.x:

    ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000708-dhclient

For SuSE Linux:

    AXP:
    ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/dhclient-2.0pl2-3.alpha.rpm
    ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/dhclient-2.0pl2-3.alpha.rpm

    i386:
    ftp://ftp.suse.com/pub/suse/i386/update/6.1/n1/dhclient-2.0pl2-3.i386.rpm
    ftp://ftp.suse.com/pub/suse/i386/update/6.2/n1/dhclient-2.0pl2-3.i386.rpm
    ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/dhclient-2.0pl2-3.i386.rpm
    ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/dhclient-2.0pl2-3.i386.rpm

    PPC:
    ftp://ftp.suse.com/pub/suse/ppc/update/6.3/n1/dhclient-2.0pl2-3.ppc.rpm
    ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/dhclient-2.0pl2-3.ppc.rpm

For FreeBSD, disable the use of DHCP for configuring client machines: remove the case-insensitive string "dhcp" from the "ifconfig_<foo>" directives in /etc/rc.conf and replace it with appropriate static interface configuration according to the rc.conf(5) manpage. An example of a DHCP-enabled interface is the following line in /etc/rc.conf:

    ifconfig_xl0="DHCP"

Patches:

    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/isc-dhcp3-3.0.b1.17.tgz
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/isc-dhcp3-3.0.b1.17.tgz
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/isc-dhcp3-3.0.b1.17.tgz
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/isc-dhcp3-3.0.b1.17.tgz
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/isc-dhcp3-3.0.b1.17.tgz
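
The report in the Description shows a server-supplied domain-name value being interpreted by a shell on the client. As an added illustration (not ISC's patch and not code from this advisory), the C code below allow-lists DNS-name characters before an option value is placed in a script variable; the function names and the new_domain_name variable name are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not ISC code. Returns 1 only for a plain DNS name
 * (letters, digits, '-' and '.'), 0 for anything else. */
int domain_name_is_safe(const char *name)
{
    size_t total = strlen(name), label_len = 0, i;
    if (total == 0 || total > 253 || name[total - 1] == '-')
        return 0;
    for (i = 0; i < total; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            /* Reject empty labels and labels that end in '-'. */
            if (label_len == 0 || name[i - 1] == '-')
                return 0;
            label_len = 0;
            continue;
        }
        /* Allow-list: backtick, '$', ';', quotes, spaces and control
         * bytes are refused outright rather than escaped. */
        if (c >= 128 || (!isalnum(c) && c != '-'))
            return 0;
        /* No leading '-' in a label; labels are at most 63 bytes. */
        if ((c == '-' && label_len == 0) || ++label_len > 63)
            return 0;
    }
    return 1;
}

/* Hypothetical helper: build the NAME=value string for the configuration
 * script only if the value passes. Returns 0 on success, -1 if refused. */
int build_script_var(const char *value, char *out, size_t outlen)
{
    int n;
    if (!domain_name_is_safe(value))
        return -1;
    n = snprintf(out, outlen, "new_domain_name=%s", value);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char buf[300];
    /* Value from the report above: the helper refuses it. */
    printf("%d\n", build_script_var("my.`echo hi > /tmp/oops`.domain", buf, sizeof buf));
    return 0;
}
```

Refusing the value, rather than trying to escape it, keeps the check independent of how the receiving script quotes its variables.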