COMMAND

ISC DHCPDv3 remote root compromise

SYSTEMS AFFECTED

ISC DHCPD version 3.0.1rc8 and older

PROBLEM

In Fermín J. Serna [fjserna@ngsec.com] of NGSEC [http://www.ngsec.com] advisory [NGSEC-2002-2]:

ISC DHCPD (in its version 3) is compiled by default with NSUPDATE. If ISC DHCPD is configured to make a dns-update when a dhcp request arrives, it will send a dns-update request to the configured DNS server. When the DNS server sends the response, the ISC DHCPD parses the packet and logs the result of the dns-update request in the following way:

    if (errorp)
        log_error (obuf);
    else
        log_info (obuf);

This code lacks a format string. Since "obuf" contains some user-supplied data such as the client hostname, an attacker can query the ISC DHCP server with a hostname field containing a malign format string (%n). This vulnerability can be exploited on local LANs, LANs with DHCP relay servers, or by acting as a fake DHCP relay server.

SOLUTION

You can upgrade to a newer version or apply the following patch:

--- common/print.c	Tue Apr  9 13:41:17 2002
+++ common/print.c.patched	Tue Apr  9 13:41:56 2002
@@ -1366,8 +1366,8 @@
 		*s++ = '.';
 		*s++ = 0;
 		if (errorp)
-			log_error (obuf);
+			log_error ("%s",obuf);
 		else
-			log_info (obuf);
+			log_info ("%s",obuf);
 	}
 #endif /* NSUPDATE */
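Review bot: the fix is correct at both call sites in the hunk: obuf moves from the format-string position to a "%s" argument in the log_error and log_info branches, so any %n or %s directive carried in the client-supplied hostname is printed as data instead of being interpreted. Because the hunk touches only this one place in common/print.c, the same non-literal-format pattern should be checked at the other log_error/log_info callers in the tree; declaring those functions with the printf format attribute and building with -Wformat -Wformat-security makes the compiler flag every remaining instance automatically.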
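The patched call pattern above, as an added example that is not part of the advisory or of ISC DHCPD: dhcp_log() is a hypothetical stand-in for log_error()/log_info(), declared with the printf format attribute so the compiler rejects the pre-patch log_info(obuf) form, and log_dns_update_result() builds a constructed status line around a client hostname that carries %n directives to show they stay inert when obuf is passed as an argument.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Last rendered log line, kept so callers (and a test) can inspect
 * exactly what would have reached the log. */
static char last_line[512];

/* Hypothetical stand-in for ISC DHCPD's log_error()/log_info().
 * The format attribute makes GCC/Clang (-Wformat -Wformat-security)
 * warn on a non-literal format such as dhcp_log(errorp, obuf). */
__attribute__((format(printf, 2, 3)))
static void dhcp_log(int errorp, const char *fmt, ...)
{
    va_list ap;
    /* Prefix mirrors the two branches of the original code. */
    int n = snprintf(last_line, sizeof last_line, "%s: ",
                     errorp ? "error" : "info");
    if (n < 0 || (size_t)n >= sizeof last_line)
        n = 0;
    va_start(ap, fmt);
    vsnprintf(last_line + n, sizeof last_line - (size_t)n, fmt, ap);
    va_end(ap);
}

/* Builds a constructed dns-update status line (the message text is
 * made up here) that embeds the client-supplied hostname, then logs
 * it the way the patch does: obuf is an argument, never the format. */
const char *log_dns_update_result(const char *client_hostname, int errorp)
{
    char obuf[256];
    snprintf(obuf, sizeof obuf, "dns-update for client %s %s",
             client_hostname, errorp ? "failed" : "succeeded");

    /* Pre-patch form, rejected at compile time by the attribute above:
     *     dhcp_log(errorp, obuf);
     * Patched form: the hostname's %n is printed literally.           */
    dhcp_log(errorp, "%s", obuf);
    return last_line;
}
```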