DHCP server can take over client
Specially crafted DHCP servers can take control of a PC if the PC is running the DHCP client supplied by the Internet Systems Consortium (ISC), dhclient. This is the default set-up in Ubuntu, the BSDs and many other Linux distributions. According to an ISC advisory, the vulnerability is a stack buffer overflow that allows an attacker to inject arbitrary code into the system and execute it with root privileges (dhclient runs as root so that it can configure network interfaces). The overflow is triggered in the script_write_params() function by an excessively long subnet mask option supplied by the server.
The client-server bundles DHCP 4.1, DHCP 4.0, DHCP 3.1, DHCP 3.0 and DHCP 2.0 are all affected. ISC has released the updated versions 4.1.0p1, 4.0.1p1 and 3.1.2p1 to close the hole, and updated packages are already being distributed by the Linux distributors. Reportedly, no patches will be issued for DHCP 3.0 and DHCP 2.0, as ISC no longer supports these versions.
ISC considers successful attacks in closed networks unlikely, since an attacker would have to run a rogue DHCP server on the local network. Most administrators, however, will have encountered unauthorised DHCP servers in their networks before: these are usually inadvertently connected devices, so the appearance of yet another DHCP server might not raise an immediate alarm. Mobile users are more exposed, for example in public Wi-Fi networks or in uncontrolled LANs such as large LAN parties, where anyone on the segment can answer a client's DHCP request and the client has no way to authenticate the reply.
According to Marcus Meissner from SUSE, the vulnerability doesn't affect Red Hat and SUSE because their dhclient packages are built with the FORTIFY_SOURCE feature. With it, the GNU Compiler Collection (GCC) determines the size of the destination buffer at compile time, and glibc substitutes a checked variant of the copy routine (the overflowing call is a memcpy() into a fixed-size buffer on the stack) that verifies that no more than the buffer's 20 bytes are copied. If the copy would exceed the buffer, the program is aborted. A rogue server can therefore still crash dhclient on these systems, leaving the machine without a lease, but it cannot execute code.
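The overflow pattern and the bounds check that closes it, as an added example that is not ISC's code: a simplified stand-in for the subnet-mask handling in script_write_params(), together with a small parser for the DHCP options field so that an oversized option can be fed through it end to end. The struct layout, the function names and the option bytes below are assumptions constructed for illustration, not material from the advisory.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Simplified stand-in for dhclient's address type: a length plus a 16-byte
   buffer (room for an IPv4 or IPv6 address). Illustrative, not ISC's source. */
struct iaddr {
    unsigned len;
    unsigned char iabuf[16];
};

#define DHO_SUBNET_MASK 1   /* DHCP option code for the subnet mask (RFC 2132) */

/* Vulnerable pattern: the destination is a local on the stack and the copy
   length is whatever the server sent, so a mask longer than 16 bytes
   overwrites the stack frame. Built with -O2 -D_FORTIFY_SOURCE=2, GCC knows
   the size of iabuf here and emits __memcpy_chk(), which aborts the process
   instead of letting the copy run past the buffer. */
static unsigned write_subnet_unchecked(const unsigned char *mask, size_t mask_len)
{
    struct iaddr subnet;
    memcpy(subnet.iabuf, mask, mask_len);   /* no bounds check */
    subnet.len = (unsigned)mask_len;
    return subnet.len;
}

/* Fixed pattern: refuse a mask that does not fit. Returns 1 if the mask was
   stored, 0 if it was rejected (subnet->len is then 0). */
static int set_subnet_checked(struct iaddr *subnet, const unsigned char *mask,
                              size_t mask_len)
{
    if (mask_len > sizeof subnet->iabuf) {
        subnet->len = 0;
        return 0;
    }
    memcpy(subnet->iabuf, mask, mask_len);
    subnet->len = (unsigned)mask_len;
    return 1;
}

/* Walk a raw DHCP options field (code, length, value triples; code 0 is a
   pad byte, 255 ends the field) looking for option 'want'. Returns 1 and sets
   *data/*len on success, 0 if the option is absent or a length runs past the
   end of the buffer. */
static int find_option(const unsigned char *opts, size_t opts_len, uint8_t want,
                       const unsigned char **data, size_t *len)
{
    size_t i = 0;
    while (i < opts_len) {
        uint8_t code = opts[i++];
        if (code == 0) continue;              /* pad */
        if (code == 255) break;               /* end */
        if (i >= opts_len) return 0;          /* length byte missing */
        size_t l = opts[i++];
        if (l > opts_len - i) return 0;       /* value runs past the buffer */
        if (code == want) {
            *data = opts + i;
            *len = l;
            return 1;
        }
        i += l;
    }
    return 0;
}

/* Handle the subnet-mask option of a lease the way a hardened client should.
   Returns the accepted mask length, 0 if the mask was rejected as too long,
   or -1 if the options field carries no usable subnet-mask option. */
static int check_mask_option(const unsigned char *opts, size_t opts_len)
{
    const unsigned char *mask;
    size_t mask_len;
    struct iaddr subnet;

    if (!find_option(opts, opts_len, DHO_SUBNET_MASK, &mask, &mask_len))
        return -1;
    if (!set_subnet_checked(&subnet, mask, mask_len))
        return 0;
    return (int)subnet.len;
}

/* Constructed option fields for the demonstration, not captured traffic. */
static const unsigned char benign_opts[] = {
    53, 1, 5,                        /* DHCP message type: ACK */
    1, 4, 255, 255, 255, 0,          /* subnet mask 255.255.255.0 */
    255
};
static const unsigned char hostile_opts[] = {
    53, 1, 5,
    1, 24,                           /* a 24-byte "subnet mask" */
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    255
};
static const unsigned char truncated_opts[] = {
    1, 10, 255, 255                  /* claims 10 bytes, carries only 2 */
};

int main(void)
{
    printf("benign mask:     %d\n", check_mask_option(benign_opts, sizeof benign_opts));
    printf("hostile mask:    %d\n", check_mask_option(hostile_opts, sizeof hostile_opts));
    printf("truncated field: %d\n", check_mask_option(truncated_opts, sizeof truncated_opts));
    /* The unchecked copy only survives a well-behaved server; calling it with
       the 24-byte mask above would corrupt the stack. */
    printf("unchecked copy stored %u bytes\n", write_subnet_unchecked(benign_opts + 5, 4));
    return 0;
}
```

The checked function returns 4 for the benign field, 0 for the 24-byte mask and -1 for the truncated field. With the hardened client the hostile mask is simply dropped and the lease can still be evaluated; with the unchecked variant the same bytes would be written over the frame of the calling function, which is the condition the advisory describes.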
- DHCP Stack Overflow in 'dhclient' script_write_params(), an advisory from ISC.
- ISC DHCP dhclient stack buffer overflow, an advisory from US-CERT.
- Evolving DNS malware, a report from The H.