Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

     ESB-2004.0428 -- US-CERT Technical Cyber Security Alert TA04-174A
                  Multiple Vulnerabilities in ISC DHCP 3
                               23 June 2004


        AusCERT Security Bulletin Summary

Product:                ISC DHCP
Publisher:              US-CERT
Operating System:       BSD variants
                        Linux variants
                        UNIX variants
Impact:                 Execute Arbitrary Code/Commands
                        Denial of Service
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

Hash: SHA1

               Technical Cyber Security Alert TA04-174A
                Multiple Vulnerabilities in ISC DHCP 3

   Original release date: June 22, 2004
   Last revised: --
   Source: US-CERT

Systems Affected

     * ISC DHCP versions 3.0.1rc12 and 3.0.1rc13


   Two vulnerabilities in the ISC DHCP allow a remote attacker to cause a
   denial of the DHCP service on a vulnerable system. It may be possible
   to exploit these vulnerabilities to execute arbitrary code on the

I. Description

   As described in RFC 2131, "the Dynamic Host Configuration Protocol
   (DHCP) provides a framework for passing configuration information to
   hosts on a TCP/IP network." The Internet Systems Consortium's (ISC)
   Dynamic Host Configuration Protocol (DHCP) 3 application contains two
   vulnerabilities that present several potential buffer overflow

   VU#317350 discusses a buffer overflow vulnerability in the temporary
   storage of log lines. In transactions, ISC DHCPD logs every DHCP
   packet along with several pieces of descriptive information. The
   client's DISCOVER and the resulting OFFER, REQUEST, ACK, and NAKs are
   all logged. In all of these messages, if the client supplied a
   hostname, then it is also included in the logged line. As part of the
   DHCP datagram format, a client may specify multiple hostname options,
   up to 255 bytes per option. These options are concatenated by the
   server. If the hostname and options contain only ASCII characters,
   then the string will pass non-ASCII character filters and be
   temporarily stored in 1024 byte fixed-length buffers on the stack. If
   a client supplies enough hostname options, it is possible to overflow
   the fixed-length buffer.

   VU#654390 discusses C include files for systems that do not support
   the bounds checking vsnprintf() function. These files define the
   bounds checking vsnprintf() to the non-bounds checking vsprintf()
   function. Since vsprintf() is a function that does not check bounds,
   the size is discarded, creating the potential for a buffer overflow
   when client data is supplied. Note that the vsnprintf() statements are
   defined after the vulnerable code that is discussed in VU#317350.
   Since the preconditions for this vulnerability are similar to those
   required to exploit VU#317350, these buffer overflow conditions occur
   sequentially in the code after the buffer overflow vulnerability
   discussed in VU#317350, and these issues were discovered and resolved
   at the same time, there is no known exploit path to exploit these
   buffer overflow conditions caused by VU#654390. Note that VU#654390
   was discovered and exploitable once VU#317350 was resolved.

   For both of the vulnerabilities, only ISC DHCP 3.0.1rc12 and ISC DHCP
   3.0.1rc13 are believed to be vulnerable. VU#317350 is exploitable for
   all operating systems and configurations. VU#654390 is only defined
   for the following operating systems:

     * AIX
     * AlphaOS
     * Cygwin32
     * HP-UX
     * Irix
     * Linux
     * NextStep
     * SCO
     * SunOS 4
     * SunOS 5.5
     * Ultrix

   All versions of ISC DCHP 3, including all snapshots, betas, and
   release candidates, contain the flawed code. However, versions other
   than ISC DHCP 3.0.1rc12 and ISC DHCP 3.0.1rc13 discard all but the
   last hostname option provided by the client, so it is not believed
   that these versions are exploitable.

   US-CERT is tracking these issues as VU#317350, which has been assigned
   CVE CAN-2004-0460, and VU#654390, which has been assigned CVE

II. Impact

   Exploitation of these vulnerabilities may cause a denial-of-service
   condition to the DHCP daemon (DHCPD) and may permit a remote attacker
   to execute arbitrary code on the system with the privileges of the
   DHCPD process, typically root.

III. Solution

   Apply patches or upgrade

   These issues have been resolved in ISC DHCP 3.0.1rc14. Your vendor may
   provide specific patches or updates. For vendor-specific information,
   please see your vendor's site, or look for your vendor infomation in
   VU#317350 and VU#654390. As vendors report new information to US-CERT,
   we will update the vulnerability notes.

Appendix B. References

     * http://www.isc.org/sw/dhcp/
     * http://www.kb.cert.org/vuls/id/317350
     * http://www.kb.cert.org/vuls/id/654390

   US-CERT thanks Gregory Duchemin and Solar Designer for discovering,
   reporting, and resolving this vulnerability. Thanks also to David
   Hankins of ISC for notifying us of this vulnerability and the
   technical information provided to create this document.

   Feedback can be directed to the author: Jason A. Rafail

   The latest version of this document can be found at:
   Copyright 2004 Carnegie Mellon University.
   Terms of use:

   Revision History

   June 22, 2004: Initial release

Version: GnuPG v1.2.1 (GNU/Linux)


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967