CVE-2009-0692
Published 2009-07-14. CVE-2009-0692: Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before…
Priority: P266, critical · CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C) · Exploit: available · EPSS: 25.78% (97.7th percentile)
Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| isc | dhcp | — | — |
| isc | dhcp | — | — |
| isc | dhcp | — | — |
| isc | dhcp | — | — |
| isc | dhcp | — | — |
Detection & IOCs (extracted from sources)
- Snort: GID 3, SID 15700
- Bytes: Malicious subnet mask DHCP option: \x01 <len> <oversized payload>
- Bytes: DHCP ACK option bytes: \x35\x01\x05 (msg type ACK) followed by oversized option 1 (subnet mask)
- Detect an oversized DHCP subnet-mask option (option code 0x01) in a DHCP ACK (option 53 = 0x05) packet on UDP port 67/68. A legitimate subnet mask is exactly 4 bytes; any DHCP ACK carrying option 1 with length > 4 is malicious.
- The exploit fixes up the stack by writing readable addresses into the es.client and es.prefix fields during the overflow, then overwrites the saved return address (RET). Inspect DHCP subnet-mask option payloads for embedded pointer-like 4-byte aligned values followed by a 4-byte value of \x04\x00\x00\x00 at a fixed offset.
- The attack is local-network only (rogue DHCP server on the same segment). High-risk environments include shared WiFi (hotels, conferences, airports). Enforce DHCP snooping on managed switches to block unauthorized DHCP servers.
- Ubuntu 8.10 and higher had the patch improperly applied, but the default compiler options (stack protector) reduced the vulnerability to denial of service only rather than code execution.
- Ubuntu 9.04 and higher provided additional mitigation via the AppArmor dhclient3 profile, isolating attackers even if exploitation was attempted.
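The length check described in the first detection item, written out as an added example (not code from the page's sources or from ISC): it walks the DHCP option TLVs after the magic cookie and flags a DHCPACK whose option 1 is longer than the 4 bytes a subnet mask can ever be. The packet builder at the bottom produces constructed sample input for testing; the 236-byte fixed-header offset and the option codes come from RFC 2131/2132, and the finding text is this example's own wording.

```python
# Added example: flag DHCP ACKs carrying an oversized subnet-mask option.
# Layout per RFC 2131/2132: 236-byte fixed header, 4-byte magic cookie, then
# TLV options (code, length, value); code 0 is a 1-byte pad, code 255 ends.
from typing import List, Optional, Tuple

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
FIXED_HEADER_LEN = 236
OPT_PAD, OPT_SUBNET_MASK, OPT_MSG_TYPE, OPT_END = 0, 1, 53, 255
DHCPACK = 5


def parse_dhcp_options(payload: bytes) -> List[Tuple[int, bytes]]:
    """Walk the option TLVs that follow the magic cookie.

    Returns every (code, value) pair in order, duplicates included, so the
    detector can examine all occurrences rather than only the first. Raises
    ValueError for payloads that are not DHCP or whose TLVs run off the end.
    """
    cookie_end = FIXED_HEADER_LEN + 4
    if payload[FIXED_HEADER_LEN:cookie_end] != DHCP_MAGIC_COOKIE:
        raise ValueError("no DHCP magic cookie at offset 236")
    options = []
    i = cookie_end
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(payload):
            raise ValueError("option header truncated")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d declares %d bytes but the packet ends early"
                             % (code, length))
        options.append((code, value))
        i += 2 + length
    return options


def check_subnet_mask_option(payload: bytes) -> Optional[str]:
    """Return a finding for a DHCPACK whose option 1 exceeds 4 bytes (the
    CVE-2009-0692 trigger condition), or None when the packet looks normal."""
    options = parse_dhcp_options(payload)
    msg_types = [v for c, v in options if c == OPT_MSG_TYPE]
    if not msg_types or msg_types[0] != bytes([DHCPACK]):
        return None  # the rule is scoped to DHCPACK, as on the page
    for code, value in options:
        if code == OPT_SUBNET_MASK and len(value) > 4:
            return ("DHCPACK with oversized subnet-mask option: %d bytes (expected 4)"
                    % len(value))
    return None


def build_dhcp_reply(msg_type: int, subnet_mask: bytes) -> bytes:
    """Constructed sample packet for testing (not a capture): a minimal
    BOOTREPLY header, the magic cookie, then option 53 and option 1."""
    header = bytes([2, 1, 6, 0]) + b"\x00" * (FIXED_HEADER_LEN - 4)
    options = (bytes([OPT_MSG_TYPE, 1, msg_type])
               + bytes([OPT_SUBNET_MASK, len(subnet_mask)]) + subnet_mask
               + bytes([OPT_END]))
    return header + DHCP_MAGIC_COOKIE + options


if __name__ == "__main__":
    for label, pkt in [
        ("normal ack", build_dhcp_reply(DHCPACK, b"\xff\xff\xff\x00")),
        ("oversized mask", build_dhcp_reply(DHCPACK, b"\xff" * 8)),
    ]:
        print(label, "->", check_subnet_mask_option(pkt))
```

The parser reports every occurrence of option 1 rather than the first, so a packet that hides the oversized copy behind a well-formed one is still flagged. It only looks at the options area after the cookie; a reply that uses option 52 (option overload) to place options in the sname or file fields would need those regions parsed as well, which this example does not do.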
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vendor_redhat | — | 10.0 | CRITICAL | — |
Ubuntu
Dhcp vulnerability
vendor_ubuntu · 2010-01-27
USN-803-1 fixed a vulnerability in Dhcp. Due to an error, the patch to
fix the vulnerability was not properly applied on Ubuntu 8.10 and higher.
Even with the patch improperly applied, the default compiler options
reduced the vulnerability to a denial of service. Additionally, in Ubuntu
9.04 and higher, users were also protected by the AppArmor dhclient3
profile. This update fixes the problem.
Original advisory details:
It was discovered that the DHCP client as included in dhcp3 did not verify
the length of certain option fields when processing a response from an IPv4
dhcp server. If a user running Ubuntu 6.06 LTS or 8.04 LTS connected to a
malicious dhcp server, a remote attacker could cause a denial of service or
execute arbitrary
Red Hat
dhclient: stack overflow leads to arbitrary code execution as root
vendor_redhat · 2009-07-14 · CVSS 10.0 · CRITICAL · CWE-130
Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option.
Statement: This issue affected the dhcp packages as shipped with Red Hat Enterprise Linux 3 and 4.
This issue did not affect the dhcp packages as shipped with Red Hat Enterprise Linux 5 due to the use of FORTIFY_SOURCE protection mechanism that changes the exploitability of the issue into a controlled application termination.
Ubuntu
dhcp vulnerability
vendor_ubuntu · 2009-07-14
It was discovered that the DHCP client as included in dhcp3 did not verify
the length of certain option fields when processing a response from an IPv4
dhcp server. If a user running Ubuntu 6.06 LTS or 8.04 LTS connected to a
malicious dhcp server, a remote attacker could cause a denial of service or
execute arbitrary code as the user invoking the program, typically the
'dhcp' user. For users running Ubuntu 8.10 or 9.04, a remote attacker
should only be able to cause a denial of service in the DHCP client. In
Ubuntu 9.04, attackers would also be isolated by the AppArmor dhclient3
profile.
Instructions: After a standard system upgrade you need to restart any DHCP network
connections utilizing dhclient3 to effect the necessary changes.
GHSA
GHSA-cjw8-pp44-m8v2: Stack-based buffer overflow in the script_write_params method in client/dhclient
ghsa_unreviewed · 2022-05-02 · HIGH · CWE-119
Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option.
No detection rules found.
Talos
Don’t read this post
blogs_talos · 2009-07-22 · CVSS 10.0 · CRITICAL
So Lurene is mad at me, me being Matt W. The reason for this is the following conversation.
Me: Hey you guys see the US-CERT notice on ISC dhclient overflow?
Lurene: Yup, working on coverage right now for release today.
Lurene: You do know this vuln is awesome right?
Me: How so?
Lurene: Well, it's in every major linux/bsd/etc distro, and those guys' patch process and auto-update tools suck. Everyone will be vulnerable for a long time.
Me: Ok, but it's local network only. (Me checks my Ubuntu box for an update, not there yet, ...) (Me also checks my mac real quick, sweet, doesn't run dhclient)
Lurene: Yeah, like hotel network, or conferences......
Me: Oh I get it, you want to play with your toys at Defcon
Lurene: Your words not mine, but my exploit already works..... and with all the Windows Vuln
Talos
Rule release for today - July 16th 2009
blogs_talos · 2009-07-16 · CVSS 10.0 · CRITICAL
For those of you following our twitter feed, you now know why we were laughing last night...
ISC DHCLIENT Buffer Overflow (CVE-2009-0692): The ISC DHCLIENT daemon suffers from a programming error that may allow a remote attacker to capitalize on a stack overflow and execute code on an affected machine.
A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 15700.
Advisory is here: http://www.snort.org/vrt/advisories/2009/07/16/vrt-rules-2009-07-16.html
Bugzilla
CVE-2009-1892 dhcp: DoS/abort in some configs with client-identifier and hardware address host specifications
bugzilla · 2009-07-15 · CVSS 10.0 · CRITICAL
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in all affected branches.
For comments that are specific to the vulnerability please use bugs filed against "Security Response" product referenced in "Blocks" field.
bug #509845: CVE-2009-1892 dhcp: DoS/abort in some configs with client-identifier and hardware address host specifications
When creating a Bodhi update request, please include the bug IDs of the respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available and only close this bug once all affected Fedora versions are fixed.
Bo
Bugzilla
CVE-2009-0692 dhclient: stack overflow leads to arbitrary code execution as root
bugzilla · 2009-06-23 · CVSS 10.0 · CRITICAL
Description from ISC's advisory:
Description:
ISC dhclient has a stack overflow vulnerability which makes it
theoretically possible for a rogue DHCP server to execute arbitrary
commands as root on the affected system through stack return
subversion.
Impact:
While generating a subnet number from the server-supplied leased address
and subnet-mask 'dhclient' copies the information into a field without
verifying if the length of the information exceeds the length of the field.
Theoretically this allows a rogue DHCP server to execute arbitrary
commands as root on the affected system through stack return subversion.
This attack has little to no risk for a client situated on a network
that is well defended, wh
References
- http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-010.txt.asc
- http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02286083
- http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00003.html
- http://secunia.com/advisories/35785
- http://secunia.com/advisories/35829
- http://secunia.com/advisories/35830
- http://secunia.com/advisories/35831
- http://secunia.com/advisories/35832
- http://secunia.com/advisories/35841
- http://secunia.com/advisories/35849
- http://secunia.com/advisories/35850
- http://secunia.com/advisories/35851
- http://secunia.com/advisories/35880
- http://secunia.com/advisories/36457
- http://secunia.com/advisories/37342
- http://secunia.com/advisories/40551
- http://security.gentoo.org/glsa/glsa-200907-12.xml
- http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.561471
- http://www.debian.org/security/2009/dsa-1833
- http://www.kb.cert.org/vuls/id/410676
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:151
- http://www.osvdb.org/55819
- http://www.redhat.com/support/errata/RHSA-2009-1136.html
- http://www.redhat.com/support/errata/RHSA-2009-1154.html
- http://www.securityfocus.com/bid/35668
- http://www.securitytracker.com/id?1022548
- http://www.ubuntu.com/usn/usn-803-1
- http://www.vupen.com/english/advisories/2009/1891
- http://www.vupen.com/english/advisories/2010/1796
- https://bugzilla.redhat.com/show_bug.cgi?id=507717
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10758
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5941
- https://www.isc.org/downloadables/12
- https://www.isc.org/node/468
- https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01177.html
- https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00340.html