cbcvebase.
CVE-2009-0692
published 2009-07-14


Priority: P2 · 66 · critical · 10 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: EXPLOIT (public exploit known)
EPSS: 25.78% (97.7th percentile)
Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option.

Affected (5 ranges)

Vendor  Product  Version range                  Fixed in
isc     dhcp     dhclient 4.1 before 4.1.0p1    4.1.0p1
isc     dhcp     dhclient 4.0 before 4.0.1p1    4.0.1p1
isc     dhcp     dhclient 3.1 before 3.1.2p1    3.1.2p1
isc     dhcp     dhclient 3.0                   (not stated)
isc     dhcp     dhclient 2.0                   (not stated)

Detection & IOCs (extracted from sources)

port:     UDP src port 68, dst port 67
command:  BPF_FILTER: ip and udp and src port 68 and dst port 67
snort:    GID 3, SID 15700
bytes:    Malicious subnet mask DHCP option: \x01 <len> <oversized payload>
bytes:    DHCP ACK option bytes: \x35\x01\x05 (msg type ACK) followed by oversized option 1 (subnet mask)
  • Detect an oversized DHCP subnet-mask option (option code 0x01) in a DHCP ACK (option 53 = 0x05) packet on UDP ports 67/68. A legitimate subnet mask is exactly 4 bytes; any DHCP ACK carrying option 1 with length > 4 is malicious.
  • The exploit fixes up the stack by writing readable addresses into the es.client and es.prefix fields during the overflow, then overwrites the saved return address (RET). Inspect DHCP subnet-mask option payloads for embedded pointer-like 4-byte-aligned values followed by a 4-byte value of \x04\x00\x00\x00 at a fixed offset.
  • The attack is local-network only (a rogue DHCP server on the same segment). High-risk environments include shared WiFi (hotels, conferences, airports). Enforce DHCP snooping on managed switches to block unauthorized DHCP servers.
  • Ubuntu 8.10 and higher had the patch improperly applied, but default compiler options (stack protector) reduced the vulnerability to denial of service only rather than code execution.
  • Ubuntu 9.04 and higher provided additional mitigation via the AppArmor dhclient3 profile, isolating attackers even if exploitation was attempted.
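The first detection note above reduces to a length check on one DHCP option. The following Python is an added example (not code from the page's sources, ISC, or any IDS vendor) that walks the DHCP option TLV area and flags a subnet-mask option whose length is not the 4 bytes a legitimate mask occupies; it generalizes the note slightly by flagging any length other than 4 rather than only lengths greater than 4. It assumes the standard DHCP layout from RFC 2131 (236-byte BOOTP header, the magic cookie 63 82 53 63, option 53 as message type with 5 = ACK) and builds its own constructed sample packets, so it runs offline with no capture file. A truncated option is reported as an error instead of being treated as benign, since a packet cut short inside option 1 is exactly the kind of input an analyst should look at rather than discard.

```python
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_SUBNET_MASK, OPT_MSG_TYPE, OPT_END = 0, 1, 53, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the TLV option area of a DHCP UDP payload into {code: [value, ...]}.

    Skips PAD, stops at END, and raises ValueError when an option's declared
    length runs past the end of the packet, so truncation is never silently
    read as a well-formed packet.
    """
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP payload (missing magic cookie)")
    opts = {}
    i = 240  # first option byte follows the BOOTP header and magic cookie
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError(f"truncated option {code}: missing length byte")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(
                f"truncated option {code}: declared {length}, got {len(value)}")
        opts.setdefault(code, []).append(value)
        i += 2 + length
    return opts


def check_subnet_mask_option(payload: bytes) -> dict:
    """Return the message type, every option-1 length seen, and an alert flag
    that is set when any subnet-mask option is not exactly 4 bytes."""
    opts = parse_dhcp_options(payload)
    mt = opts.get(OPT_MSG_TYPE, [])
    msg_type = mt[0][0] if mt and len(mt[0]) == 1 else None
    masks = opts.get(OPT_SUBNET_MASK, [])
    return {
        "msg_type": MSG_TYPES.get(msg_type, str(msg_type)),
        "subnet_mask_lengths": [len(m) for m in masks],
        "alert": any(len(m) != 4 for m in masks),
    }


def build_dhcp(msg_type: int, options: list) -> bytes:
    """Constructed sample packet: minimal BOOTP reply header, cookie, options."""
    header = bytearray(236)
    header[0], header[1], header[2] = 2, 1, 6  # BOOTREPLY, htype=ethernet, hlen=6
    body = bytes(header) + DHCP_MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return body + bytes([OPT_END])


# Constructed samples: a normal ACK and an ACK whose option 1 is far too long.
BENIGN_ACK = build_dhcp(5, [(OPT_SUBNET_MASK, b"\xff\xff\xff\x00")])
OVERSIZED_ACK = build_dhcp(5, [(OPT_SUBNET_MASK, b"A" * 60)])

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_ACK), ("oversized", OVERSIZED_ACK)):
        print(name, check_subnet_mask_option(pkt))
    try:
        check_subnet_mask_option(OVERSIZED_ACK[:-10])
    except ValueError as exc:
        print("truncated:", exc)
```

To apply this to live traffic, feed it the UDP payload of packets matching the BPF filter listed above (or, for server replies, src port 67 and dst port 68) and escalate any result with `alert` set, keeping the `msg_type` so an oversized mask in an ACK can be prioritized over one in an OFFER.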

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat           10.0   CRITICAL