Signature Detail

DHCP: Sun Solaris DHCP Client Command Execution

This signature detects the transmission of a maliciously crafted DHCP server response. By supplying a shell command in the "Domain Name" option (Option 15), a malicious server could cause arbitrary commands to be executed on the client.

Extended Description

The DHCP client script '/lib/svc/method/net-svc' in Sun Solaris 10 contains an unspecified flaw that allows remote attackers to execute arbitrary code with superuser privileges. The exact cause of this vulnerability is unknown at this time. Attackers with the ability to respond to DHCP requests from vulnerable computers could exploit this vulnerability to execute arbitrary machine code with superuser privileges. The DHCP protocol utilizes UDP packets, allowing attackers to spoof addresses. This allows them to impersonate legitimate DHCP servers and to hide the true origin of attacks.

Affected Products

• Sun Solaris 10 Sparc
• Sun Solaris 10 X86

References

• BugTraq: 14687
• CVE: CVE-2005-2870
• URL: http://www.frsirt.com/english/advisories/2005/1515
• URL: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101897-1