Signature Detail

DHCP: Format String in FQDN Option

This protocol anomaly is a DHCP option (FQDN or CLIENT_FQDN) with a format string in it. Attackers can gain a shell with the DHCP server user permissions usually root).

Extended Description

The ISC DHCPD (Dynamic Host Configuration Protocol) is a collection of software implementing the DHCP protocol. It is available for a range of operating systems, including BSD and Solaris. A remote format string vulnerability has been reported in multiple versions of the DHCPD server. User supplied data is logged in an unsafe fashion. Exploitation of this vulnerability may result in arbitrary code being executed by the DHCP server, which generally runs as the root user. This vulnerability is dependant on the NSUPDATE configuration option being enabled. NSUPDATE is enabled by default in versions 3.0 and later of the DHCPD server.

Affected Products

• ISC DHCPD 2.0.pl5
• ISC DHCPD 3.0.0
• ISC DHCPD 3.0.1 Rc1
• ISC DHCPD 3.0.1 Rc2
• ISC DHCPD 3.0.1 Rc3
• ISC DHCPD 3.0.1 Rc4
• ISC DHCPD 3.0.1 Rc5
• ISC DHCPD 3.0.1 Rc6
• ISC DHCPD 3.0.1 Rc7
• ISC DHCPD 3.0.1 Rc8

References

• BugTraq: 4701
• CVE: CVE-2002-0702
• URL: http://www.isc.org/index.pl?/sw/dhcp/dhcp_rel.php