Security-Announce archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

NetBSD Security Advisory 2009-010: ISC dhclient subnet-mask flag stack overflow



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                 NetBSD Security Advisory 2009-010
                 =================================

Topic:          ISC dhclient subnet-mask flag stack overflow

Version:        NetBSD-current:         affected before June 24, 2009
                NetBSD 5.0:             affected
                NetBSD 4.0.*:           affected
                NetBSD 4.0:             affected
                pkgsrc:                 isc-dhclient package prior to
                                        4.1.0p1, 4.0.1p1, or 3.1.2p1

Severity:       Arbitrary Code Execution

Fixed:          NetBSD-current:         June 24, 2009
                NetBSD-5-0 branch:      July 14, 2009 20:00 UTC
                NetBSD-5 branch:        July 14, 2009 20:00 UTC
                NetBSD-4-0 branch:      July 14, 2009 20:00 UTC
                NetBSD-4 branch:        July 14, 2009 20:00 UTC
                pkgsrc 2009Q2:          isc-dhclient-4.1.0p1, 4.0.1p1 and
                                        3.1.2p1 correct the issue


Abstract
========

A stack overflow vulnerability in ISC dhclient allows an attacker
operating a rogue DHCP server to execute arbitrary code with root
privileges on the affected system by supplying a specially crafted
subnet-mask parameter.

This vulnerability has been assigned CVE-2009-0692 and CERT
Vulnerability Note VU#410676.


Technical Details
=================

The script_write_params() function in ISC dhclient version 4.1.0 and
earlier, 4.0.1 and earlier as well as 3.1.2 and earlier fails to
properly verify the subnet-mask parameter while copying it into
the internal state.

This can be exploited to overwrite the stack frame pointer and execute
arbitrary code in the context of the dhclient process. The size of the
injected code is thereby limited to the MTU of the interface dhclient
is listening on.

For more details, please see CVE-2009-0692.


Solutions and Workarounds
=========================

As a temporary workaround, disable dhclient(8) from the base OS and
use either the fixed dhclient packages from pkgsrc, or alternatively
the program dhcpcd(8) from the base system.

The following instructions describe how to upgrade your dhclient
binaries by updating your source tree and rebuilding and
installing a new version of dhclient.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2009-06-24
        should be upgraded to NetBSD-current dated 2009-06-25 or later.

        The following file needs to be updated from the netbsd-current
        CVS branch (aka HEAD):
                dist/dhcp/client/dhclient.c

        To update from CVS, re-build, and re-install dhclient:
                # cd src
                # cvs update -d -P dist/dhcp/client/dhclient.c
                # cd usr.sbin/dhcp
                # make USETOOLS=no cleandir dependall
                # cd client
                # make USETOOLS=no install

* NetBSD 5.*:

        Systems running NetBSD 5.* sources dated from before
        2009-07-14 20:00 UTC should be upgraded from NetBSD 5.*
        sources dated 2009-07-14 20:00 UTC or later.

        The following file needs to be updated from the netbsd-5 or
        netbsd-5-0 branches:
                dist/dhcp/client/dhclient.c

        To update from CVS, re-build, and re-install dhclient:

                # cd src
                # cvs update -r <branch_name> -d -P dist/dhcp/client/dhclient.c
                # cd usr.sbin/dhcp
                # make USETOOLS=no cleandir dependall
                # cd client
                # make USETOOLS=no install


        Alternatively, apply the following patch (with potential offset
        differences):
                
http://ftp.NetBSD.org/pub/NetBSD/security/patches/SA2009-010-dhclient.patch

        To patch, re-build and re-install SSH:

                # cd dist/dhcp/client
                # patch -p0 < /path/to/SA2009-010-dhclient.patch

                # cd ../../../usr.sbin/dhcp
                # make USETOOLS=no cleandir dependall
                # cd client
                # make USETOOLS=no install


* NetBSD 4.*:

        Systems running NetBSD 4.* sources dated from before
        2009-07-14 20:00 UTC should be upgraded from NetBSD 4.*
        sources dated 2009-07-14 20:00 UTC or later.

        The following file needs to be updated from the netbsd-4 or
        netbsd-4-0 branches:
                dist/dhcp/client/dhclient.c

        To update from CVS, re-build, and re-install dhclient:

                # cd src
                # cvs update -r <branch_name> -d -P dist/dhcp/client/dhclient.c
                # cd usr.sbin/dhcp
                # make USETOOLS=no cleandir dependall
                # cd client
                # make USETOOLS=no install


        Alternatively, apply the following patch (with potential offset
        differences):
                
http://ftp.NetBSD.org/pub/NetBSD/security/patches/SA2009-010-dhclient.patch

        To patch, re-build and re-install SSH:

                # cd dist/dhcp/client
                # patch -p0 < /path/to/SA2009-010-dhclient.patch

                # cd ../../../usr.sbin/dhcp
                # make USETOOLS=no cleandir dependall
                # cd client
                # make USETOOLS=no install


Thanks To
=========

The Mandriva Linux Engineering Team and for discovering and reporting
the software flaw and Christos Zoulas for providing a fix.


Revision History
================

        2009-07-14      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2009-010.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2009, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2009-010.txt,v 1.2 2009/07/14 20:40:33 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iQIcBAEBAgAGBQJKXO1UAAoJEAZJc6xMSnBudBkQAJPPZ55nwsFZOp5V8tOIhuki
a+YKDE5zaa9AvIrvpzZqUIE9F9/FR92Ke7Sh5Ol7zxpnBJXwsEYIJfdKBW47Bx8y
drZ7KPvOyga8dqDE8OQWRzCWfpbzYGSIp706TlO0ONBzZLUN4JCy60kbZtAwXt83
oM50DTA9DhtIxy+MOJyStnHArZLQZYH4VTNBdQb3UmJR+/LjQIY2oxvLBwN/QKOB
mfFfyxHwgZXkY9dUXSB+wsdEtgLOToVUhDsrcNvzYYH9Dxs2unBpXdTFCy4BYcAZ
o5FiSEW5lHReDCiql5PZ+6AfiehzabmPC3rZLTD9QgjE3cPlrVA7XZsmnZnsxAF1
4O1/w8Pz4pl+X+84+JsbQCSkhMRX4zlkZ2lUtTtF9FZ73wHPih3oK1MN8ssW414c
Pms36xxKgmop/xw58/SGtlmaFD+0sUm6fSZBAlD5BDuSwqvWVUIvHXxEoAuN2Vbc
j65njdgvrpZ5VG0bX4CxE1rbxhjCJ0wwRgU3MgH36Pv6bFV3TBWqriGHIr9VmDbt
qGyQJdLlejW4cUjVhz8ZProbWhsvpoObtuAetysyhwRke6Ie/ssvon+0iLz4QikO
Nh2eaVdqQqJZRFOPGyxPoYjT1KU27+C7Xos+2D+VT/rnk/lnKcOG1ye+v0B7HNgc
eNYsWmC3rp8NPDDc6N18
=Jf/4
-----END PGP SIGNATURE-----



Home | Main Index | Thread Index | Old Index