Quote:
In src/usr.sbin/dhcpd/options.c
int
cons_options(struct packet *inpacket, struct dhcp_packet *outpacket,
    int mms, struct tree_cache **options,
    int overload, /* Overload flags that may be set. */
    int terminate, int bootpp, u_int8_t *prl, int prl_len)
{
    unsigned char priority_list[300];
    int priority_len;
    unsigned char buffer[4096]; /* Really big buffer... */
    int main_buffer_size;
    int mainbufix, bufix;
    int option_size;
    int length;
DHCP_FIXED_LEN is defined in dhcp.h
    if (!mms &&
        inpacket &&
        inpacket->options[DHO_DHCP_MAX_MESSAGE_SIZE].data &&
        (inpacket->options[DHO_DHCP_MAX_MESSAGE_SIZE].len >=
        sizeof(u_int16_t)))
        mms = getUShort(
            inpacket->options[DHO_DHCP_MAX_MESSAGE_SIZE].data);
    if (mms)
        main_buffer_size = mms - DHCP_FIXED_LEN;
    else if (bootpp)
        main_buffer_size = 64;
    else
        main_buffer_size = 576 - DHCP_FIXED_LEN;
    if (main_buffer_size > sizeof(buffer))
        main_buffer_size = sizeof(buffer);
main_buffer_size is signed and controlled by the attacker. As long as
main_buffer_size is a small positive integer (<= 4096) execution flow will
continue normally…
    /* Copy the options into the big buffer... */
    option_size = store_options(
        buffer,
        (main_buffer_size - 7 + ((overload & 1) ? DHCP_FILE_LEN : 0) +
        ((overload & 2) ? DHCP_SNAME_LEN : 0)),
        options, priority_list, priority_len, main_buffer_size,
        (main_buffer_size + ((overload & 1) ? DHCP_FILE_LEN : 0)),
        terminate);
    /* Put the cookie up front... */
    memcpy(outpacket->options, DHCP_OPTIONS_COOKIE, 4);
    mainbufix = 4;
Here, a small positive value of main_buffer_size (<= 7) will make
store_options exit quickly and execution flow continues. Specifically, if
the Maximum Segment Size value (mms) in the client packet satisfies the
condition (DHCP_FIXED_LEN < mms < DHCP_FIXED_LEN+4) then main_buffer_size
will be positive but less than 4.
    if (option_size <= main_buffer_size - mainbufix) {
        memcpy(&outpacket->options[mainbufix],
            buffer, option_size);
        mainbufix += option_size;
        if (mainbufix < main_buffer_size)
            outpacket->options[mainbufix++] = DHO_END;
        length = DHCP_FIXED_NON_UDP + mainbufix;
    } else {
        outpacket->options[mainbufix++] = DHO_DHCP_OPTION_OVERLOAD;
        outpacket->options[mainbufix++] = 1;
        if (option_size >
            main_buffer_size - mainbufix + DHCP_FILE_LEN)
            outpacket->options[mainbufix++] = 3;
        else
            outpacket->options[mainbufix++] = 1;
        memcpy(&outpacket->options[mainbufix],
            buffer, main_buffer_size - mainbufix);
This triggers a memcpy(3) call with a negative third argument, which results in
large portions of the process memory being overwritten.
*Report Timeline*
2007-10-03: Initial notification sent by CoreLabs to OpenBSD
2007-10-04: Notification acknowledged by OpenBSD
2007-10-04: Technical details provided to OpenBSD
2007-10-05: Patch with a proposed fix from OpenBSD provided for
comments/confirmation
2007-10-05: Confirmation from CoreLabs that the patch fixed the problem.
2007-10-09: Email from OpenBSD indicating that the fix has been committed
to the OpenBSD source tree and announced as a security fix in OpenBSD’s
errata page.
2007-10-10: Publication of CoreLabs advisory CORE-2007-0928
*Additional Information/ Resources*
[1] Dynamic Host Configuration Protocol (DHCP)
- Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, Bucknell
University, March 1997.
- Alexander, S., and R. Droms, "DHCP Options and BOOTP Vendor Extensions",
RFC 1533, Lachman Technology, Inc., Bucknell University, October 1993.
- Droms, D., "Interoperation between DHCP and BOOTP", RFC 1534, Bucknell
University, October 1993.
[2] Bootstrap Protocol (BOOTP)
- Croft, B., and J. Gilmore, "Bootstrap Protocol (BOOTP)", RFC 951,
Stanford and SUN Microsystems, September 1985.
- Wimer, W., "Clarifications and Extensions for the Bootstrap Protocol",
RFC 1542, Carnegie Mellon University, October 1993.
[3] VMWare DHCP Server Remote Code Execution Vulnerabilities:
- Neel Mehta and Ryan Smith of IBM X-Force,
http://www.iss.net/threats/275.html
*About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs/
*About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. IMPACT evaluates network, endpoint
and end-user vulnerabilities and identifies what resources are exposed. It
enables organizations to determine if current security investments are
detecting and preventing attacks. Core augments its leading technology
solution with world-class security consulting services, including
penetration testing and software security auditing. Based in Boston, MA
and Buenos Aires, Argentina, Core Security Technologies can be reached at
617-399-6980 or on the Web at
http://www.coresecurity.com.
*DISCLAIMER*
The contents of this advisory are copyright (c) 2007 CORE Security
Technologies and (c) 2007 CoreLabs, and may be distributed freely provided
that no fee is charged for this distribution and proper credit is given.
*PGP/GPG KEYS*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc
Original text: http://securityvulns.ru/Sdocument181.html
If it turns out to be superfluous, delete it.
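The size arithmetic the advisory walks through, as an added illustration that is not part of the advisory or of OpenBSD's dhcpd: it mirrors how cons_options() derives main_buffer_size from the client-supplied mms, shows the signed difference that reaches memcpy(3) in the overload branch, and puts a hardened variant beside it that rejects an advertised size below the RFC 2131 minimum before any length is derived from it. The constant values (DHCP_FIXED_LEN = 264, the 4096-byte buffer, the 7 bytes already consumed by cookie and overload option) are recalled from dhcp.h and the quoted code, not given by the advisory.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constants as in OpenBSD's dhcp.h (values recalled for this illustration;
 * the advisory quotes only the names). */
#define DHCP_UDP_OVERHEAD   (20 + 8)
#define DHCP_FIXED_NON_UDP  236
#define DHCP_FIXED_LEN      (DHCP_FIXED_NON_UDP + DHCP_UDP_OVERHEAD) /* 264 */
#define DHCP_MIN_MMS        576   /* RFC 2131/2132: minimum legal option 57 value */
#define OPTBUF_SIZE         4096  /* sizeof(buffer) in cons_options */
#define MAINBUFIX_OVERLOAD  7     /* 4-byte cookie + 3-byte overload option */

/* Mirror of the quoted cons_options(): derive main_buffer_size from the
 * client-supplied mms exactly as the vulnerable code does. */
int main_buffer_size_as_coded(int mms, int bootpp)
{
    int main_buffer_size;

    if (mms)
        main_buffer_size = mms - DHCP_FIXED_LEN;
    else if (bootpp)
        main_buffer_size = 64;
    else
        main_buffer_size = 576 - DHCP_FIXED_LEN;
    if (main_buffer_size > OPTBUF_SIZE)
        main_buffer_size = OPTBUF_SIZE;
    return main_buffer_size;
}

/* Third argument the overload branch hands to memcpy(3): the signed
 * difference main_buffer_size - mainbufix converted to size_t. For
 * main_buffer_size < 7 it is negative and becomes a huge length. */
size_t vulnerable_copy_len(int mms, int bootpp)
{
    return (size_t)(main_buffer_size_as_coded(mms, bootpp) - MAINBUFIX_OVERLOAD);
}

/* Hardened variant: reject an advertised size below the RFC minimum before
 * any arithmetic, and check remaining room against space already used.
 * Returns false when the packet must be dropped instead of answered. */
bool safe_copy_len(int mms, int bootpp, size_t *out)
{
    if (mms != 0 && mms < DHCP_MIN_MMS)
        return false;                          /* out-of-spec client value */
    int room = main_buffer_size_as_coded(mms, bootpp);
    if (room < MAINBUFIX_OVERLOAD)
        return false;                          /* no room even for the header */
    *out = (size_t)(room - MAINBUFIX_OVERLOAD);
    return true;
}
```

With mms = DHCP_FIXED_LEN + 2 the vulnerable path yields a copy length far above the 4096-byte buffer, while the hardened path refuses the packet; a default (mms = 0) request gives 305 bytes of room in both.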