
14.07.2008, 16:40
original:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies – CoreLabs Advisory
http://www.coresecurity.com/corelabs
Stack-based buffer overflow vulnerability in OpenBSD’s DHCP server
*Advisory Information*
Title: Stack-based buffer overflow vulnerability in OpenBSD’s DHCP server
Advisory ID: CORE-2007-0928
Advisory URL: http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1962
Date published: 2007-10-10
Date of last update: 2007-10-10
Vendors contacted: OpenBSD
Release mode: Coordinated release
*Vulnerability Information*
Class: Input validation error
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 25984
CVE Name: CVE-2007-0063
*Vulnerability Description*
OpenBSD’s DHCP server, dhcpd, implements the Dynamic Host Configuration
Protocol (DHCP) [1] and the Internet Bootstrap Protocol (BOOTP) [2]. DHCP
allows hosts on a TCP/IP network to request and be assigned IP addresses,
and also to discover information about the network to which they are
attached. BOOTP provides similar functionality, with certain restrictions.
The DHCP protocol allows a host which is unknown to the network
administrator to be automatically assigned a new IP address out of a pool
of IP addresses for its network. In order for this to work, the network
administrator allocates address pools in each subnet and enters them into
the dhcpd’s configuration file. OpenBSD’s implementation of the DHCP
server is based on an early version of ISC’s dhcpd that the OpenBSD
project further developed to incorporate additional security features such
as privilege separation and the ability to synchronize provisioning of IP
addresses to clients with updates to PF firewall filtering rules to
effectively implement egress and ingress filtering based on live client IP
addresses on the network served by dhcpd.
A vulnerability found in OpenBSD’s dhcpd allows attackers on the local
network to remotely cause the DHCP server to corrupt its process memory
and crash; or continue functioning erratically thus denying service to all
DHCP clients on the network and, if PF updates are in use, potentially
affecting egress/ingress filtering as well.
Although after an initial cursory analysis the vulnerability does not seem
usable for anything other than a Denial of Service attack against the
server to terminate the dhcpd process, the possibility of using it to
execute arbitrary code on vulnerable systems was not investigated in-depth
and should not be disregarded. In general, exploitation of stack-based
buffer overflow bugs in OpenBSD for remote code execution is prevented or
at least mitigated by various security features of the operating system
but the effectiveness of such mechanisms should be analyzed on a case by
case basis taking into account the details of the specific vulnerable code
at hand. Such detailed in-depth analysis was not performed in this case.
The vulnerability was found while investigating reports of multiple
vulnerabilities in the DHCP server implementation of VMware products.
Detailed inspection revealed that VMware’s DHCP server is based on
OpenBSD’s dhcpd, which in turn led to source code inspection to identify
the vulnerability and to development of a proof of concept exploit to
confirm its existence on live systems in test lab. Since the original
security advisory [3] disclosing multiple bugs in VMware’s DHCP server did
not provide enough technical details to uniquely identify this bug among
the three bugs disclosed in the report, Core has arbitrarily picked one
CVE name to identify it.
*Vulnerable packages*
- OpenBSD 4.0
- OpenBSD 4.1
- OpenBSD 4.2
*Non-vulnerable packages*
- OpenBSD-current as of October 9th, 2007 3:17 GMT
- The DHCP server from the Internet Software Consortium (ISC)
*Solution/Vendor Information/Workaround*
The OpenBSD team has fixed the bug in all current versions of the
vulnerable packages. The fix is committed to the source code tree and
source code patches are available from OpenBSD’s errata pages:
- OpenBSD 4.2: http://www.openbsd.org/errata42.html
- OpenBSD 4.1: http://www.openbsd.org/errata41.html
- OpenBSD 4.0: http://www.openbsd.org/errata40.html
Updated builds of the vulnerable OpenBSD versions have the problem fixed.
Workaround: None
*Credits*
This vulnerability was discovered by Nahuel Riva and Gerardo Richarte from
the CORE IMPACT Exploit Writers Team (EWT).
The VMware vulnerabilities that originally triggered research and
subsequent discovery of the buffer overflow vulnerability in OpenBSD’s
dhcpd were found by Neel Mehta and Ryan Smith from IBM X-Force [3].
Since the advisory from IBM X-Force lists 3 apparently distinct bugs
(using 3 different CVE names) but provides no technical details to
uniquely identify each one of them, we decided to roll a die and picked
CVE-2007-0063 as the one to identify the bug reported in this advisory.
gracias.zip.
*Technical Description / Proof of Concept Code*
DHCP is built on a client-server model, where designated DHCP server hosts
allocate network addresses and deliver configuration parameters to
dynamically configured hosts. The term "server" refers to a host providing
initialization parameters through DHCP, and the term "client" refers to a
host requesting initialization parameters from a DHCP server.
The Dynamic Host Configuration Protocol (DHCP) specification [1] indicates
the requirements that a given DHCP implementation must fulfill. In
summary, DHCP is designed to supply DHCP clients with the configuration
parameters defined in the Host Requirements RFCs. After obtaining
parameters via DHCP, a DHCP client should be able to exchange packets with
any other host in the Internet. The TCP/IP stack parameters supplied by
DHCP are listed in Appendix A of the corresponding RFC. Not all of these
parameters are required for a newly initialized client. A client and
server may negotiate for the transmission of only those parameters
required by the client or specific to a particular subnet. DHCP allows but
does not require the configuration of client parameters not directly
related to the IP protocol. DHCP also does not address registration of
newly configured clients with the Domain Name System (DNS).
The DHCP message definition includes a variable length field called
“options”, which in turn indicates an additional variable length
payload appended to the base DHCP message. The entire list of official DHCP
options, also known as “vendor extensions” in BOOTP terminology, is
provided in a companion RFC document to the protocol specification [3].
One such option is the “maximum DHCP message size” option (MMS). The
protocol specification indicates that “The client SHOULD include the
'maximum DHCP message size' option to let the server know how large the
server may make its DHCP messages”.
OpenBSD’s dhcpd fails to properly validate the value provided in the
“maximum message size” option by the DHCP client, allowing an
attacker to specify MMS values that result in an integer underflow followed
by a call to memcpy(3) with a negative third argument, which in turn
overwrites arbitrary portions of process memory.
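The unchecked-subtraction pattern the advisory describes, as an added illustration that is not dhcpd's code: a small parser for option 57 run over a constructed options buffer, a constructed function that trusts the client's value (so values below the fixed-header length wrap to a huge size_t, the kind of length a following memcpy(3) would receive), and the checked form that enforces the RFC 2132 minimum of 576. DHCP_FIXED_LEN, the sample buffers and the function names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define DHCP_FIXED_LEN   236  /* BOOTP/DHCP fixed header length, before the options field */
#define DHCP_MIN_MMS     576  /* smallest legal "maximum DHCP message size" (RFC 2132) */
#define OPT_MAX_MSG_SIZE 57   /* option code for maximum DHCP message size */
#define OPT_PAD          0
#define OPT_END          255

/* Constructed client options: message type (53) = DHCPDISCOVER, then
 * maximum message size (57) = 0x0064 = 100, far below the 576 minimum. */
const uint8_t sample_opts[] = { 53, 1, 1, 57, 2, 0x00, 0x64, 255 };
/* Constructed malformed list: option 57 claims 2 bytes but only 1 follows. */
const uint8_t truncated_opts[] = { 57, 2, 0x05 };

/* Walk the TLV option list and return the value of option 57, or 0 when the
 * option is absent, malformed or truncated (0 is never a valid message size). */
unsigned find_mms(const uint8_t *opts, size_t len)
{
    size_t i = 0;
    while (i < len) {
        uint8_t code = opts[i++];
        if (code == OPT_PAD) continue;
        if (code == OPT_END) break;
        if (i >= len) return 0;                 /* length byte missing */
        uint8_t olen = opts[i++];
        if (olen > len - i) return 0;           /* option runs past the buffer */
        if (code == OPT_MAX_MSG_SIZE && olen == 2)
            return ((unsigned)opts[i] << 8) | opts[i + 1];
        i += olen;
    }
    return 0;
}

/* Constructed vulnerable pattern (not dhcpd's code): the client-supplied value
 * is trusted, so mms < DHCP_FIXED_LEN wraps to a huge size_t, which a later
 * memcpy(3) building the reply would use as its length. */
size_t option_space_unchecked(unsigned mms)
{
    return (size_t)mms - DHCP_FIXED_LEN;
}

/* Hardened form: clamp to the protocol minimum before computing the space
 * left for options, so the subtraction can never wrap. */
size_t option_space_checked(unsigned mms)
{
    if (mms < DHCP_MIN_MMS)
        mms = DHCP_MIN_MMS;
    return (size_t)mms - DHCP_FIXED_LEN;
}
```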
The problem is found in the function responsible for processing DHCP options
received from the client: