2039.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:

--
Sid:
2039

--
Summary:
The Dynamic Host Configuration Protocol (DHCP) daemon is used to issue 
dynamic IP addresses from a server to client machines. A vulnerability 
exists such that arbitrary code may be executed on the server using the 
credential of the super user (root).

--
Impact:
Execution of code and possible control of the targeted machine.

--
Detailed Information:
A format string vulnerabilty in some versions of dhcpd may lead to the 
execution of arbitrary code as the root user via a DNS server response. 
This is due to the unsafe logging of user data. The option NSUPDATE 
option in the configuration of dhcpd must be enabled, although this is a
default option in version 3.0 and later.

Two exploits for this vulnerability are known to exist.

--
Affected Systems:
ISC DHCPD 3.0
 Caldera OpenLinux Server 3.1 and 3.1.1
 Caldera OpenLinux Workstation 3.1 and 3.1.1
 Conectiva Linux 8.0
 MandrakeSoft Linux Mandrake 8.1, 8.1 ia64, 8.2, 8.2 ppc and 9.0
 MandrakeSoft Multi Network Firewall 8.2
 S.u.S.E. Linux 7.2, 7.3 and 8.0
 S.u.S.E. Linux Connectivity Server
 S.u.S.E. Linux Database Server
 S.u.S.E. Linux Enterprise Server 7 and S/390

ISC DHCPD 3.0.1 rc8 and ISC DHCPD 3.0.1 rc7
 FreeBSD FreeBSD 4.1.1, 4.2, 4.3, 4.4 and 4.5

ISC DHCPD 3.0.1 rc6
 S.u.S.E. Linux 8.0 and 8.0 i386

ISC DHCPD 3.0.1 rc5, ISC DHCPD 3.0.1 rc4
OpenPKG OpenPKG 1.0

ISC DHCPD 3.0.1 rc3, rc2 and rc1

--
Attack Scenarios:
The attacker could send a specially crafted packet to the dhcpd server or use one of the exploits widely available for this vulnerability.

--
Ease of Attack:
Simple

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
Patches from the vendor should be applied as soon as possible.

Upgrade to ISC DHCPD 3.0.1 rc 9.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

Bugtraq:
http://www.securityfocus.com/bid/4701

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0702

--