ISC DHCP ‘dhclient’ Remote Code Execution Vulnerability

Cause
Input validation error
Severity

 
Affected Systems
ISC DHCPD 4.1.1
ISC DHCPD 3.1.1
ISC DHCPD 3.0.4
ISC DHCPD 3.0.1 rc9
+ Conectiva Linux Enterprise Edition 1.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ OpenPKG OpenPKG 1.1
+ S.u.S.E. Linux 8.1
ISC DHCPD 3.0.1 rc8
ISC DHCPD 3.0.1 rc7
– FreeBSD FreeBSD 4.5
– FreeBSD FreeBSD 4.4
– FreeBSD FreeBSD 4.3
– FreeBSD FreeBSD 4.2
– FreeBSD FreeBSD 4.1.1
ISC DHCPD 3.0.1 rc6
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
ISC DHCPD 3.0.1 rc5
ISC DHCPD 3.0.1 rc4
+ OpenPKG OpenPKG 1.0
ISC DHCPD 3.0.1 rc3
ISC DHCPD 3.0.1 rc2
ISC DHCPD 3.0.1 rc14
ISC DHCPD 3.0.1 rc13
ISC DHCPD 3.0.1 rc12
ISC DHCPD 3.0.1 rc11
+ OpenPKG OpenPKG 1.2
+ OpenPKG OpenPKG Current
ISC DHCPD 3.0.1 rc10
+ OpenPKG OpenPKG Current
ISC DHCPD 3.0.1 rc1
ISC DHCPD 3.0 rc4
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.2
ISC DHCPD 3.0 rc12
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3
ISC DHCPD 3.0 pl2
ISC DHCPD 3.0 pl1
+ Gentoo Linux 1.4 _rc2
+ Gentoo Linux 1.4 _rc1
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
+ Slackware Linux 8.1
ISC DHCPD 3.0 b2pl9
+ MandrakeSoft Linux Mandrake 7.2
ISC DHCPD 3.0 b2pl23
+ MandrakeSoft Single Network Firewall 7.2
ISC DHCPD 3.0
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 8.0
+ MandrakeSoft Linux Mandrake 9.0
+ MandrakeSoft Linux Mandrake 8.2 ppc
+ MandrakeSoft Linux Mandrake 8.2
+ MandrakeSoft Linux Mandrake 8.1 ia64
+ MandrakeSoft Linux Mandrake 8.1
+ MandrakeSoft Multi Network Firewall 2.0
– S.u.S.E. Linux 8.0
– S.u.S.E. Linux 7.3
– S.u.S.E. Linux 7.2
– S.u.S.E. Linux Connectivity Server
– S.u.S.E. Linux Database Server 0
– S.u.S.E. Linux Enterprise Server for S/390
– S.u.S.E. SuSE eMail Server III
– S.u.S.E. SUSE Linux Enterprise Server 7
ISC DHCPD 4.1.1-P1
ISC DHCPD 4.1
ISC DHCPD 4.0.2-P1
ISC DHCPD 4.0.1p1
ISC DHCPD 4.0
ISC DHCPD 3.0.5b1
ISC DHCPD 3.0.2rc1
ISC DHCP Client 3.0 b1pl17
ISC DHCP Client 3.0 b1pl14
ISC DHCP Client 3.0 b1
ISC DHCP Client 4.1.1-P1
ISC DHCP Client 4.1.0p1
ISC DHCP Client 4.1
ISC DHCP Client 4.0.2-P1
ISC DHCP Client 4.0.1p1
ISC DHCP Client 4.0
ISC DHCP Client 3.1.2p1
ISC DHCP Client 3.0
 
Unaffected Systems
ISC DHCPD 4.2.1-P1
ISC DHCPD 4.1-ESV-R2
ISC DHCPD 3.1-ESV-R1
ISC DHCP Client 4.2.1-P1
ISC DHCP Client 4.1-ESV-R2
ISC DHCP Client 3.1-ESV-R1
 
Impact
A remote attacker can exploit this vulnerability to execute arbitrary code in the context of the application.
 
Attack Prerequisites
The attacker must set up a malicious DHCP server and send a malicious response to ISC dhclient.
 
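Vulnerability Details
ISC DHCP is an open-source implementation of the DHCP service.
ISC dhclient passes data from DHCP server replies (such as the host name) to dhclient-script without stripping or escaping shell metacharacters. Depending on the script and the operating system, this can lead to arbitrary code execution on the client.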
 
Test Method
 
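Vendor Solution
On SUSE systems, host name updates can be disabled by setting DHCLIENT_SET_HOSTNAME="no" in the /etc/sysconfig/network/dhcp file. On other systems, add the following line at the start of the set_hostname() function:
new_host_name=${new_host_name//[^a-zA-Z0-9]/}
ISC DHCPD 4.2.1-P1, 4.1-ESV-R2 and 3.1-ESV-R1 fix this vulnerability; users are advised to download and use them: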
https://www.isc.org/downloads/all
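
The workaround line above uses bash pattern substitution, which a plain POSIX /bin/sh does not support. The following is an added example, not ISC or SUSE code: it applies the same filter with tr and runs it over constructed host-name values. The helper names sanitize_host_name and host_name_is_clean, and this stand-in set_hostname, are assumptions.

```shell
#!/bin/sh
# Added example, not ISC or SUSE code. Helper names are hypothetical.

# Same effect as the page's bash-only line
#   new_host_name=${new_host_name//[^a-zA-Z0-9]/}
# for scripts run by a POSIX /bin/sh, which lacks ${var//pattern/}.
# LC_ALL=C keeps the a-z / A-Z ranges limited to ASCII in every locale.
sanitize_host_name() {
    printf '%s' "$1" | LC_ALL=C tr -cd 'a-zA-Z0-9'
}

# Detection: succeeds only when the server-supplied value is non-empty
# and the filter would leave it unchanged. A failure is worth logging.
host_name_is_clean() {
    [ -n "$1" ] && [ "$1" = "$(sanitize_host_name "$1")" ]
}

# Stand-in for a dhclient-script set_hostname(): filter first, then refuse
# an empty result instead of passing it on. The real function would call
# the platform's hostname command where this one prints.
set_hostname() {
    new_host_name=$(sanitize_host_name "$new_host_name")
    if [ -z "$new_host_name" ]; then
        echo "dhcp host-name rejected: nothing left after filtering" >&2
        return 1
    fi
    printf '%s\n' "$new_host_name"
}

# Constructed sample values, standing in for a server's host-name option.
for sample in 'client42' 'lab-pc.example' 'pc1;$(x)`y`|z' ';|&'; do
    new_host_name=$sample
    if host_name_is_clean "$sample"; then
        state=clean
    else
        state=filtered
    fi
    result=$(set_hostname 2>/dev/null) || result='(rejected)'
    printf '%-16s %-9s -> %s\n' "$sample" "$state" "$result"
done
```

The filter also removes hyphens and dots, so a legitimate name such as lab-pc.example is reduced to labpcexample.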
 
Credit
Sebastian Krahmer and Marius Tomaschewski from the SUSE Security Team
  
 
Advisory Links
https://www.isc.org/software/dhcp/advisories/cve-2011-0997
http://www.kb.cert.org/vuls/id/107886
