DHCP server
ifupdown 0.6.8ubuntu29.2
Ubuntu 10.10:
ifupdown 0.6.10ubuntu3.1
After a standard system update you need to restart your DHCP network
interfaces to make all the necessary changes.
Details follow:
Under certain circumstances, the DHCP client could start before its
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02436045
Version: 1
HPSBGN02561 SSRT100194 rev.1 - HP ProCurve 2610 Switches running DHCP, Remote Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-08-04
Last Updated: 2010-08-04
===========================================================
Ubuntu Security Notice USN-1108-1 April 11, 2011
dhcp3 vulnerability
CVE-2011-0997
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Description
===========
Multiple vulnerabilities have been discovered in several VMware
products. Neel Mehta and Ryan Smith (IBM ISS X-Force) discovered that
the DHCP server contains an integer overflow vulnerability
(CVE-2007-0062), an integer underflow vulnerability (CVE-2007-0063) and
another error when handling malformed packets (CVE-2007-0061), leading
to stack-based buffer overflows or stack corruption. Rafal Wojtczvk
(McAfee) discovered two unspecified errors that allow authenticated
users with administrative or login privileges on a guest operating
CVE Name: CVE-2009-2957, CVE-2009-2958
3. *Vulnerability Description*
Dnsmasq is a lightweight DNS forwarder and DHCP server. A vulnerability
has been found that may allow an attacker to execute arbitrary code on
servers or home routers running dnsmasq[1] with the TFTP service[2][3]
enabled ('--enable-tftp'). This service is not enabled by default on most
distributions; in particular it is not enabled by default on OpenWRT or
DD-WRT. Chances of successful exploitation increase when a long
Details follow:
Sebastian Krahmer discovered that the xrdb utility incorrectly filtered
crafted hostnames. An attacker could use this flaw with a malicious
DHCP server or with a remote xdmcp login and execute arbitrary code,
resulting in root privilege escalation.
Updated packages for Ubuntu 8.04 LTS:
execution of arbitrary code, or a Denial of Service.
Background
==========
Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP
server. It includes support for Trivial FTP (TFTP).
Affected packages
=================
P.S.Ziegler yet. (He might or might not be aware of these facts).
If the report is right and logs recording you connecting and obtaining an IP
address are a concern then you should be terrified already. I suspect that I
could reconstruct much of what you did online given access to all the
associated logs. Getting an IP address from a DHCP server and using almost
any other service whatsoever usually generates at least an IP address and
timestamp. Bind 9 has logs, and they are on by default, so big brother might
be able to deduce a lot just using your ISP's DNS logs.
When I say that I got this spam from IP address X at time Y, and give full
VMware Player 1.0.4 upgrade to version 1.0.5 (Build# 56455)
VMware Server 1.0.3 upgrade to version 1.0.4 (Build# 56528)
VMware ACE 2.0.0 upgrade to version 2.0.1 (Build# 55017)
VMware ACE 1.0.3 upgrade to version 1.0.4 (Build# 54075)
II Hosted products DHCP security vulnerabilities addressed
This release fixes several vulnerabilities in the DHCP server
that could enable specially crafted packets to gain system-level
privileges. (CVE-2007-0061, CVE-2007-0062, CVE-2007-0063)
Debian Security Advisory DSA-2292-1 security@debian.org
http://www.debian.org/security/ Florian Weimer
August 11, 2011 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : isc-dhcp
Vulnerability : denial of service
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-2748 CVE-2011-2749
After a standard system upgrade you need to reboot your computer to
effect the necessary changes.
Details follow:
Neel Mehta and Ryan Smith discovered that the VMWare Player DHCP server
did not correctly handle certain packet structures. Remote attackers
could send specially crafted packets and gain root privileges.
(CVE-2007-0061, CVE-2007-0062, CVE-2007-0063)
Rafal Wojtczvk discovered multiple memory corruption issues in VMWare
Sebastian Krahmer discovered that the xrdb utility of x11-xserver-utils,
an X server resource database utility, is not properly filtering crafted
hostnames. This allows a remote attacker to execute arbitrary code with
root privileges given that either remote logins via xdmcp are allowed or
the attacker is able to place a rogue DHCP server into the victim's network.
For the oldstable distribution (lenny), this problem has been fixed in
version 7.3+6.
~ VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)
~ NOTE: Fusion and Linux based products are not affected by this
~ issue.
~ g. DHCP denial of service vulnerability
~ A potential denial of service issue affects DHCP service running
~ on the host.
~ VMware would like to thank Martin O'Neal for reporting this issue.
> o Idle-scanning, O/S fingerprinting, host alias
> detection, traffic analysis, TCP blind data injection,
> etc. (predictable IP fragmentation ID) in "regular" IP
> packets and raw IP packets.
>
> o Predictable IP fragmentation ID in DHCP, IP multicast
> routing and IPsec encapsulation in IP.
>
>
> * NetBSD 1.6.2-4.0
>
A vulnerability has been found and corrected in xrdb:
xrdb.c in xrdb before 1.0.9 in X.Org X11R7.6 and earlier allows remote
attackers to execute arbitrary commands via shell metacharacters in a
hostname obtained from a (1) DHCP or (2) XDMCP message (CVE-2011-0465).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
TN> inaccessible
TN> until the router is physically restarted.
TN> While the router will still continue to function at the network level, i.e.
TN> it will
TN> still respond to ICMP echo requests and issue leases via DHCP, an
TN> administrator will
TN> no longer be able to interact with the administrative web interface.
TN> This attack can be carried out internally within the network, or over the
TN> Internet
* csrf (cross-site request forgeries)
* xss (cross-site scripting)
* call-jacking - like making your phone dial numbers or even survey
room's sound where the phone resides
* obfuscation/encryption deficiencies
* UPnP, DHCP and mDNS problems - although not officially reported,
most devices are affected
* SNMP injection attacks due to poor SNMP creds.
* memory overwrites - well it is possible to overwrite the admin
password while being in memory and therefore be able to login as admin
* stealing config files
ArpON (Arp handler inspectiON) is a portable Arp handler.
It detects and blocks all ARP poisoning/spoofing attacks with the
Static ARP Inspection (SARPI) and Dynamic ARP Inspection (DARPI)
approach on switched/hubbed LANs with or without the DHCP protocol.
Importantly, it does not compromise ARP protocol performance.
I need testing and code revision, thank you.
The link to project's documentation is:
http://arpon.sourceforge.net/about.html
authentication cookie from a prior login, and then visit ANY WEBSITE.
Upon fetching/executing these injected elements, the browser will
transmit the 'GX' cookie in the clear for the load of the spoofed
element.
Arp spoofing, DHCP spoofing, DNS spoofing, and TCP race-based attacks
(such as AirPwn) are all valid vectors for inserting these content
elements.
The ONLY way to be safe is to clear your google cookies immediately
after using gmail, or to mash the logout button. Obviously, being a
Dear lee.e.rian@census.gov,
Why do you think you can't do it with SNMP? Examples are setting the DNS
server option via DHCP (or the DNS domain name for the proxy server
autodiscovery protocol) or even configuring a VPN tunnel for all
traffic. I'm not sure about Tsunami, for Orinoco these settings are
read/write:
http://support.ipmonitor.com/mibs/ORINOCO-MIB/oids.aspx
Other information:
* Default username and password is cmc
* Default administrator username/password is admin
* Device supports following protocols TCP/IP, SNMPv1, SNMPv3, FTP,
SFTP, SMTP, HTTPS, NTP, SSH, PPP, DHCP. Further research is
highly encouraged.
"Six pints of bitter. And quickly please, the world's about to end."
-- Ford Prefect
dnsmasq (http://www.thekelleys.org.uk/dnsmasq/doc.html) a popular DHCP
and DNS forwarder and cache server used on many DSL/Cable routers now
has a simple DNS Rebinding protection mechanism. When executed with the
--stop-dns-rebind option the DNS resolver in dnsmasq will filter out
private IP addresses (127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8,
172.16.0.0/12 and 169.254.0.0/16). This should be sufficient for most
private/home users.
Feedback welcome.
commonly used by viruses as added feature, when the specific AV is
detected on the infected machine, crashing the system just to annoy. Or
by a human attacker, after a successful remote intrusion with
unprivileged credentials to make a computer resource unavailable to its
intended users. Besides, this could be a very valuable resource when
trying to fake some service that answers broadcast requests, like DHCP,
allowing to start the service in another location replacing the original
one.
1) BITDEFENDER ANTIVIRUS (BID 28741, CVE-2008-1735)
Barracuda Networks AG Security Advisory 07/08/2011
Summary
-----------------------------
Malformed DHCPv6 packets cause RPC to become unresponsive.
Technical Details
-----------------------------
Hi Yossi,
Are you doing something funky with your IP address, e.g., NAT'ed/short DHCP
lease? The reason I ask is because in 2008, Adrian Pastor stated
authentication in the 3Com Wireless 8760 was linked to the source IP
address [1]. It may well be the case (as you have discovered) that it
allows arbitrary IP addresses to access the config once an administrator
has authenticated... However, I just wanted to hit this badboy up in case
there was some confusion.
Summary
-------
Template Security has discovered a serious Denial of Service
(DoS) vulnerability in the BlueCat Networks Adonis DNS/DHCP
Appliance. When XHA is configured to place two Adonis
servers in an active-passive pair to provide high
availability, a remote attacker can transmit a single UDP
datagram to crash the heartbeat control process. This can
be used for example to create an active/active condition in
Hello,
I've been playing with the DHCPd bug in *Ubuntu Linux*. According to the
analysis by Core it could be theoretically possible to get a shell ("the
possibility of using it to execute arbitrary code on vulnerable systems was
not investigated in-depth and should not be disregarded"):
http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1962