funsec mailing list archives
Can You Trust Your IP Address?
From: Jon Kibler <Jon.Kibler () aset com>
Date: Mon, 27 Jul 2009 22:58:05 -0400
Yeah, only slightly misleading subject... more precisely, can you trust your DHCP server to give you an IP address? Not if you plan to attend BH/DC -- unless you have patched dhclient within the past couple of days:

http://www.milw0rm.com/exploits/9265

A rogue, malicious DHCP server. Just feed it an msfpayload, and... well, you know how the story ends!!

 * ISC DHCP dhclient < 3.1.2p1 Remote Exploit
 *
 * Information:
 *
 * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692
 *
 * Stack-based buffer overflow in the script_write_params method in
 * client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before
 * 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to
 * execute arbitrary code via a crafted subnet-mask option.
 *
 * Usage:
 *
 * $ gcc cve-2009-0692.c -o cve-2009-0692 -lpcap -ldnet
 * $ sudo ./cve-2009-0692
 * [+] listening on eth0: ip and udp and src port 68 and dst port 67
 * [+] snarfed DHCP request from 00:19:d1:90:e5:4a with xid 0x120f8920
 * [+] sending malicious DHCP response to 00:19:d1:90:e5:4a with xid 0x120f8920
 *
 * $ gdb /sbin/dhclient
 * ...
 * DHCPREQUEST on eth0 to 255.255.255.255 port 67
 * DHCPACK from 0.6.9.2
 * ...
 * Program received signal SIGSEGV, Segmentation fault.
 * 0x41414141 in ?? ()
 *
 * Notes:
 * Exclusively for use at DEFCON next week. ;-)

Jon

--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-813-2924 (NEW!)
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is: BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
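An added defensive example, not from the post or from ISC's dhclient code: a small DHCP option parser that flags a subnet-mask option (option 1) whose length is not the four bytes RFC 2132 specifies, which is the malformed input class the CVE-2009-0692 entry quoted above describes. The DHCPACK bytes are constructed for the demonstration (the xid reuses the value shown in the post); the function and constant names are this example's own.

```python
# Added example (not from the post or ISC DHCP): parse DHCP options and flag a
# subnet-mask option whose length is not the 4 bytes RFC 2132 requires.
OPT_PAD, OPT_SUBNET_MASK, OPT_MSG_TYPE, OPT_END = 0, 1, 53, 255
DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that ends the BOOTP header
BOOTP_HEADER_LEN = 236             # op..file fields, fixed-size


def parse_dhcp_options(payload: bytes) -> list:
    """Return [(code, value), ...] from a DHCP message (UDP payload, from 'op')."""
    if len(payload) < BOOTP_HEADER_LEN + 4 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (missing magic cookie)")
    options, i = [], BOOTP_HEADER_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:          # single-byte option, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:     # length claims more bytes than remain
            raise ValueError("truncated option value")
        options.append((code, value))
        i += 2 + length
    return options


def check_subnet_mask(options) -> list:
    """Findings for option 1 values that are not exactly 4 bytes long."""
    return [f"subnet-mask option length {len(v)} (expected 4)"
            for c, v in options if c == OPT_SUBNET_MASK and len(v) != 4]


def build_dhcp_reply(options: bytes) -> bytes:
    """Constructed DHCPACK for testing: BOOTP reply header, cookie, options, END."""
    header = bytes([2, 1, 6, 0]) + b"\x12\x0f\x89\x20"    # op=BOOTREPLY, xid
    header += b"\x00" * (BOOTP_HEADER_LEN - len(header))  # remaining fields zeroed
    return header + DHCP_MAGIC + options + bytes([OPT_END])


# Constructed samples: a well-formed ACK and one carrying an oversized mask.
GOOD_ACK = build_dhcp_reply(bytes([OPT_MSG_TYPE, 1, 5, OPT_SUBNET_MASK, 4]) + b"\xff\xff\xff\x00")
BAD_ACK = build_dhcp_reply(bytes([OPT_MSG_TYPE, 1, 5, OPT_SUBNET_MASK, 16]) + b"\xff" * 16)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_ACK), ("bad", BAD_ACK)):
        print(name, check_subnet_mask(parse_dhcp_options(pkt)) or "ok")
```

The same check can be run over DHCP payloads pulled from a capture on UDP port 68 to spot a server handing out malformed leases on a conference network.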
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.