DoS Exploit for DHCPd bug (Bugtraq ID 25984 ; CVE-2007-5365)
From: Roman Medina-Heigl Hernandez <roman () rs-labs com>
Date: Fri, 02 Nov 2007 22:06:07 +0100
I've been playing with the DHCPd bug in *Ubuntu Linux*. According to the
analysis by Core it could theoretically be possible to get a shell ("the
possibility of using it to execute arbitrary code on vulnerable systems was
not investigated in-depth and should not be disregarded"):
But in practice it doesn't seem to be possible because the vulnerable memcpy
tries to write past the end of the stack region (it tries to write ~64
kbytes, when the available stack space is ~8 kbytes), so you always get an
instant "Segmentation fault", without any chance to control EIP.
The DoS exploit is quite trivial. DHCPd crashes using mms values:
278 <= mms <= 284
I've attached a working (DoS) exploit.
If some code-ninja has any idea about how to overcome the former
exploitation problem, please, I'd be interested in knowing it (perhaps
performing a previous DHCP operation in order for the stack to be expanded,
before launching the real exploit?).
09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
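A defender's companion to the crash window quoted in the post, added here and not part of Roman's message, his attachment or the dhcpd code: it parses the options of a BOOTP/DHCP UDP payload, extracts option 57 (Maximum DHCP Message Size, RFC 2132, the "mms" of the post) and flags values in the reported 278..284 range so such packets can be logged or alerted on. The sample payloads are constructed in `build_sample`, not captures.

```python
import struct

# DHCP option codes (RFC 2132). Option 57 is the "mms" the post refers to.
OPT_PAD, OPT_MAX_MSG_SIZE, OPT_END = 0, 57, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FIXED_LEN = 236              # op .. file fields preceding the cookie
MMS_CRASH_RANGE = range(278, 285)  # 278 <= mms <= 284, as reported in the post


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {code: value} for a BOOTP/DHCP UDP payload; truncated options raise."""
    if len(payload) < BOOTP_FIXED_LEN + 4:
        raise ValueError("payload shorter than BOOTP header plus cookie")
    if payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, BOOTP_FIXED_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("option %d has no length byte" % code)
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        opts[code] = value
        i += 2 + length
    return opts

def mms_of(payload: bytes):
    """Maximum Message Size (16-bit, network order) or None if absent/malformed."""
    v = parse_dhcp_options(payload).get(OPT_MAX_MSG_SIZE)
    return struct.unpack("!H", v)[0] if v is not None and len(v) == 2 else None

def in_crash_window(payload: bytes) -> bool:
    """Flag payloads whose option 57 lies in the range the post says crashes dhcpd."""
    mms = mms_of(payload)
    return mms is not None and mms in MMS_CRASH_RANGE

def build_sample(mms: int) -> bytes:
    """Constructed DHCPDISCOVER payload (not a capture) carrying option 57 = mms."""
    fixed = bytes([1, 1, 6, 0]) + b"\x00" * (BOOTP_FIXED_LEN - 4)  # op, htype, hlen, hops, zeroed rest
    opts = bytes([53, 1, 1])                                       # option 53: DHCPDISCOVER
    opts += bytes([OPT_MAX_MSG_SIZE, 2]) + struct.pack("!H", mms)
    return fixed + MAGIC_COOKIE + opts + bytes([OPT_END])
```

A typical client advertises 576 or larger, so a flag on this narrow window is specific enough to alert on rather than merely count.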
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/