[funsec] Can You Trust Your IP Address?
Jon Kibler
Jon.Kibler at aset.com
Mon Jul 27 21:58:05 CDT 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Yeah, only slightly misleading subject... more precisely, can you trust your
DHCP server to give you an IP address? Not if you plan to attend BH/DC -- unless
you have patched dhclient within the past couple of days:
http://www.milw0rm.com/exploits/9265
A rogue, malicious DHCP server. Just feed it an msfpayload, and... well, you
know how the story ends!!
*ISC DHCP dhclient < 3.1.2p1 Remote Exploit
* Information:
*
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692
*
* Stack-based buffer overflow in the script_write_params method in
* client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before
* 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to
* execute arbitrary code via a crafted subnet-mask option.
*
* Usage:
*
* $ gcc cve-2009-0692.c -o cve-2009-0692 -lpcap -ldnet
* $ sudo ./cve-2009-0692
* [+] listening on eth0: ip and udp and src port 68 and dst port 67
* [+] snarfed DHCP request from 00:19:d1:90:e5:4a with xid 0x120f8920
* [+] sending malicious DHCP response to 00:19:d1:90:e5:4a with xid 0x120f8920
*
* $ gdb /sbin/dhclient
* ...
* DHCPREQUEST on eth0 to 255.255.255.255 port 67
* DHCPACK from 0.6.9.2
* ...
* Program received signal SIGSEGV, Segmentation fault.
* 0x41414141 in ?? ()
*
* Notes:
* Exclusively for use at DEFCON next week. ;-)
Jon
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-813-2924 (NEW!)
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler
My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkpuaT0ACgkQUVxQRc85QlO/+gCcCtZ7vXNpA1UiTpssjjvAzn9V
lKgAoI0H/u89asLivMvbtuXcZPyoKXPn
=SqX8
-----END PGP SIGNATURE-----
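The bug the advisory text above describes is a fixed-size address buffer filled with an attacker-controlled option length: the DHCP option length byte allows up to 255 bytes, the client's address structure holds far fewer, and the copy was not bounded. The C below is an added illustration, not dhclient's source and not the milw0rm exploit: it shows the unchecked copy pattern beside a checked one, plus a minimal walker over the DHCP options field (TLV after the magic cookie) that applies the check. The struct layout, function names and the two sample option fields are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative layout (assumption): a fixed-size address holder,
 * while a single DHCP option may carry up to 255 bytes of data. */
struct iaddr {
    unsigned len;
    unsigned char iabuf[16];
};

#define DHO_PAD         0
#define DHO_SUBNET_MASK 1
#define DHO_END         255

/* Vulnerable pattern: trusts the length byte from the wire.
 * With len > sizeof iabuf this writes past the structure; if the
 * structure lives on the stack, that is the stack overflow from the
 * advisory. Never feed it an untrusted length. */
void copy_mask_unchecked(struct iaddr *out, const unsigned char *data, unsigned len)
{
    memcpy(out->iabuf, data, len);
    out->len = len;
}

/* Hardened: an IPv4 subnet mask is exactly 4 bytes; reject anything else
 * before touching the buffer. Returns 0 on success, -1 on rejection. */
int copy_mask_checked(struct iaddr *out, const unsigned char *data, unsigned len)
{
    if (len != 4)
        return -1;
    memcpy(out->iabuf, data, len);
    out->len = len;
    return 0;
}

/* Walk a DHCP options field, locate the subnet-mask option and hand it to
 * the checked copier. Every option length is also validated against the
 * remaining buffer so a lying length byte cannot read past the packet.
 * Returns 0 if a valid mask was copied, -1 if absent or malformed. */
int extract_subnet_mask(const unsigned char *opts, size_t optlen, struct iaddr *mask)
{
    size_t i = 0;
    while (i < optlen) {
        unsigned char code = opts[i++];
        if (code == DHO_PAD)
            continue;
        if (code == DHO_END)
            break;
        if (i >= optlen)              /* length byte missing */
            return -1;
        unsigned len = opts[i++];
        if (len > optlen - i)         /* option overruns the packet */
            return -1;
        if (code == DHO_SUBNET_MASK)
            return copy_mask_checked(mask, opts + i, len);
        i += len;
    }
    return -1;
}

/* Constructed sample: a benign options field from a normal DHCPACK. */
const unsigned char good_opts[] = {
    53, 1, 5,                    /* DHCP message type: ACK */
    1, 4, 255, 255, 255, 0,      /* subnet mask 255.255.255.0 */
    51, 4, 0, 0, 0x0e, 0x10,     /* lease time */
    255                          /* end */
};

/* Constructed sample shaped like the advisory's description: a
 * subnet-mask option whose length byte claims 255 bytes of data. */
unsigned char bad_opts[3 + 2 + 255 + 1];

size_t build_bad_opts(void)
{
    size_t n = 0;
    bad_opts[n++] = 53; bad_opts[n++] = 1; bad_opts[n++] = 5;
    bad_opts[n++] = DHO_SUBNET_MASK;
    bad_opts[n++] = 255;
    memset(bad_opts + n, 'A', 255);
    n += 255;
    bad_opts[n++] = DHO_END;
    return n;                    /* 261 bytes */
}

int main(void)
{
    struct iaddr m;
    size_t n = build_bad_opts();
    printf("benign options:  %s\n",
           extract_subnet_mask(good_opts, sizeof good_opts, &m) == 0 ? "mask accepted" : "rejected");
    printf("crafted options: %s\n",
           extract_subnet_mask(bad_opts, n, &m) == 0 ? "mask accepted" : "rejected");
    /* The unchecked copier is only ever safe on data of known size. */
    copy_mask_unchecked(&m, good_opts + 5, 4);
    return 0;
}
```

The point of the walker is that the check belongs at the option boundary, before any copy into a fixed structure: a packet-level length check alone does not help, because the 255-byte option is a perfectly well-formed DHCP option; it is the destination that cannot hold it.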