lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <472B913F.70603@rs-labs.com>
Date: Fri, 02 Nov 2007 22:06:07 +0100
From: Roman Medina-Heigl Hernandez <roman@...labs.com>
To: bugtraq@...urityfocus.com,
	Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: DoS Exploit for DHCPd bug (Bugtraq ID 25984 ; CVE-2007-5365)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

I've been playing with DHCPd bug in *Ubuntu Linux*. According to the
analysis by Core it could be theoretically possible to get a shell ("the
possibility of using it to execute arbitrary code on vulnerable systems was
not investigated in-depth and should not be disregarded"):
http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1962

But in practice it doesn't seems to be possible because vulnerable memcpy
tries to write past the end of the stack region (it tries to write ~64
kbytes, when available stack space is ~8 kbytes), so you always get an
instant "Segmentation fault", without any chance to control EIP.

DoS exploit is quite trivial. DHCPd crashes using mms values:
278 <= mms <= 284
I've attached working (DoS) exploit.

If some code-ninja has any idea about how to overcome the former
exploitation problem, please, I'd  be interested in knowing it (perhaps
performing a previous DHCP operation in order for the stack to be expanded,
before launching the real exploit?).

- --

Saludos,
- -Roman

PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFHK5E/5H+KferVZ0IRAuf1AKD2B2UIccm8xNOM/WIkhNUiad4VigCePom0
KdZvmNSuBNnefofp7g/RY+M=
=bLqK
-----END PGP SIGNATURE-----

Download attachment "DoS-CVE-2007-5365.tgz" of type "application/octet-stream" (13988 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ