Bugtraq mailing list archives

Re: bootpd remote vulnerability


From: irwin () PHOENIX PRINCETON EDU (Irwin Tillman)
Date: Fri, 4 Dec 1998 15:50:52 -0500


John McDonald <jmcdonal () UNF EDU> wrote:

I've discovered a remote buffer overflow in the bootpd daemon that, to
my knowledge, is distributed with most Linuxes and BSDs.
...

I have not attempted to determine if Solaris, Irix, Digital Unix, or any
other OSes are vulnerable.
...
The problem is that we can specify a htype that is past the end of the
hwinfolist table.
...


Unpatched CMU dhcpd 3.3.7 (which traces its roots to the old bootpd)
was also vulnerable.  Princeton patch 6 (the most recent patch, released
July 1998) fixed it.

The PU patches are at http://www.princeton.edu/~irwin/dhcpd.html.

/ist
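
Added example, not part of the original message and not the bootpd, CMU dhcpd or Princeton patch code: one way to validate the htype byte of an incoming BOOTP packet before it is used as an index into a hardware-type table. The table contents, the names check_hw and probe, and the status codes are assumptions made for illustration; the field offsets and sizes follow RFC 951.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the hwinfolist table named in the post,
 * indexed by the BOOTP htype byte. Lengths are constructed; 0 = unsupported. */
struct hwinfo { unsigned hlen; const char *name; };
static const struct hwinfo hwinfolist[] = {
    {0, "Reserved"}, {6, "Ethernet"}, {1, "Exp. Ethernet"},
    {0, "AX.25"}, {1, "ProNET"}, {0, "Chaos"}, {6, "IEEE 802"},
};
#define HW_COUNT   (sizeof hwinfolist / sizeof hwinfolist[0])
#define CHADDR_MAX 16u   /* size of the chaddr field (RFC 951) */
#define BOOTP_MIN  300u  /* fixed BOOTP packet size (RFC 951) */

enum hw_status { HW_OK = 0, HW_SHORT, HW_BAD_TYPE, HW_BAD_LEN };

/* Validate htype (pkt[1]) and hlen (pkt[2]) from an untrusted packet
 * before any table lookup. On success *out points at the table entry. */
enum hw_status check_hw(const uint8_t *pkt, size_t len,
                        const struct hwinfo **out)
{
    if (pkt == NULL || len < BOOTP_MIN) return HW_SHORT;
    uint8_t htype = pkt[1], hlen = pkt[2];
    /* The check whose absence the post describes: htype comes from the
     * network (0..255) but the table has only HW_COUNT entries. */
    if (htype >= HW_COUNT) return HW_BAD_TYPE;
    const struct hwinfo *hw = &hwinfolist[htype];
    if (hw->hlen == 0) return HW_BAD_TYPE;   /* type not supported */
    if (hlen != hw->hlen || hlen > CHADDR_MAX) return HW_BAD_LEN;
    *out = hw;
    return HW_OK;
}

/* Constructed sample: a zeroed 300-byte request with the given htype/hlen. */
enum hw_status probe(uint8_t htype, uint8_t hlen)
{
    uint8_t pkt[BOOTP_MIN] = {1 /* op = BOOTREQUEST */};
    const struct hwinfo *hw = NULL;
    pkt[1] = htype; pkt[2] = hlen;
    return check_hw(pkt, sizeof pkt, &hw);
}

int main(void)
{
    printf("ethernet: %d, htype 200: %d, hlen 32: %d\n",
           probe(1, 6), probe(200, 6), probe(1, 32));
    return 0;
}
```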


