[8673] in bugtraq

Re: bootpd remote vulnerability

daemon@ATHENA.MIT.EDU (Irwin Tillman)
Fri Dec 4 17:35:28 1998

Date: 	Fri, 4 Dec 1998 15:50:52 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Irwin Tillman <irwin@PHOENIX.PRINCETON.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Message from John McDonald <jmcdonal@UNF.EDU> dated "Fri, 04 Dec
              1998 10:45:40 EST."
              <Pine.OSF.4.02.9812032011120.31977-100000@osprey.unf.edu>

John McDonald <jmcdonal@UNF.EDU> wrote:

>I've discovered a remote buffer overflow in the bootpd daemon that, to
>my knowledge, is distributed with most linuxs and bsds.
>...
>
>I have not attempted to determine if Solaris, Irix, Digital Unix, or any
>other OS's are vulnerable.
>...
>The problem is that we can specify a htype that is past the end of the
>hwinfolist table.
>...


Unpatched CMU dhcpd 3.3.7 (which traces its roots to the old bootpd)
was also vulnerable.  Princeton patch 6 (the most recent patch, released
July 1998) fixed it.

The PU patches are at http://www.princeton.edu/~irwin/dhcpd.html.

/ist
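
As an added illustration of the flaw quoted above (an htype value that indexes past the end of hwinfolist), and not code from bootpd, CMU dhcpd or the Princeton patch: a bounds-checked lookup in C. Only `htype` and `hwinfolist` are names from the post; the table contents, `hw_lookup_checked`, `sample_accepted` and the hlen consistency check are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BOOTP_FIXED_LEN 236  /* RFC 951 header up to, not including, the vendor area */
#define BOOTP_CHADDR_LEN 16  /* size of the chaddr field */

struct hwinfo { unsigned int hlen; const char *name; };

/* Constructed table indexed by htype; hlen 0 marks a type this example does not serve. */
static const struct hwinfo hwinfolist[] = {
    { 0, "reserved" }, { 6, "Ethernet" }, { 0, "unserved" }, { 0, "unserved" },
    { 0, "unserved" }, { 0, "unserved" }, { 6, "IEEE 802" },
};
#define HWINFOCNT (sizeof(hwinfolist) / sizeof(hwinfolist[0]))

/* Returns the table entry for a request, or NULL if the packet must be dropped.
 * The flaw described in the post is this lookup without the htype range check. */
const struct hwinfo *hw_lookup_checked(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < BOOTP_FIXED_LEN)
        return NULL;                      /* truncated datagram */
    uint8_t htype = pkt[1];               /* taken from the network, untrusted */
    uint8_t hlen = pkt[2];                /* taken from the network, untrusted */
    if ((size_t)htype >= HWINFOCNT)
        return NULL;                      /* index past the end of hwinfolist */
    const struct hwinfo *hw = &hwinfolist[htype];
    if (hw->hlen == 0 || hlen != hw->hlen || hlen > BOOTP_CHADDR_LEN)
        return NULL;                      /* unserved type or inconsistent length */
    return hw;
}

/* Builds a constructed, zero-filled request of pkt_len bytes and reports acceptance. */
int sample_accepted(uint8_t htype, uint8_t hlen, size_t pkt_len)
{
    uint8_t pkt[300];
    if (pkt_len > sizeof(pkt))
        return 0;
    memset(pkt, 0, sizeof(pkt));
    pkt[0] = 1;                           /* op = BOOTREQUEST */
    pkt[1] = htype;
    pkt[2] = hlen;
    return hw_lookup_checked(pkt, pkt_len) != NULL;
}

int main(void)
{
    printf("htype=1: %d, htype=200: %d\n",
           sample_accepted(1, 6, 300), sample_accepted(200, 6, 300));
    return 0;
}
```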