ID CVE-2009-1893
Summary The configtest function in the Red Hat dhcpd init script for DHCP 3.0.1 in Red Hat Enterprise Linux (RHEL) 3 allows local users to overwrite arbitrary files via a symlink attack on an unspecified temporary file, related to the "dhcpd -t" command.
References
Vulnerable Configurations
  • Red Hat Enterprise Linux 3.0
    cpe:2.3:o:redhat:enterprise_linux:3.0
  • cpe:2.3:o:redhat:enterprise_linux:3.0:-:as
  • cpe:2.3:o:redhat:enterprise_linux:3.0:-:es
  • cpe:2.3:o:redhat:enterprise_linux:3.0:-:ws
  • cpe:2.3:a:isc:dhcp:3.0.1:rc1
  • cpe:2.3:a:isc:dhcp:3.0.1:rc2
  • cpe:2.3:a:isc:dhcp:3.0.1:rc5
  • cpe:2.3:a:isc:dhcp:3.0.1:rc6
  • cpe:2.3:a:isc:dhcp:3.0.1:rc7
  • cpe:2.3:a:isc:dhcp:3.0.1:rc8
  • cpe:2.3:a:isc:dhcp:3.0.1:rc9
  • cpe:2.3:a:isc:dhcp:3.0.1:rc10
  • cpe:2.3:a:isc:dhcp:3.0.1:rc11
  • cpe:2.3:a:isc:dhcp:3.0.1:rc12
  • cpe:2.3:a:isc:dhcp:3.0.1:rc13
  • cpe:2.3:a:isc:dhcp:3.0.1:rc14
CVSS
Base: 6.9 (as of 17-07-2009 - 13:09)
Impact:
Exploitability:
CWE CWE-59
CAPEC
  • Symlink Attack
    An attacker positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name. The endpoint file may be either output or input. If the file is output, the result is that the endpoint is modified, instead of a file at the intended location. Modifications to the endpoint file may include appending, overwriting, corrupting, changing permissions, or other modifications. In some variants of this attack the attacker may be able to control the change to a file while in other cases they cannot. The former is especially damaging since the attacker may be able to grant themselves increased privileges or insert false information, but the latter can also be damaging as it can expose sensitive information or corrupt or destroy vital system or application files. Alternatively, the endpoint file may serve as input to the targeted application. This can be used to feed malformed input into the target or to cause the target to process different information, possibly allowing the attacker to control the actions of the target or to cause the target to expose information to the attacker. Moreover, the actions taken on the endpoint file are undertaken with the permissions of the targeted user or application, which may exceed the permissions that the attacker would normally have.
  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker either to directly access an executable file, for example through shell access, or, in the worst case, to upload a file and then execute it. Web servers, FTP servers, and message-oriented middleware systems with many integration points are particularly vulnerable, because both the programmers and the administrators must be in sync regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files: when the executable loads a resource (such as an image file or configuration file), the attacker has modified that file either to execute malicious code directly or to manipulate the target process (e.g. an application server) into acting on malicious configuration parameters. Since systems increasingly mash up resources from local and remote sources, the likelihood of this attack is high. The attack can be directed at a client system, such as causing a buffer overrun by loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files: the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/), e.g. http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here. The client assumes it is reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes: the attacker edits a resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE application server, where adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but once that file is manipulated, the attacker gains full control.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
Access
Vector LOCAL
Complexity MEDIUM
Authentication NONE
Impact
Confidentiality COMPLETE
Integrity COMPLETE
Availability COMPLETE
nessus via4
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-1154.NASL
    description From Red Hat Security Advisory 2009:1154 : Updated dhcp packages that fix two security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The Mandriva Linux Engineering Team discovered a stack-based buffer overflow flaw in the ISC DHCP client. If the DHCP client were to receive a malicious DHCP response, it could crash or execute arbitrary code with the permissions of the client (root). (CVE-2009-0692) An insecure temporary file use flaw was discovered in the DHCP daemon's init script ('/etc/init.d/dhcpd'). A local attacker could use this flaw to overwrite an arbitrary file with the output of the 'dhcpd -t' command via a symbolic link attack, if a system administrator executed the DHCP init script with the 'configtest', 'restart', or 'reload' option. (CVE-2009-1893) Users of DHCP should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67891
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67891
    title Oracle Linux 3 : dhcp (ELSA-2009-1154)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-1154.NASL
    description Updated dhcp packages that fix two security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The Mandriva Linux Engineering Team discovered a stack-based buffer overflow flaw in the ISC DHCP client. If the DHCP client were to receive a malicious DHCP response, it could crash or execute arbitrary code with the permissions of the client (root). (CVE-2009-0692) An insecure temporary file use flaw was discovered in the DHCP daemon's init script ('/etc/init.d/dhcpd'). A local attacker could use this flaw to overwrite an arbitrary file with the output of the 'dhcpd -t' command via a symbolic link attack, if a system administrator executed the DHCP init script with the 'configtest', 'restart', or 'reload' option. (CVE-2009-1893) Users of DHCP should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 39801
    published 2009-07-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=39801
    title CentOS 3 : dhcp (CESA-2009:1154)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20090714_DHCP_ON_SL3_X.NASL
    description The Mandriva Linux Engineering Team discovered a stack-based buffer overflow flaw in the ISC DHCP client. If the DHCP client were to receive a malicious DHCP response, it could crash or execute arbitrary code with the permissions of the client (root). (CVE-2009-0692) An insecure temporary file use flaw was discovered in the DHCP daemon's init script ('/etc/init.d/dhcpd'). A local attacker could use this flaw to overwrite an arbitrary file with the output of the 'dhcpd -t' command via a symbolic link attack, if a system administrator executed the DHCP init script with the 'configtest', 'restart', or 'reload' option. (CVE-2009-1893)
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60615
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60615
    title Scientific Linux Security Update : dhcp on SL3.x, SL4.x i386/x86_64
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2009-0014.NASL
    description a. Service Console update for DHCP and third-party library update for DHCP client. DHCP is an Internet-standard protocol by which a computer can be connected to a local network, ask to be given configuration information, and receive from a server enough information to configure itself as a member of that network. A stack-based buffer overflow in the script_write_params method in ISC DHCP dhclient allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0692 to this issue. An insecure temporary file use flaw was discovered in the DHCP daemon's init script ('/etc/init.d/dhcpd'). A local attacker could use this flaw to overwrite an arbitrary file with the output of the 'dhcpd -t' command via a symbolic link attack, if a system administrator executed the DHCP init script with the 'configtest', 'restart', or 'reload' option. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-1893 to this issue. b. Updated Service Console package kernel. Service Console package kernel update to version kernel-2.4.21-58.EL. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-4210, CVE-2008-3275, CVE-2008-0598, CVE-2008-2136, CVE-2008-2812, CVE-2007-6063, CVE-2008-3525 to the security issues fixed in kernel-2.4.21-58.EL. c. JRE Security Update. JRE update to version 1.5.0_18, which addresses multiple security issues that existed in earlier releases of JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_17: CVE-2008-2086, CVE-2008-5347, CVE-2008-5348, CVE-2008-5349, CVE-2008-5350, CVE-2008-5351, CVE-2008-5352, CVE-2008-5353, CVE-2008-5354, CVE-2008-5356, CVE-2008-5357, CVE-2008-5358, CVE-2008-5359, CVE-2008-5360, CVE-2008-5339, CVE-2008-5342, CVE-2008-5344, CVE-2008-5345, CVE-2008-5346, CVE-2008-5340, CVE-2008-5341, CVE-2008-5343, and CVE-2008-5355. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107.
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 42179
    published 2009-10-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42179
    title VMSA-2009-0014 : VMware ESX patches for DHCP, Service Console kernel, and JRE resolve multiple security issues
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-1154.NASL
    description Updated dhcp packages that fix two security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The Mandriva Linux Engineering Team discovered a stack-based buffer overflow flaw in the ISC DHCP client. If the DHCP client were to receive a malicious DHCP response, it could crash or execute arbitrary code with the permissions of the client (root). (CVE-2009-0692) An insecure temporary file use flaw was discovered in the DHCP daemon's init script ('/etc/init.d/dhcpd'). A local attacker could use this flaw to overwrite an arbitrary file with the output of the 'dhcpd -t' command via a symbolic link attack, if a system administrator executed the DHCP init script with the 'configtest', 'restart', or 'reload' option. (CVE-2009-1893) Users of DHCP should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 39799
    published 2009-07-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=39799
    title RHEL 3 : dhcp (RHSA-2009:1154)
  • NASL family Misc.
    NASL id VMWARE_VMSA-2009-0014_REMOTE.NASL
    description The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the following components: ISC DHCP dhclient; Integrated Services Digital Network (ISDN) subsystem; Java Runtime Environment (JRE); Java SE Development Kit (JDK); Java SE Web Start; Linux kernel; Linux kernel 32-bit and 64-bit emulation; Linux kernel Simple Internet Transition INET6; Linux kernel tty; Linux kernel virtual file system (VFS); Red Hat dhcpd init script for DHCP; SBNI WAN driver.
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 89116
    published 2016-03-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89116
    title VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2009-0014) (remote check)
oval via4
  • accepted 2013-04-29T04:14:52.240-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    description The configtest function in the Red Hat dhcpd init script for DHCP 3.0.1 in Red Hat Enterprise Linux (RHEL) 3 allows local users to overwrite arbitrary files via a symlink attack on an unspecified temporary file, related to the "dhcpd -t" command.
    family unix
    id oval:org.mitre.oval:def:11597
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title The configtest function in the Red Hat dhcpd init script for DHCP 3.0.1 in Red Hat Enterprise Linux (RHEL) 3 allows local users to overwrite arbitrary files via a symlink attack on an unspecified temporary file, related to the "dhcpd -t" command.
    version 24
  • accepted 2010-01-11T04:01:40.611-05:00
    class vulnerability
    contributors
    • name Michael Wood
      organization Hewlett-Packard
    definition_extensions
    • comment VMWare ESX Server 3.0.3 is installed
      oval oval:org.mitre.oval:def:6026
    • comment VMware ESX Server 3.5.0 is installed
      oval oval:org.mitre.oval:def:5887
    description The configtest function in the Red Hat dhcpd init script for DHCP 3.0.1 in Red Hat Enterprise Linux (RHEL) 3 allows local users to overwrite arbitrary files via a symlink attack on an unspecified temporary file, related to the "dhcpd -t" command.
    family unix
    id oval:org.mitre.oval:def:6440
    status accepted
    submitted 2009-09-23T15:39:02.000-04:00
    title Red Hat dhcpd init Script Symlink Flaw Lets Local Users Gain Elevated Privileges
    version 4
redhat via4
advisories
bugzilla
id 510024
title CVE-2009-1893 dhcp: insecure temporary file use in the dhcpd init script
oval
AND
  • comment Red Hat Enterprise Linux 3 is installed
    oval oval:com.redhat.rhsa:tst:20060015001
  • OR
    • AND
      • comment dhclient is earlier than 7:3.0.1-10.2_EL3
        oval oval:com.redhat.rhsa:tst:20091154006
      • comment dhclient is signed with Red Hat master key
        oval oval:com.redhat.rhsa:tst:20091136007
    • AND
      • comment dhcp is earlier than 7:3.0.1-10.2_EL3
        oval oval:com.redhat.rhsa:tst:20091154002
      • comment dhcp is signed with Red Hat master key
        oval oval:com.redhat.rhsa:tst:20091136003
    • AND
      • comment dhcp-devel is earlier than 7:3.0.1-10.2_EL3
        oval oval:com.redhat.rhsa:tst:20091154004
      • comment dhcp-devel is signed with Red Hat master key
        oval oval:com.redhat.rhsa:tst:20091136005
rhsa
id RHSA-2009:1154
released 2009-07-14
severity Critical
title RHSA-2009:1154: dhcp security update (Critical)
rpms
  • dhclient-7:3.0.1-10.2_EL3
  • dhcp-7:3.0.1-10.2_EL3
  • dhcp-devel-7:3.0.1-10.2_EL3
refmap via4
bid 35670
confirm https://bugzilla.redhat.com/show_bug.cgi?id=510024
sectrack 1022554
secunia 35831
xf dhcp-dhcpdt-symlink(51718)
Last major update 21-08-2010 - 01:32
Published 17-07-2009 - 12:30
Last modified 28-09-2017 - 21:34