informa
/
Vulnerabilities/Threats
News

Mu Security Discovers DHCP Zero-Day

Mu Security discovers Dibbler DHCPv6 zero-day denial of service vulnerability

SUNNYVALE, Calif. -- Mu Security, a pioneer in the new security analyzer market, has discovered and helped remediate a new Dibbler 0-day remote denial of service vulnerability http://labs.musecurity.com/advisories.html

Affected Products/Versions: Dibbler 0.6.0
http://klub.com.pl/dhcpv6/

Product Overview: Dibbler is a portable DHCPv6 implementation. DHCPv6 is the Dynamic Host Configuration Protocol for IPv6, an application-layer protocol used to dynamically assign IPv6 addresses to network components. It can also be used to distribute information which is not otherwise discoverable; the most important case of this is the DNS server.

Vulnerability Details: There are multiple vulnerabilities where a maliciously-crafted packet can crash Dibbler. These include packets with options with large lengths (memory allocation failure via integer overflow), invalid lengths (buffer overread), and malformed IA_NA options in a REBIND message (null pointer dereference).

Options with large lengths can cause integer overflows, which ultimately cause the server to fail to allocate memory and abort. For example, in the TSrvMsg constructor (SrvMessages/SrvMsg.cpp, line 94), the message length is converted using ntohs() and stored in a short (line 109). The length is later passed to option constructors as an int. The length will be sign-extended and may be incorrectly used as a negative signed integer or a large unsigned integer. For example, if the code is OPTION_CLIENTID and the length is -1, the server will eventually attempt to allocate 4294967295 bytes to store the DUID (Misc/DUID.cpp, line 26). This allocation will usually fail and the server will abort.

Invalid lengths: In many places, lengths are not validated against buffer sizes resulting in potential buffer overreads. For example, the TSrvMsg constructor does not check the buffer size correctly before reading the option code and option length (SrvMessages/SrvMsg.cpp, line 106) and does not check the option length against the buffer size before parsing the options.

Malformed IA_NA options in a REBIND message: A REBIND with an invalid IA_NA can cause a null pointer dereference due to a logic error. In TSrvOptIA_NA::rebind() (SrvOptions/SrvOptIA_NA.cpp, line 407), the TAddrIA (ptrIA) is retrieved from the TAddrClient (ptrClient) and then the client (ptrClient) is checked against NULL. The TAddrIA (ptrIA) should be checked against NULL. It can be NULL and the pointer is later dereferenced.

Vendor Response / Solution: Fixed in Dibbler 0.6.1 Available from http://klub.com.pl/dhcpv6/

History:

    May 30, 2007 First contact with vendor
    May 31, 2007 Vendor acknowledges vulnerability
    July 5, 2007 Vendor releases security fix
    July 5, 2007 Notify vendor of additional issues
    July 6, 2007 Vendor releases snapshot
    July 11, 2007 Notify vendor of additional issues
    July 13, 2007 Vendor releases snapshot
    July 30, 2007 Notify vendor of additional issues
    August 26, 2007 Vendor releases snapshot
    August 26, 2007 Vendor releases snapshot
    Sept. 11, 2007 Vendor releases official fix
    Sept. 18, 2007 Advisory released
Credit: This vulnerability was discovered by the Mu Security research team. http://labs.musecurity.com/pgpkey.txt

Mu Security Inc.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5