Potential UAF in ISC DHCP (with RCE opportunity)
As submitted (encrypted) to Security Officer:
Hi,
I'm a security researcher. I found a potential UAF in the ISC DHCP project.
Details:
In function store_options:
    oc = lookup_option (u, cfg_options, code);
    ......
    struct buffer *bp = (struct buffer *)0;
    if (!buffer_allocate (&bp, length, MDL)) {
        option_cache_dereference (&oc, MDL);
        data_string_forget (&od, MDL);
        data_string_forget (&encapsulation, MDL);
        continue;
    }
The variable oc is obtained from lookup_option, but that function does not take a reference on oc. However, if buffer_allocate fails under some condition, the code will try to dereference oc. If oc has only one reference, or if we can trigger this several times, oc will be freed while some objects still hold a reference to it.
Impact:
This may be triggered by a client that can access port 68 of the target host, to gain RCE.
No proof of concept that this can actually be used to trigger RCE, so currently this is a theoretical vulnerability only.
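The reference-counting shape the report describes, as an added illustration that is not ISC DHCP's own code: a toy option cache whose lookup returns a borrowed pointer without taking a reference, an error path that drops a reference anyway (the reported pattern), and a balanced variant that takes its own reference before the failing call. All toy_* names, the slot table and the "freed" flag (used in place of free() so a dangling table entry can be detected safely) are hypothetical stand-ins for option_cache, lookup_option, buffer_allocate and option_cache_dereference.

```c
/* Added example, not ISC DHCP code: a toy refcounted option cache that
 * reproduces the pattern in the report. All toy_* names are hypothetical. */
#include <stdlib.h>
#include <string.h>
#define TOY_SLOTS 8

struct toy_option_cache {
    int refcnt;   /* owners currently holding a pointer */
    int code;
    int freed;    /* set instead of free() so a dangling entry can be detected */
};

struct toy_option_state {
    struct toy_option_cache *entries[TOY_SLOTS];   /* each slot owns one reference */
};

static void toy_reference(struct toy_option_cache **dst, struct toy_option_cache *src) {
    *dst = src;
    src->refcnt++;
}

static void toy_dereference(struct toy_option_cache **ptr) {
    struct toy_option_cache *oc = *ptr;
    *ptr = NULL;
    if (--oc->refcnt == 0)
        oc->freed = 1;   /* the real code would free(oc) here */
}

/* Like lookup_option: returns the table's pointer WITHOUT taking a reference. */
static struct toy_option_cache *toy_lookup_option(struct toy_option_state *s, int code) {
    for (int i = 0; i < TOY_SLOTS; i++)
        if (s->entries[i] && s->entries[i]->code == code)
            return s->entries[i];
    return NULL;
}

/* Stand-in for buffer_allocate; force_fail simulates the failing branch. */
static int toy_buffer_allocate(char **bp, size_t len, int force_fail) {
    if (force_fail)
        return 0;
    *bp = calloc(1, len);
    return *bp != NULL;
}

/* The reported shape: oc is borrowed, yet the error path drops a reference. */
static int store_option_buggy(struct toy_option_state *s, int code, int force_fail) {
    struct toy_option_cache *oc = toy_lookup_option(s, code);
    char *bp = NULL;
    if (!oc)
        return -1;
    if (!toy_buffer_allocate(&bp, 64, force_fail)) {
        toy_dereference(&oc);   /* BUG: releases the table's only reference */
        return 0;
    }
    free(bp);
    return 1;
}

/* Balanced variant: take a reference first, so each dereference matches one this function owns. */
static int store_option_fixed(struct toy_option_state *s, int code, int force_fail) {
    struct toy_option_cache *oc = NULL, *found = toy_lookup_option(s, code);
    char *bp = NULL;
    if (!found)
        return -1;
    toy_reference(&oc, found);
    if (!toy_buffer_allocate(&bp, 64, force_fail)) {
        toy_dereference(&oc);   /* releases only what we took above */
        return 0;
    }
    free(bp);
    toy_dereference(&oc);
    return 1;
}

/* Does any table slot still point at an object that has been "freed"? */
static int toy_table_dangles(struct toy_option_state *s) {
    for (int i = 0; i < TOY_SLOTS; i++)
        if (s->entries[i] && s->entries[i]->freed)
            return 1;
    return 0;
}

/* Run one scenario with a single cached option; returns 1 if the table is left dangling. */
static int scenario_dangles(int use_fixed, int force_fail) {
    struct toy_option_state s;
    struct toy_option_cache *oc = calloc(1, sizeof(*oc));
    memset(&s, 0, sizeof(s));
    oc->code = 53;
    toy_reference(&s.entries[0], oc);   /* the table holds the only reference */
    if (use_fixed)
        store_option_fixed(&s, 53, force_fail);
    else
        store_option_buggy(&s, 53, force_fail);
    int dangles = toy_table_dangles(&s);
    free(oc);
    return dangles;
}
```

With the allocation forced to fail, the buggy path leaves the table pointing at a "freed" object after a single call, which is the condition the report describes when oc has only one reference; the balanced variant leaves the table's reference untouched on both the failing and the succeeding path.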