format string report
format string bugs in ISC DHCP
While examining ISC DHCP's source code, I noticed a couple of format string bugs in the following locations:
To reproduce these bugs on Ubuntu 22.04, you may follow these steps:
raptor@fnord:~$ cp /sbin/dhclient . # copy to local directory to bypass apparmor policy raptor@fnord:~$ echo "include foo" > %n%n%n%n raptor@fnord:~$ echo "include foo" > %x%x%x%x raptor@fnord:~$ ./dhclient -cf %n%n%n%n # write to memory, caught by exploit mitigations *** %n in writable segment detected *** raptor@fnord:~$ ./dhclient -cf %x%x%x%x # read from memory, notice the leak in the syslog file RTNETLINK answers: Operation not permitted RTNETLINK answers: Operation not permitted raptor@fnord:~$ grep "filename string expected" /var/log/syslog Apr 7 19:28:01 fnord dhclient: 7cb92e0d7200 line 1: filename string expected.
I've just noticed ISC DHCP has recently reached EOL and I can't think of any scenario in which these bugs could be exploited in order to cross a security boundary. However, as format string bugs are a very powerful exploitation primitive, in my opinion they should be fixed in any case just to be careful.
Please let me know if you intend to issue a fix and/or request a CVE ID.
-- Marco Ivaldi