ASA-2019-00001 – FreeBSD: bootpd buffer overflow


Allele Security Alert

ASA-2019-00001

Identifier(s)

ASA-2019-00001, FreeBSD-SA-18:15.bootpd, CVE-2018-17161

Title

bootpd buffer overflow

Vendor(s)

The FreeBSD Project

Product(s)

FreeBSD

Affected version(s)

All supported versions of FreeBSD.

Fixed version(s)

stable/12, 12.0-STABLE
releng/12.0, 12.0-RELEASE-p1
stable/11, 11.2-STABLE
releng/11.2, 11.2-RELEASE-p7

Proof of concept

Unknown

Description

Due to insufficient validation of network-provided data, it may be possible for an attacker to craft a bootp packet that could cause a stack buffer overflow.

It is possible that the buffer overflow could lead to a Denial of Service or remote code execution.

Technical details

File: libexec/bootpd/bootpd.c
---
PRIVATE void
handle_request()
{
	/* bp points at the raw receive buffer, so every field is network-provided */
	struct bootp *bp = (struct bootp *) pktbuf;
	struct host *hp = NULL;
	struct host dummyhost;
	int32 bootsize = 0;
	unsigned hlen, hashcode;
	int32 dest;
	char realpath[1024];
	char *clntpath;
	char *homedir, *bootfile;
	int n;
...
	/* Reject a hardware type at or beyond hwinfocnt before it is used */
	if (bp->bp_htype >= hwinfocnt) {
		report(LOG_NOTICE, "bad hw addr type %u", bp->bp_htype);
		return;
	}
...
}
---
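
The excerpt above rejects a `bp_htype` at or beyond `hwinfocnt`. The following added example (not code from this alert or from FreeBSD) applies the same validate-before-index pattern to a simplified BOOTP header parser. It assumes the hardware type indexes a per-type length table; `hw_len`, the function names and the return codes are hypothetical, and the packets are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for this example; not bootpd's real definitions. */
#define CHADDR_OFF 28   /* offset of chaddr in a BOOTP packet (RFC 951) */
#define CHADDR_MAX 16   /* size of the chaddr field */
#define BOOTP_MIN  300  /* fixed BOOTP packet size */

enum { HW_OK = 0, HW_SHORT = -1, HW_BAD_TYPE = -2, HW_BAD_LEN = -3 };

/* Per-type address length, indexed by the packet's htype byte (assumed table). */
static const unsigned hw_len[] = { 0 /* reserved */, 6 /* Ethernet */ };
static const unsigned hw_cnt = sizeof(hw_len) / sizeof(hw_len[0]);

/* Copy the client hardware address out of an untrusted packet. */
int extract_hwaddr(const uint8_t *pkt, size_t len, uint8_t out[CHADDR_MAX])
{
    if (len < BOOTP_MIN)
        return HW_SHORT;
    uint8_t htype = pkt[1], hlen = pkt[2];
    /* Same shape as the bp_htype >= hwinfocnt test in the excerpt:
     * refuse the index before it touches the table. */
    if (htype >= hw_cnt)
        return HW_BAD_TYPE;
    unsigned want = hw_len[htype];
    /* The copy length comes from the table and must fit the field. */
    if (want == 0 || want > CHADDR_MAX || hlen != want)
        return HW_BAD_LEN;
    memcpy(out, pkt + CHADDR_OFF, want);
    return HW_OK;
}

/* Build a constructed all-zero packet with the given header bytes. */
int check_sample(uint8_t htype, uint8_t hlen, size_t len)
{
    uint8_t pkt[BOOTP_MIN] = { 1 /* op = BOOTREQUEST */, htype, hlen };
    uint8_t mac[CHADDR_MAX];
    return extract_hwaddr(pkt, len, mac);
}

int main(void)
{
    printf("ethernet:  %d\n", check_sample(1, 6, BOOTP_MIN));
    printf("bad htype: %d\n", check_sample(200, 6, BOOTP_MIN));
    printf("bad hlen:  %d\n", check_sample(1, 16, BOOTP_MIN));
    printf("truncated: %d\n", check_sample(1, 6, 64));
    return 0;
}
```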

Credits

Reno Robert

Reference(s)

FreeBSD-SA-18:15.bootpd
https://www.freebsd.org/security/advisories/FreeBSD-SA-18:15.bootpd.asc

[base] Revision 342228
https://svnweb.freebsd.org/base?view=revision&revision=r342228

bootpd remote vulnerability
https://marc.info/?l=bugtraq&m=91278867118128&w=2

CVE-2018-17161
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17161

CVE-2018-17161
https://nvd.nist.gov/vuln/detail/CVE-2018-17161

If there is any error in this alert, or if you would like a comprehensive analysis, let us know.

Last modified: February 11, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.