Date: Fri, 4 Dec 1998 15:50:52 -0500
From: Irwin Tillman <irwin@PHOENIX.PRINCETON.EDU>
Subject: Re: bootpd remote vulnerability
To: BUGTRAQ@NETSPACE.ORG

John McDonald <jmcdonal@UNF.EDU> wrote:

>I've discovered a remote buffer overflow in the bootpd daemon that, to
>my knowledge, is distributed with most linuxs and bsds.
>...
>
>I have not attempted to determine if Solaris, Irix, Digital Unix, or any
>other OS's are vulnerable.
>...
>The problem is that we can specify a htype that is past the end of the
>hwinfolist table.
>...

Unpatched CMU dhcpd 3.3.7 (which traces its roots to the old bootpd) was
also vulnerable. Princeton patch 6 (the most recent patch, released July 1998)
fixed it.

The PU patches are at http://www.princeton.edu/~irwin/dhcpd.html.

/ist
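Added example, not part of the original post and not code from bootpd, CMU dhcpd or the Princeton patches: a sketch of the bounds check that the quoted report says was missing, applied to the htype byte of a BOOTP request before it is used as a table index. The table contents, the function names lookup_hwinfo and accepts, and the sample packets are constructed for illustration; the field offsets follow the RFC 951 fixed header.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed table in the spirit of the post's "hwinfolist": indexed by
   the BOOTP htype byte. Entries are illustrative, not bootpd's own. */
struct hwinfo { uint8_t hlen; const char *name; };
static const struct hwinfo hwinfolist[] = {
    { 0, "Reserved" }, { 6, "Ethernet" }, { 1, "Exp. Ethernet" },
    { 0, "AX.25" },    { 1, "ProNET" },   { 0, "Chaos" },
    { 6, "IEEE 802" }, { 1, "ARCNET" },
};
#define HWINFOCNT (sizeof hwinfolist / sizeof hwinfolist[0])

#define BOOTP_FIXED_LEN  300  /* RFC 951 fixed-size message */
#define BOOTP_OFF_HTYPE  1
#define BOOTP_OFF_HLEN   2
#define BOOTP_CHADDR_LEN 16

/* Return the table entry for the packet's htype, or NULL to drop it. */
const struct hwinfo *lookup_hwinfo(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < BOOTP_FIXED_LEN)
        return NULL;
    uint8_t htype = pkt[BOOTP_OFF_HTYPE];
    uint8_t hlen  = pkt[BOOTP_OFF_HLEN];
    if (htype >= HWINFOCNT)           /* index comes off the wire: bound it */
        return NULL;
    const struct hwinfo *hw = &hwinfolist[htype];
    if (hw->hlen == 0 || hlen != hw->hlen || hlen > BOOTP_CHADDR_LEN)
        return NULL;                  /* unsupported type or bad address length */
    return hw;
}

/* Build a constructed, zero-filled request and report 1 if it is accepted. */
int accepts(uint8_t htype, uint8_t hlen, size_t len)
{
    uint8_t pkt[BOOTP_FIXED_LEN];
    memset(pkt, 0, sizeof pkt);
    pkt[0] = 1;                       /* op = BOOTREQUEST */
    pkt[BOOTP_OFF_HTYPE] = htype;
    pkt[BOOTP_OFF_HLEN]  = hlen;
    return lookup_hwinfo(pkt, len <= sizeof pkt ? len : sizeof pkt) != NULL;
}

int main(void)
{
    printf("htype=1   hlen=6: %d\n", accepts(1, 6, BOOTP_FIXED_LEN));
    printf("htype=200 hlen=6: %d\n", accepts(200, 6, BOOTP_FIXED_LEN));
    return 0;
}
```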