Saturday, July 22, 2006

DHCP Exploit Publicly Available (MS06-036)

Published: 2006-07-22, Last Updated: 2006-07-22 13:21:20 UTC by Swa Frantzen (Version: 1)

As a "present" for blackhat an exploit against the DHCP client of Windows 2000 was released publicly. See MS06-036 for more details.

The exploit claims to add the user "bl4ck" with a very insecure password and might cause the service to terminate. The author left some suggestions for "improvement" in the source code, so expect potentially nastier versions to be used in real life. If you still have not patched your Windows client systems, it is a very good time to do so now.

The nature of DHCP makes it so that any device on a LAN can answer any and all DHCP requests. So be sure people understand there is no need to attack or compromise any server first. Detecting this is helped slightly by DHCP's use of broadcasts (the client doesn't have an IP address). It is quite imaginable that this gets used not just over wired networks - where the defending staff could disable a port in a worst-case scenario - but also over wireless networks, hotspots, hotels etc. where no such option is available. Or it could be used in a multi-stage attack where this gets inside your network in other ways and then does its "magic" on the local LAN.

-----------------------------------

After talking to a couple of friends, this exploit isn't the best in the world. Exploitation of the bug will crash the DHCP service, leaving the target box without an IP address....that is the rub.

Anyways, I know a couple of people that are looking into the issue...but this one is pretty tricky to use. This trickiness will hopefully give corporate patch administrators the time to make the patch package and get it rolling...

http://www.milw0rm.com/exploits/2054

-Technocrat
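The diary's point that any device on the LAN can answer DHCP requests, and that the broadcasts help detection, can be turned into a simple sensor check. The following is an added example, not part of the original post or diary: it parses the UDP payload of DHCP replies and flags OFFER/ACK messages from servers outside an allowlist, as well as replies with truncated options. The `AUTHORIZED` address, the function names and the sample packets are assumptions constructed for illustration.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie (RFC 2131)
OFFER, ACK = 2, 5             # values of option 53, DHCP message type (RFC 2132)
AUTHORIZED = {"192.0.2.1"}    # assumption: the site's only legitimate DHCP server

def parse_options(data):
    """Walk the TLV option field; raise ValueError on a truncated option."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:       # end option
            break
        if code == 0:         # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("option %d runs past end of packet" % code)
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def check_reply(payload, src_ip):
    """Return a finding string for a suspicious DHCP reply, else None."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC:
        return None           # not a BOOTREPLY carrying DHCP options
    try:
        opts = parse_options(payload[240:])
    except ValueError as exc:
        return "malformed reply from %s: %s" % (src_ip, exc)
    mtype = opts.get(53) or b"\x00"
    if mtype[0] not in (OFFER, ACK):
        return None
    sid = opts.get(54, b"")   # option 54: server identifier
    server = socket.inet_ntoa(sid) if len(sid) == 4 else src_ip
    if server in AUTHORIZED and src_ip in AUTHORIZED:
        return None           # assumes the sensor sees unrelayed server traffic
    mac = ":".join("%02x" % b for b in payload[28:34])   # chaddr field
    return "unauthorized DHCP server %s (src %s) answering client %s" % (server, src_ip, mac)

def build_reply(server_ip, client_mac, msg_type=OFFER):
    """Constructed sample: minimal BOOTREPLY with options 53 and 54."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                      b"", b"", b"", b"", client_mac, b"", b"")
    return hdr + MAGIC + bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server_ip) + b"\xff"
```

On managed switches, DHCP snooping enforces the same allowlist at the port level; a passive check like this one is for segments such as wireless or guest networks where that control is not in place.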
