CVE-2007-5365 - 漏洞详情

CVE-2007-5365 (CNNVD-200710-201)

HIGH 有利用代码

中文标题:

OpenBSD DHCPD服务程序远程栈溢出漏洞

英文标题:

Stack-based buffer overflow in the cons_options function in options.c in dhcpd in OpenBSD 4.0 throug...

CVSS分数: 7.2

发布时间: 2007-10-11 10:00:00

漏洞类型: 授权问题

状态: PUBLISHED

数据质量分数: 0.40

数据版本: v4

漏洞描述

中文描述:

OpenBSD是一款开放源代码Unix类操作系统。 OpenBSD系统的DHCP协议实现上存在缓冲区溢出漏洞，远程攻击者可能利用此漏洞控制服务器。 OpenBSD的options.c文件中的cons_options()函数没有正确地处理DHCP请求。如果远程攻击者所发送的DHCP请求中指定最大消息大小小于最小IP MTU(278)的话，就会在OpenBSD中导致dhcpd(8)覆盖栈缓冲区，执行任意指令。漏洞存在于负责处理从客户端所接收到的DHCP选项的函数中。在src/usr.sbin/dhcpd/options.c文件中： int cons_options(struct packet *inpacket, struct dhcp_packet *outpacket, int mms, struct tree_cache **options, int overload, /* Overload flags that may be set. */ int terminate, int bootpp, u_int8_t *prl, int prl_len) { unsigned char priority_list[300]; int priority_len; unsigned char buffer[4096]; /* Really big buffer... */ int main_buffer_size; int mainbufix, bufix; int option_size; int length; dhcp.h中定义了DHCP_FIXED_LEN： if (!mms && inpacket && inpacket->options[DHO_DHCP_MAX_MESSAGE_SIZE].data && (inpacket->options[DHO_DHCP_MAX_MESSAGE_SIZE].len >= sizeof(u_int16_t))) mms = getUShort( inpacket->options[DHO_DHCP_MAX_MESSAGE_SIZE].data); if (mms) main_buffer_size = mms - DHCP_FIXED_LEN; else if (bootpp) main_buffer_size = 64; else main_buffer_size = 576 - DHCP_FIXED_LEN; if (main_buffer_size > sizeof(buffer)) main_buffer_size = sizeof(buffer); main_buffer_size是有符型，可被攻击者控制。只要main_buffer_size是比较小的正整数(<= 4096)，执行流就会正常进行： /* Copy the options into the big buffer... */ option_size = store_options( buffer, (main_buffer_size - 7 + ((overload & 1) ? DHCP_FILE_LEN : 0)+ ((overload & 2) ? DHCP_SNAME_LEN : 0)), options, priority_list, priority_len, main_buffer_size, (main_buffer_size + ((overload & 1) ? DHCP_FILE_LEN : 0)), terminate); /* Put the cookie up front... */ memcpy(outpacket->options, DHCP_OPTIONS_COOKIE, 4); mainbufix = 4; 这里如果main_buffer_size为比较小的正值的话(<= 7)，就会导致store_options迅速退出，执行流会继续。具体来讲，只要客户端报文中的Maximum Segment Size值(mms)满足(DHCP_FIXED_LEN < mms < DHCP_FIXED_LEN+4)这个条件，main_buffer_size就会为小于4的正数。 if (option_size <= main_buffer_size - mainbufix) { memcpy(&outpacket->options[mainbufix], buffer, option_size); mainbufix += option_size; if (mainbufix < main_buffer_size) outpacket->options[mainbufix++] = DHO_END; length = DHCP_FIXED_NON_UDP + mainbufix; } else { outpacket->options[mainbufix++] = DHO_DHCP_OPTION_OVERLOAD; outpacket->options[mainbufix++] = 1; if (option_size > main_buffer_size - mainbufix + DHCP_FILE_LEN) outpacket->options[mainbufix++] = 3; else outpacket->options[mainbufix++] = 1; memcpy(&outpacket->options[mainbufix], buffer, main_buffer_size - mainbufix); 用负数的第三个参数触发memcpy(3)调用就会导致覆盖大部分的进程内存。

英文描述:

Stack-based buffer overflow in the cons_options function in options.c in dhcpd in OpenBSD 4.0 through 4.2, and some other dhcpd implementations based on ISC dhcp-2, allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a DHCP request specifying a maximum message size smaller than the minimum IP MTU.

CWE类型:

CWE-119

受影响产品

厂商	产品	版本	版本范围	平台	CPE
debian	debian_linux	3.1	-	-	`cpe:2.3:o:debian:debian_linux:3.1:::::::*`
debian	debian_linux	4.0	-	-	`cpe:2.3:o:debian:debian_linux:4.0:::::::*`
openbsd	openbsd	4.0	-	-	`cpe:2.3:o:openbsd:openbsd:4.0:::::::*`
openbsd	openbsd	4.1	-	-	`cpe:2.3:o:openbsd:openbsd:4.1:::::::*`
openbsd	openbsd	4.2	-	-	`cpe:2.3:o:openbsd:openbsd:4.2:::::::*`
redhat	enterprise_linux	2.1	-	-	`cpe:2.3:o:redhat:enterprise_linux:2.1::as:::::`
redhat	linux_advanced_workstation	2.1	-	-	`cpe:2.3:o:redhat:linux_advanced_workstation:2.1::itanium:::::`
sun	opensolaris	snv_01	-	-	`cpe:2.3:o:sun:opensolaris:snv_01::sparc:::::`
sun	opensolaris	snv_02	-	-	`cpe:2.3:o:sun:opensolaris:snv_02::sparc:::::`
sun	opensolaris	snv_03	-	-	`cpe:2.3:o:sun:opensolaris:snv_03::sparc:::::`
sun	opensolaris	snv_04	-	-	`cpe:2.3:o:sun:opensolaris:snv_04::sparc:::::`
sun	opensolaris	snv_05	-	-	`cpe:2.3:o:sun:opensolaris:snv_05::sparc:::::`
sun	opensolaris	snv_06	-	-	`cpe:2.3:o:sun:opensolaris:snv_06::sparc:::::`
sun	opensolaris	snv_07	-	-	`cpe:2.3:o:sun:opensolaris:snv_07::sparc:::::`
sun	opensolaris	snv_08	-	-	`cpe:2.3:o:sun:opensolaris:snv_08::sparc:::::`
sun	opensolaris	snv_09	-	-	`cpe:2.3:o:sun:opensolaris:snv_09::sparc:::::`
sun	opensolaris	snv_10	-	-	`cpe:2.3:o:sun:opensolaris:snv_10::sparc:::::`
sun	opensolaris	snv_11	-	-	`cpe:2.3:o:sun:opensolaris:snv_11::sparc:::::`
sun	opensolaris	snv_12	-	-	`cpe:2.3:o:sun:opensolaris:snv_12::sparc:::::`
sun	opensolaris	snv_13	-	-	`cpe:2.3:o:sun:opensolaris:snv_13::sparc:::::`
sun	opensolaris	snv_14	-	-	`cpe:2.3:o:sun:opensolaris:snv_14::sparc:::::`
sun	opensolaris	snv_15	-	-	`cpe:2.3:o:sun:opensolaris:snv_15::sparc:::::`
sun	opensolaris	snv_16	-	-	`cpe:2.3:o:sun:opensolaris:snv_16::sparc:::::`
sun	opensolaris	snv_17	-	-	`cpe:2.3:o:sun:opensolaris:snv_17::sparc:::::`
sun	opensolaris	snv_18	-	-	`cpe:2.3:o:sun:opensolaris:snv_18::sparc:::::`
sun	opensolaris	snv_19	-	-	`cpe:2.3:o:sun:opensolaris:snv_19::sparc:::::`
sun	opensolaris	snv_20	-	-	`cpe:2.3:o:sun:opensolaris:snv_20::sparc:::::`
sun	opensolaris	snv_21	-	-	`cpe:2.3:o:sun:opensolaris:snv_21::sparc:::::`
sun	opensolaris	snv_22	-	-	`cpe:2.3:o:sun:opensolaris:snv_22::sparc:::::`
sun	opensolaris	snv_23	-	-	`cpe:2.3:o:sun:opensolaris:snv_23::sparc:::::`
sun	opensolaris	snv_24	-	-	`cpe:2.3:o:sun:opensolaris:snv_24::sparc:::::`
sun	opensolaris	snv_25	-	-	`cpe:2.3:o:sun:opensolaris:snv_25::sparc:::::`
sun	opensolaris	snv_26	-	-	`cpe:2.3:o:sun:opensolaris:snv_26::sparc:::::`
sun	opensolaris	snv_27	-	-	`cpe:2.3:o:sun:opensolaris:snv_27::sparc:::::`
sun	opensolaris	snv_28	-	-	`cpe:2.3:o:sun:opensolaris:snv_28::sparc:::::`
sun	opensolaris	snv_29	-	-	`cpe:2.3:o:sun:opensolaris:snv_29::sparc:::::`
sun	opensolaris	snv_30	-	-	`cpe:2.3:o:sun:opensolaris:snv_30::sparc:::::`
sun	opensolaris	snv_31	-	-	`cpe:2.3:o:sun:opensolaris:snv_31::sparc:::::`
sun	opensolaris	snv_32	-	-	`cpe:2.3:o:sun:opensolaris:snv_32::sparc:::::`
sun	opensolaris	snv_33	-	-	`cpe:2.3:o:sun:opensolaris:snv_33::sparc:::::`
sun	opensolaris	snv_34	-	-	`cpe:2.3:o:sun:opensolaris:snv_34::sparc:::::`
sun	opensolaris	snv_35	-	-	`cpe:2.3:o:sun:opensolaris:snv_35::sparc:::::`
sun	opensolaris	snv_36	-	-	`cpe:2.3:o:sun:opensolaris:snv_36::sparc:::::`
sun	opensolaris	snv_37	-	-	`cpe:2.3:o:sun:opensolaris:snv_37::sparc:::::`
sun	opensolaris	snv_38	-	-	`cpe:2.3:o:sun:opensolaris:snv_38::sparc:::::`
sun	opensolaris	snv_39	-	-	`cpe:2.3:o:sun:opensolaris:snv_39::sparc:::::`
sun	opensolaris	snv_40	-	-	`cpe:2.3:o:sun:opensolaris:snv_40::sparc:::::`
sun	opensolaris	snv_41	-	-	`cpe:2.3:o:sun:opensolaris:snv_41::sparc:::::`
sun	opensolaris	snv_42	-	-	`cpe:2.3:o:sun:opensolaris:snv_42::sparc:::::`
sun	opensolaris	snv_43	-	-	`cpe:2.3:o:sun:opensolaris:snv_43::sparc:::::`
sun	opensolaris	snv_44	-	-	`cpe:2.3:o:sun:opensolaris:snv_44::sparc:::::`
sun	opensolaris	snv_45	-	-	`cpe:2.3:o:sun:opensolaris:snv_45::sparc:::::`
sun	opensolaris	snv_46	-	-	`cpe:2.3:o:sun:opensolaris:snv_46::sparc:::::`
sun	opensolaris	snv_47	-	-	`cpe:2.3:o:sun:opensolaris:snv_47::sparc:::::`
sun	opensolaris	snv_48	-	-	`cpe:2.3:o:sun:opensolaris:snv_48::sparc:::::`
sun	opensolaris	snv_49	-	-	`cpe:2.3:o:sun:opensolaris:snv_49::sparc:::::`
sun	opensolaris	snv_50	-	-	`cpe:2.3:o:sun:opensolaris:snv_50::sparc:::::`
sun	opensolaris	snv_51	-	-	`cpe:2.3:o:sun:opensolaris:snv_51::sparc:::::`
sun	opensolaris	snv_52	-	-	`cpe:2.3:o:sun:opensolaris:snv_52::sparc:::::`
sun	opensolaris	snv_53	-	-	`cpe:2.3:o:sun:opensolaris:snv_53::sparc:::::`
sun	opensolaris	snv_54	-	-	`cpe:2.3:o:sun:opensolaris:snv_54::sparc:::::`
sun	opensolaris	snv_55	-	-	`cpe:2.3:o:sun:opensolaris:snv_55::sparc:::::`
sun	opensolaris	snv_56	-	-	`cpe:2.3:o:sun:opensolaris:snv_56::sparc:::::`
sun	opensolaris	snv_57	-	-	`cpe:2.3:o:sun:opensolaris:snv_57::sparc:::::`
sun	opensolaris	snv_58	-	-	`cpe:2.3:o:sun:opensolaris:snv_58::sparc:::::`
sun	opensolaris	snv_59	-	-	`cpe:2.3:o:sun:opensolaris:snv_59::sparc:::::`
sun	opensolaris	snv_60	-	-	`cpe:2.3:o:sun:opensolaris:snv_60::sparc:::::`
sun	opensolaris	snv_61	-	-	`cpe:2.3:o:sun:opensolaris:snv_61::sparc:::::`
sun	opensolaris	snv_62	-	-	`cpe:2.3:o:sun:opensolaris:snv_62::sparc:::::`
sun	opensolaris	snv_63	-	-	`cpe:2.3:o:sun:opensolaris:snv_63::sparc:::::`
sun	opensolaris	snv_64	-	-	`cpe:2.3:o:sun:opensolaris:snv_64::sparc:::::`
sun	opensolaris	snv_65	-	-	`cpe:2.3:o:sun:opensolaris:snv_65::sparc:::::`
sun	opensolaris	snv_66	-	-	`cpe:2.3:o:sun:opensolaris:snv_66::sparc:::::`
sun	opensolaris	snv_67	-	-	`cpe:2.3:o:sun:opensolaris:snv_67::sparc:::::`
sun	opensolaris	snv_68	-	-	`cpe:2.3:o:sun:opensolaris:snv_68::sparc:::::`
sun	opensolaris	snv_69	-	-	`cpe:2.3:o:sun:opensolaris:snv_69::sparc:::::`
sun	opensolaris	snv_70	-	-	`cpe:2.3:o:sun:opensolaris:snv_70::sparc:::::`
sun	opensolaris	snv_71	-	-	`cpe:2.3:o:sun:opensolaris:snv_71::sparc:::::`
sun	opensolaris	snv_72	-	-	`cpe:2.3:o:sun:opensolaris:snv_72::sparc:::::`
sun	opensolaris	snv_73	-	-	`cpe:2.3:o:sun:opensolaris:snv_73::sparc:::::`
sun	opensolaris	snv_74	-	-	`cpe:2.3:o:sun:opensolaris:snv_74::sparc:::::`
sun	opensolaris	snv_75	-	-	`cpe:2.3:o:sun:opensolaris:snv_75::sparc:::::`
sun	opensolaris	snv_76	-	-	`cpe:2.3:o:sun:opensolaris:snv_76::sparc:::::`
sun	opensolaris	snv_77	-	-	`cpe:2.3:o:sun:opensolaris:snv_77::sparc:::::`
sun	opensolaris	snv_78	-	-	`cpe:2.3:o:sun:opensolaris:snv_78::sparc:::::`
sun	opensolaris	snv_79	-	-	`cpe:2.3:o:sun:opensolaris:snv_79::sparc:::::`
sun	opensolaris	snv_80	-	-	`cpe:2.3:o:sun:opensolaris:snv_80::sparc:::::`
sun	opensolaris	snv_81	-	-	`cpe:2.3:o:sun:opensolaris:snv_81::sparc:::::`
sun	opensolaris	snv_82	-	-	`cpe:2.3:o:sun:opensolaris:snv_82::sparc:::::`
sun	opensolaris	snv_83	-	-	`cpe:2.3:o:sun:opensolaris:snv_83::sparc:::::`
sun	opensolaris	snv_84	-	-	`cpe:2.3:o:sun:opensolaris:snv_84::sparc:::::`
sun	opensolaris	snv_85	-	-	`cpe:2.3:o:sun:opensolaris:snv_85::sparc:::::`
sun	opensolaris	snv_86	-	-	`cpe:2.3:o:sun:opensolaris:snv_86::sparc:::::`
sun	opensolaris	snv_87	-	-	`cpe:2.3:o:sun:opensolaris:snv_87::sparc:::::`
sun	opensolaris	snv_88	-	-	`cpe:2.3:o:sun:opensolaris:snv_88::sparc:::::`
sun	opensolaris	snv_89	-	-	`cpe:2.3:o:sun:opensolaris:snv_89::sparc:::::`
sun	opensolaris	snv_90	-	-	`cpe:2.3:o:sun:opensolaris:snv_90::sparc:::::`
sun	opensolaris	snv_91	-	-	`cpe:2.3:o:sun:opensolaris:snv_91::sparc:::::`
sun	opensolaris	snv_92	-	-	`cpe:2.3:o:sun:opensolaris:snv_92::sparc:::::`
sun	opensolaris	snv_93	-	-	`cpe:2.3:o:sun:opensolaris:snv_93::sparc:::::`
sun	opensolaris	snv_94	-	-	`cpe:2.3:o:sun:opensolaris:snv_94::sparc:::::`
sun	opensolaris	snv_95	-	-	`cpe:2.3:o:sun:opensolaris:snv_95::sparc:::::`
sun	opensolaris	snv_96	-	-	`cpe:2.3:o:sun:opensolaris:snv_96::sparc:::::`
sun	opensolaris	snv_97	-	-	`cpe:2.3:o:sun:opensolaris:snv_97::sparc:::::`
sun	opensolaris	snv_98	-	-	`cpe:2.3:o:sun:opensolaris:snv_98::sparc:::::`
sun	opensolaris	snv_99	-	-	`cpe:2.3:o:sun:opensolaris:snv_99::sparc:::::`
sun	opensolaris	snv_100	-	-	`cpe:2.3:o:sun:opensolaris:snv_100::sparc:::::`
sun	opensolaris	snv_101	-	-	`cpe:2.3:o:sun:opensolaris:snv_101::sparc:::::`
sun	opensolaris	snv_102	-	-	`cpe:2.3:o:sun:opensolaris:snv_102::sparc:::::`
sun	solaris	8.0	-	-	`cpe:2.3:o:sun:solaris:8.0::sparc:::::`
sun	solaris	9.0	-	-	`cpe:2.3:o:sun:solaris:9.0::sparc:::::`
sun	solaris	10.0	-	-	`cpe:2.3:o:sun:solaris:10.0::sparc:::::`
ubuntu	ubuntu_linux	6.06	-	-	`cpe:2.3:o:ubuntu:ubuntu_linux:6.06:_nil_:lts:::::*`
ubuntu	ubuntu_linux	6.10	-	-	`cpe:2.3:o:ubuntu:ubuntu_linux:6.10:::::::*`
ubuntu	ubuntu_linux	7.04	-	-	`cpe:2.3:o:ubuntu:ubuntu_linux:7.04:::::::*`
ubuntu	ubuntu_linux	7.10	-	-	`cpe:2.3:o:ubuntu:ubuntu_linux:7.10:::::::*`

解决方案

中文解决方案:

（暂无数据）

英文解决方案:

（暂无数据）

临时解决方案:

（暂无数据）

参考链接

27338 third-party-advisory
cve.org

访问

27350 third-party-advisory
cve.org

访问

ADV-2008-3088 vdb-entry
cve.org

访问

4601 exploit
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

[4.2] 20071008 001: SECURITY FIX: October 8, 2007 vendor-advisory
cve.org

访问

25984 vdb-entry
cve.org

访问

20071102 DoS Exploit for DHCPd bug (Bugtraq ID 25984 ; CVE-2007-5365) mailing-list
cve.org

访问

openbsd-dhcp-bo(37045) vdb-entry
cve.org

访问

RHSA-2007:0970 vendor-advisory
cve.org

访问

DSA-1388 vendor-advisory
cve.org

访问

无标题 x_refsource_MISC
cve.org

访问

USN-531-1 vendor-advisory
cve.org

访问

oval:org.mitre.oval:def:5817 vdb-entry
cve.org

访问

USN-531-2 vendor-advisory
cve.org

访问

27160 third-party-advisory
cve.org

访问

20071011 CORE-2007-0928: Stack-based buffer overflow vulnerability in OpenBSDâ??s DHCP server mailing-list
cve.org

访问

27273 third-party-advisory
cve.org

访问

[4.0] 20071008 016: SECURITY FIX: October 8, 2007 vendor-advisory
cve.org

访问

243806 vendor-advisory
cve.org

访问

32668 third-party-advisory
cve.org

访问

[4.1] 20071008 010: SECURITY FIX: October 8, 2007 vendor-advisory
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

1018794 vdb-entry
cve.org

访问

1021157 vdb-entry
cve.org

访问

32213 vdb-entry
cve.org

访问

Download Exploit EDB-4601 EXPLOIT
exploitdb

访问

CVE Reference: CVE-2008-5010 ADVISORY
cve.org

访问

CVE Reference: CVE-2007-5365 ADVISORY
cve.org

访问

CVSS评分详情

7.2

HIGH

CVSS向量: AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS版本: 2.0

机密性

COMPLETE

完整性

COMPLETE

可用性

COMPLETE

时间信息

发布时间:

2007-10-11 10:00:00

修改时间:

2024-08-07 15:31:57

创建时间:

2025-11-11 15:32:47

更新时间:

2026-01-26 02:18:01

利用信息

此漏洞有可利用代码！

利用代码数量: 1

利用来源:

未知

数据源详情

数据源	记录ID	版本	提取时间
CVE	`cve_CVE-2007-5365`	2025-11-11 15:17:56	2025-11-11 07:32:47
NVD	`nvd_CVE-2007-5365`	2025-11-11 14:52:12	2025-11-11 07:41:33
CNNVD	`cnnvd_CNNVD-200710-201`	2025-11-11 15:08:58	2025-11-11 07:49:21
EXPLOITDB	`exploitdb_EDB-4601`	2025-11-11 15:05:27	2025-11-11 08:49:44

版本与语言

当前版本: v4

主要语言: EN

支持语言:

EN ZH

其他标识符:

安全公告

暂无安全公告信息

变更历史

v4 EXPLOITDB

2025-11-11 16:49:44

references_count: 27 → 30; tags_count: 0 → 5; data_sources: ['cnnvd', 'cve', 'nvd'] → ['cnnvd', 'cve', 'exploitdb', 'nvd']

查看详细变更

references_count: 27 -> 30
tags_count: 0 -> 5
data_sources: ['cnnvd', 'cve', 'nvd'] -> ['cnnvd', 'cve', 'exploitdb', 'nvd']

v3 CNNVD

2025-11-11 15:49:21

vulnerability_type: 未提取 → 授权问题; cnnvd_id: 未提取 → CNNVD-200710-201; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']

查看详细变更

vulnerability_type: 未提取 -> 授权问题
cnnvd_id: 未提取 -> CNNVD-200710-201
data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']

v2 NVD

2025-11-11 15:41:33

severity: SeverityLevel.MEDIUM → SeverityLevel.HIGH; cvss_score: 未提取 → 7.2; cvss_vector: NOT_EXTRACTED → AV:L/AC:L/Au:N/C:C/I:C/A:C; cvss_version: NOT_EXTRACTED → 2.0; affected_products_count: 0 → 116; data_sources: ['cve'] → ['cve', 'nvd']

查看详细变更

severity: SeverityLevel.MEDIUM -> SeverityLevel.HIGH
cvss_score: 未提取 -> 7.2
cvss_vector: NOT_EXTRACTED -> AV:L/AC:L/Au:N/C:C/I:C/A:C
cvss_version: NOT_EXTRACTED -> 2.0
affected_products_count: 0 -> 116
data_sources: ['cve'] -> ['cve', 'nvd']

CVE-2007-5365 (CNNVD-200710-201)

中文标题:

OpenBSD DHCPD服务程序远程栈溢出漏洞

英文标题:

Stack-based buffer overflow in the cons_options function in options.c in dhcpd in OpenBSD 4.0 throug...

漏洞描述

中文描述:

英文描述:

CWE类型:

标签:

受影响产品

解决方案

中文解决方案:

英文解决方案:

临时解决方案:

参考链接

CVSS评分详情

时间信息

利用信息

数据源详情

版本与语言

安全公告

变更历史