Vulnerabilities > CVE-2005-0876 - Remote vulnerability in Dnsmasq
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL
(CVSS v2 AV:N/AC:L/Au:N/C:N/I:N/A:P, i.e. availability-only for this CVE on its own; this matches the vector in the Slackware plugin below. The dnsmasq version-check plugin 17631 instead rates C:P/I:P/A:P because it bundles CVE-2005-0877, the DNS cache-poisoning issue, with this one.)
Summary
Off-by-one buffer overflow in Dnsmasq before 2.21 may allow attackers to execute arbitrary code via the DHCP lease file. The trigger described by Nessus plugin 17631 is a DHCP lease request carrying a long hostname and client-id: the lease is written to the lease file and the overflow occurs when dnsmasq reads that file back, so the crash (or possible code execution) is deferred until the daemon next restarts. The Slackware advisory characterises the impact as a denial of service that any DHCP client can cause. Fixed in dnsmasq 2.21; Slackware shipped 2.22.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 7 |
Nessus
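NASL family DNS NASL id DNSMASQ_MULTIPLE_FLAWS.NASL description The remote host is running dnsmasq, a DHCP and DNS server. The version of dnsmasq installed on the remote host contains an off-by-one boundary error when reading a DHCP lease file. An attacker can leverage this issue to cause the application to crash or possible execute arbitrary code the next time it is restarted by sending a long hostname and client-id when requesting a DHCP lease. In addition, the application only checks the 16-bit ID against current queries when receiving DNS replies. An attacker may be able to send a flood of DNS replies and poison the DNS cache. last seen 2020-06-01 modified 2020-06-02 plugin id 17631 published 2005-03-25 reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/17631 title dnsmasq < 2.21.0 Multiple Remote Vulnerabilities code
#
# (C) Tenable Network Security, Inc.
#
# Remote, version-based check for dnsmasq < 2.21.0 (CVE-2005-0876 lease-file
# off-by-one, CVE-2005-0877 weak DNS reply matching). The version string comes
# from the dns_version.nasl dependency (dnsmasq answers the BIND.VERSION query),
# so this is only a banner check: it runs in paranoid mode only and is flagged
# as a potential vulnerability rather than a confirmed one.
#

include("compat.inc");

if (description)
{
  script_id(17631);
  script_version("1.23");
  script_cvs_date("Date: 2018/11/15 20:50:21");

  script_cve_id("CVE-2005-0876", "CVE-2005-0877");
  script_bugtraq_id(12897);

  script_name(english:"dnsmasq < 2.21.0 Multiple Remote Vulnerabilities");
  script_summary(english:"Checks the version of dnsmasq");

  script_set_attribute(attribute:"synopsis", value:"The remote DNS / DHCP service is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote host is running dnsmasq, a DHCP and DNS server. The version of dnsmasq installed on the remote host contains an off-by-one boundary error when reading a DHCP lease file. An attacker can leverage this issue to cause the application to crash or possible execute arbitrary code the next time it is restarted by sending a long hostname and client-id when requesting a DHCP lease. In addition, the application only checks the 16-bit ID against current queries when receiving DNS replies. 
An attacker may be able to send a flood of DNS replies and poison the DNS cache.");
  script_set_attribute(attribute:"see_also", value:"https://secuniaresearch.flexerasoftware.com/advisories/14691");
  script_set_attribute(attribute:"see_also", value:"http://www.thekelleys.org.uk/dnsmasq/CHANGELOG");
  script_set_attribute(attribute:"solution", value:"Upgrade to dnsmasq 2.21.0 or later.");

  # The base vectors cover both CVEs together, which is why they rate C/I
  # impact that the lease-file overflow (CVE-2005-0876) alone is not given.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/03/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/03/25");

  # Banner-only detection: the reported version is not proof of the flaw.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:thekelleys:dnsmasq");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
  script_family(english:"DNS");

  script_dependencie("dns_version.nasl");
  script_require_keys("dns_server/version", "Settings/ParanoidReport");
  script_require_ports("Services/dns", 53);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

app_name = "dnsmasq";

# Port the DNS service was found on; fall back to the default 53/udp.
port = get_kb_item("Services/udp/dns");
if (!port) port = 53;

# Version-only check: only report when the scan policy allows paranoid results.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# dnsmasq replies to BIND.VERSION
version = get_kb_item_or_exit("dns_server/version");
version = tolower(version);
display_version = version;

# Anchored to match the extraction pattern below; a banner that merely
# contains "dnsmasq-" somewhere would otherwise pass here but not be parsed.
if (version !~ "^dnsmasq-(v)?") audit(AUDIT_NOT_LISTEN, app_name, port);

version = ereg_replace(pattern:"^dnsmasq-(v)?(.*)$", replace:"\2", string:version);

# A bare major version is not enough to decide 2.20 vs 2.21.
if (version == '2') audit(AUDIT_VER_NOT_GRANULAR, app_name, port, display_version);

# Vulnerable: anything 0.x / 1.x, and 2.0 .. 2.20 (2.21 is the fix).
if (version =~ "^([01]\.|2\.([0-9]$|1[0-9]$|20))")
{
  report =
    '\n' +
    '\n Installed version : ' + display_version +
    '\n Fixed version : dnsmasq-2.21' +
    '\n';
  # Report against the port the service was actually detected on, not a
  # hard-coded 53, so the finding matches the audit() calls above.
  security_report_v4(port:port, proto:"udp", severity:SECURITY_HOLE, extra:report);
}
else audit(AUDIT_LISTEN_NOT_VULN, app_name, port, display_version, 'udp');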
NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2005-201-01.NASL description New dnsmasq packages are available for Slackware 10.0, 10.1, and -current to fix security issues. An off-by-one overflow vulnerability may allow a DHCP client to create a denial of service condition. Additional code was also added to detect and defeat attempts to poison the DNS cache. last seen 2020-06-01 modified 2020-06-02 plugin id 19850 published 2005-10-05 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19850 title Slackware 10.0 / 10.1 / current : dnsmasq (SSA:2005-201-01) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Slackware Security Advisory 2005-201-01. The text
# itself is copyright (C) Slackware Linux, Inc.
#
# Local (authenticated, via ssh_get_info.nasl) package-version check: the
# host is affected when its installed dnsmasq package is older than the
# dnsmasq-2.22-i486-1 build shipped with SSA:2005-201-01.
#

include("compat.inc");

if (description)
{
  script_id(19850);
  script_version("1.15");
  script_cvs_date("Date: 2019/10/25 13:36:20");

  script_cve_id("CVE-2005-0876", "CVE-2005-0877");
  script_xref(name:"SSA", value:"2005-201-01");

  script_name(english:"Slackware 10.0 / 10.1 / current : dnsmasq (SSA:2005-201-01)");
  script_summary(english:"Checks for updated package in /var/log/packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Slackware host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"New dnsmasq packages are available for Slackware 10.0, 10.1, and -current to fix security issues. An off-by-one overflow vulnerability may allow a DHCP client to create a denial of service condition. Additional code was also added to detect and defeat attempts to poison the DNS cache."
  );
  # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2005&m=slackware-security.383134
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?155556d9"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected dnsmasq package."
  );
  # Availability-only vector, in line with the advisory's DoS description.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:dnsmasq");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/07/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/05");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/03/23");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Slackware Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("slackware.inc");

# Preconditions: credentialed scan, Slackware host, package list collected.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86 / x86_64 builds are covered by this advisory's package checks.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);

# Same fixed package for every release; count how many release checks match.
affected = 0;
foreach osver (make_list("10.0", "10.1", "current"))
{
  if (slackware_check(osver:osver, pkgname:"dnsmasq", pkgver:"2.22", pkgarch:"i486", pkgnum:"1"))
    affected++;
}

if (!affected) audit(AUDIT_HOST_NOT, "affected");

# DoS-rated issue: report as a warning, with package details when verbose.
if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());
else security_warning(0);
exit(0);