CVE-2014-7912 – (Mobile Pwn2Own) Google Android DHCP Parsing Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2014-7912
The get_option function in dhcp.c in dhcpcd before 6.2.0, as used in dhcpcd 5.x in Android before 5.1 and other products, does not validate the relationship between length fields and the amount of data, which allows remote DHCP servers to execute arbitrary code or cause a denial of service (memory corruption) via a large length value of an option in a DHCPACK message. Vulnerabilidad en la función get_option en dhcp.c en las versiones de dhcpcd anteriores a la 6.2.0, usado en dhcpcd 5.x, en Android en versiones anteriores a la 5.1 y otros productos, no valida la relación entre la longitud de los campos y la cantidad de datos, lo cual permite a servidores DHCP remotos ejecutar código arbitrario o causar una denegación de servicio (corrupción de memoria) a través de un valor de grán longitud de una opción en un mensaje DHCPACK. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Google Android. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing of the DHCP options in a DHCP ACK packet. The vulnerability is triggered when the LENGTH of an option, when added to the current read position, exceeds the actual length of the DHCP options buffer. • http://www.securitytracker.com/id/1033124 http://www.zerodayinitiative.com/advisories/ZDI-15-093 https://android.googlesource.com/platform/external/dhcpcd/+/73c09dd8067250734511d955d8f792b41c7213f0 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2014-6060
https://notcve.org/view.php?id=CVE-2014-6060
The get_option function in dhcpcd 4.0.0 through 6.x before 6.4.3 allows remote DHCP servers to cause a denial of service by resetting the DHO_OPTIONSOVERLOADED option in the (1) bootfile or (2) servername section, which triggers the option to be processed again. La función get_option en dhcpcd 4.0.0 hasta 6.x anterior a 6.4.3 permite a servidores DHCP remotos causar una denegación de servicio mediante la restablecimiento de la opción DHO_OPTIONSOVERLOADED en la sección (1) bootfile o (2) servername, lo que provoca que la opción se vuelva a procesar. • http://advisories.mageia.org/MGASA-2014-0334.html http://roy.marples.name/projects/dhcpcd/ci/1d2b93aa5ce25a8a710082fe2d36a6bf7f5794d5?sbs=0 http://source.android.com/security/bulletin/2016-04-02.html http://www.mandriva.com/security/advisories?name=MDVSA-2014:171 http://www.openwall.com/lists/oss-security/2014/07/30/5 http://www.openwall.com/lists/oss-security/2014/09/01/11 http://www.securityfocus.com/bid/68970 http://www.slackware.com/security/viewer.php?l=slackware-security&y=20 • CWE-399: Resource Management Errors •