CVSS: 6.8EPSS: 1%CPEs: 2EXPL: 0CVE-2014-7912 – (Mobile Pwn2Own) Google Android DHCP Parsing Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2014-7912
The get_option function in dhcp.c in dhcpcd before 6.2.0, as used in dhcpcd 5.x in Android before 5.1 and other products, does not validate the relationship between length fields and the amount of data, which allows remote DHCP servers to execute arbitrary code or cause a denial of service (memory corruption) via a large length value of an option in a DHCPACK message. Vulnerabilidad en la función get_option en dhcp.c en las versiones de dhcpcd anteriores a la 6.2.0, usado en dhcpcd 5.x, en Android en versiones anteriores a la 5.1 y otros productos, no valida la relación entre la longitud de los campos y la cantidad de datos, lo cual permite a servidores DHCP remotos ejecutar código arbitrario o causar una denegación de servicio (corrupción de memoria) a través de un valor de grán longitud de una opción en un mensaje DHCPACK. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Google Android. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing of the DHCP options in a DHCP ACK packet. The vulnerability is triggered when the LENGTH of an option, when added to the current read position, exceeds the actual length of the DHCP options buffer. • http://www.securitytracker.com/id/1033124 http://www.zerodayinitiative.com/advisories/ZDI-15-093 https://android.googlesource.com/platform/external/dhcpcd/+/73c09dd8067250734511d955d8f792b41c7213f0 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.5EPSS: 9%CPEs: 1EXPL: 0CVE-2012-2152
https://notcve.org/view.php?id=CVE-2012-2152
Stack-based buffer overflow in the get_packet method in socket.c in dhcpcd 3.2.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long packet. Desbordamiento de búfer basado en pila en el método de get_packet socket.c en dhcpcd v3.2.3 permite a atacantes remotos causar una denegación de servicio (caída) y posiblemente ejecutar código arbitrario a través de un paquete de gran longitud. • http://www.debian.org/security/2012/dsa-2498 http://www.openwall.com/lists/oss-security/2012/05/02/4 http://www.openwall.com/lists/oss-security/2012/05/02/5 http://www.securityfocus.com/bid/53354 https://bugzilla.novell.com/show_bug.cgi?id=760334 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 6.8EPSS: 1%CPEs: 1EXPL: 0CVE-2011-0996
https://notcve.org/view.php?id=CVE-2011-0996
dhcpcd before 5.2.12 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message. dhcpcd antes de v5.2.12 permite a atacantes remotos ejecutar comandos de su elección vía metacaracteres encubiertos en un nombre de host obtenido a partir de un mensaje DHCP. • http://roy.marples.name/archives/dhcpcd-discuss/2011/0326.html http://roy.marples.name/projects/dhcpcd/changeset/c317b39786ac6c3a939dc711db7c78cf099859fd http://roy.marples.name/projects/dhcpcd/timeline http://secunia.com/advisories/44070 http://security.gentoo.org/glsa/glsa-201301-04.xml http://www.securityfocus.com/bid/47272 https://bugzilla.novell.com/show_bug.cgi?id=675052 https://exchange.xforce.ibmcloud.com/vulnerabilities/66641 • CWE-20: Improper Input Validation •