CVE-2014-7912

(Mobile Pwn2Own) Google Android DHCP Parsing Remote Code Execution Vulnerability

Severity Score

6.8

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The get_option function in dhcp.c in dhcpcd before 6.2.0, as used in dhcpcd 5.x in Android before 5.1 and other products, does not validate the relationship between length fields and the amount of data, which allows remote DHCP servers to execute arbitrary code or cause a denial of service (memory corruption) via a large length value of an option in a DHCPACK message.

Vulnerabilidad en la función get_option en dhcp.c en las versiones de dhcpcd anteriores a la 6.2.0, usado en dhcpcd 5.x, en Android en versiones anteriores a la 5.1 y otros productos, no valida la relación entre la longitud de los campos y la cantidad de datos, lo cual permite a servidores DHCP remotos ejecutar código arbitrario o causar una denegación de servicio (corrupción de memoria) a través de un valor de grán longitud de una opción en un mensaje DHCPACK.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Google Android. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the parsing of the DHCP options in a DHCP ACK packet. The vulnerability is triggered when the LENGTH of an option, when added to the current read position, exceeds the actual length of the DHCP options buffer. An attacker can leverage this vulnerability to execute code on the device.

*Credits: Jüri Aedla

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2014-10-06 CVE Reserved
2015-03-12 CVE Published
2024-08-06 CVE Updated
2024-10-13 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CAPEC

References (3)

URL	Tag	Source
http://www.securitytracker.com/id/1033124	Vdb Entry
http://www.zerodayinitiative.com/advisories/ZDI-15-093	X_refsource_misc
https://android.googlesource.com/platform/external/dhcpcd/+/73c09dd8067250734511d955d8f792b41c7213f0	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Dhcpcd Project Search vendor "Dhcpcd Project"	Dhcpcd Search vendor "Dhcpcd Project" for product "Dhcpcd"	<= 6.1.0 Search vendor "Dhcpcd Project" for product "Dhcpcd" and version " <= 6.1.0"	-	Affected	in	Google Search vendor "Google"	Android Search vendor "Google" for product "Android"	*	-	Safe