Advisory: Open DHCP Server (V1.75/ V0.1 Beta) Privilege Escalation (CVE-2020-26131)

Summary

Product: Open DHCP Server
Affected versions:

  • Open DHCP Server (Regular) - V1.75
  • Open DHCP Server (LDAP Based) - V0.1Beta

Vendor: Achal Dhir
Fixed version: No response from vendor
Tested versions:

  • Open DHCP Server (Regular) - V1.75
  • Open DHCP Server (LDAP Based) - V0.1Beta

CVE Reference: CVE-2020-26131
CWE Reference: CWE-269

Problem Description

The default installation directory, %SYSTEMDRIVE%\OpenDHCPServer\ (Regular) or %SYSTEMDRIVE%\OpenDHCPLdap\ (LDAP Based), is created directly under the root of the system drive and inherits its permissive default ACL, which grants the "Authenticated Users" group Modify rights on subfolders and files. Any local user can therefore write to the directory. To exploit this, a local attacker replaces OpenDHCPServer.exe or OpenDHCPLdap.exe with a crafted binary of the same name; the next time the service starts, the attacker's code runs in the context of the SYSTEM account. Because the service is configured to start automatically, a reboot (or any other restart of the service) is enough to trigger it, so the attacker does not need the right to restart the service.
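As an added example (not part of the original advisory), the following PowerShell snippet audits every installed service for the condition described above, not only Open DHCP Server: it takes the directory that contains each service binary and reports any Allow ACE that gives Authenticated Users, Users or Everyone write, delete or permission-changing rights. The list of principals and the set of rights treated as dangerous are the author's choices for this example, not something the advisory specifies. It only reads ACLs, so it does not need an elevated shell.

```powershell
# Added example, not from the advisory: list services whose binary directory is
# writable by low-privilege principals (the Open DHCP Server condition, generalised).

# Principals a local, unprivileged user is a member of (assumption for this example).
$weakPrincipals = @('NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone')

# Rights that let a user replace, delete or re-ACL the service binary.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeRights = [int]($fsr::Write -bor $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles `
                     -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership)
# Generic rights bits that some ACEs carry instead of specific rights.
$genericWrite = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL

function Get-ServiceBinaryPath([string]$pathName) {
    # Service PathName is either quoted ("C:\dir\svc.exe" -args) or unquoted (C:\dir\svc.exe -args).
    if ([string]::IsNullOrWhiteSpace($pathName)) { return $null }
    if ($pathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($pathName -split '\s+')[0]
}

function Test-WeakServiceDir {
    param([string]$Directory)
    try { $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop } catch { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($weakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band ($writeRights -bor $genericWrite)) -ne 0) { return $ace }
    }
    return $null
}

Get-CimInstance Win32_Service | ForEach-Object {
    $exe = Get-ServiceBinaryPath $_.PathName
    if (-not $exe) { return }
    $dir = Split-Path -Parent $exe
    $ace = Test-WeakServiceDir -Directory $dir
    if ($ace) {
        [pscustomobject]@{
            Service   = $_.Name
            StartMode = $_.StartMode      # 'Auto' services re-launch the replaced binary on reboot
            RunsAs    = $_.StartName      # 'LocalSystem' means the payload runs as SYSTEM
            Directory = $dir
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
        }
    }
} | Format-Table -AutoSize
```

A hit with StartMode Auto and RunsAs LocalSystem is exactly the situation the advisory describes. Directories that merely allow Users to create new files (the drive-root default on the folder itself) are also reported, since that is enough to plant a DLL next to the service binary even where the binary itself cannot be overwritten.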

Impact

By replacing the service binary, a local attacker can execute arbitrary code as SYSTEM, i.e. a full local privilege escalation.

Workaround

It is advised to change the installation directory to %SYSTEMDRIVE%\Program Files\ or %SYSTEMDRIVE%\Program Files (x86)\ and to reinstall or re-register the service so that its binary path points at the new location. By default, these directories allow "Authenticated Users" only to read and execute their contents, so an unprivileged user can no longer replace the binary.
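An alternative to relocating the install, added here as an example and not part of the advisory or the vendor's documentation, is to keep the directory where it is and tighten its ACL with icacls. The commands assume the Regular build in its default path (change $dir for the LDAP build) and that the service runs as SYSTEM, which keeps full control so it can still write to its own directory; run them from an elevated PowerShell.

```powershell
# Added example, not from the advisory: harden the default install directory in place.
# Assumes the Regular build; use 'OpenDHCPLdap' for the LDAP-based build.
$dir = Join-Path $env:SystemDrive 'OpenDHCPServer'

# Show the ACL before the change; the weak entries are inherited from the drive root.
icacls $dir

# 1. Stop inheriting from the drive root, keeping copies of the current ACEs so they
#    become explicit and can be edited (inherited ACEs cannot be removed directly).
icacls $dir /inheritance:d

# 2. Remove every Allow ACE held by low-privilege principals, recursively.
icacls $dir /remove:g 'NT AUTHORITY\Authenticated Users' 'BUILTIN\Users' 'Everyone' /T

# 3. Re-grant read and execute only, so the service and its config can still be read
#    but nothing under the directory can be written, renamed or deleted by users.
icacls $dir /grant:r 'BUILTIN\Users:(OI)(CI)RX' /T

# 4. Make sure SYSTEM (the service account) and Administrators keep full control.
icacls $dir /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' /T

# Verify: no Modify (M), Write (W) or Full (F) entry should remain for Users/Authenticated Users.
icacls $dir
```

The order matters: /inheritance:d must come first, because /remove:g silently skips ACEs that are still inherited. If the service is configured to run under a dedicated account rather than SYSTEM, grant that account the rights it needs instead of, or in addition to, the SYSTEM entry in step 4.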

Notes

The issue was reported to the vendor, but there was no response.

Disclosure Timeline

2020-07-28: Vulnerability discovered
2020-07-28: Vulnerability reported to vendor via Sourceforge
2020-09-29: CVE reserved
2020-10-26: 90-day disclosure deadline passed
2020-10-28: Published advisory

References

https://sourceforge.net/projects/dhcpserver/

Changes

2020-11-30: Corrected CWE

EOF