DHCP Is Hard

Dive into the complexities of DHCP security in this 48-minute conference talk from Hack In The Box Security Conference. Explore critical vulnerabilities in popular DHCP implementations, including dnsmasq (CVE-2017-14493) and ISC DHCP (CVE-2018-5733). Examine the architecture of ISC DHCP and systemd networkd, uncovering potential security flaws. Learn about refcount overflow, infoleak vulnerabilities, and heap overflow techniques leading to arbitrary write. Discover how to exploit these vulnerabilities through client-server interactions and tcache poisoning. Gain insights into the challenges of DHCP security and understand the implications for network infrastructure.

Intro
dnsmasq - CVE-2017-14493
ISC DHCP - CVE-2018-5733
Refcount Overflow
ISC DHCP - Architecture
ISC DHCP - Real Architecture
Systemd networkd (CVE-2018-15688)
Infoleak-client_parse_message
Triggering the Infoleak: server - client
Triggering the Infoleak: client - server
Leaking a glibc pointer
Heap Overflow to Arbitrary Write
tcache Poisoning
Putting it all together
Conclusion