Windows DHCP Client Service Remote Buffer Overflow

August 29, 2006

CybSec has identified a remote buffer overflow vulnerability in Microsoft Windows DHCP-Client Service. The vulnerability specifically exists in the way the dhcpcsvc.dll system library processes DHCP messages.

To extend the limit of 255 bytes defined by the length octet of the DHCP Option Field, Microsoft uses the private Option Code 0xFA (250), allowing the use of larger option values.

In the packet previously described, a NetBIOS over TCP/IP Scope option is being used, consisting of 264 bytes (including the NULL), effectively extending the limit of 255 bytes per Option.
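The 255-byte ceiling of the length octet stops being a safe buffer bound once continuation fragments are accepted. The sketch below is an added example, not code from the advisory or from Microsoft: a bounds-checked options walker that reassembles such a value. It assumes 0xFA fragments directly follow the option they extend and are appended to it (the page does not give the exact layout); the function names and the 255 + 9 byte split of the sample are constructed.

```c
#include <stdio.h>
#include <string.h>

#define OPT_PAD   0x00
#define OPT_END   0xFF
#define OPT_CONT  0xFA  /* private Option Code 250 named on the page */
#define OPT_SCOPE 47    /* NetBIOS over TCP/IP Scope (RFC 2132) */

/* Copy option `code` plus any directly following 0xFA fragments into out.
 * Returns the reassembled length, or -1 if the option is missing, the
 * input is truncated, or the value does not fit in `cap` bytes. */
long reassemble_option(const unsigned char *opts, size_t n, unsigned char code,
                       unsigned char *out, size_t cap)
{
    size_t i = 0, total = 0;
    int collecting = 0;
    while (i < n && opts[i] != OPT_END) {
        if (opts[i] == OPT_PAD) { i++; continue; }
        if (n - i < 2) return -1;            /* no length octet present */
        size_t len = opts[i + 1];
        if (len > n - i - 2) return -1;      /* value runs past the input */
        int wanted = collecting ? (opts[i] == OPT_CONT) : (opts[i] == code);
        if (!wanted) {
            if (collecting) break;           /* another option ends the run */
            i += 2 + len;
            continue;
        }
        collecting = 1;
        if (len > cap - total) return -1;    /* check the running total, not each fragment */
        memcpy(out + total, opts + i + 2, len);
        total += len;
        i += 2 + len;
    }
    return collecting ? (long)total : -1;
}

/* Constructed sample: a 264-byte scope value (NULL included) sent as
 * option 47 with 255 bytes followed by a 0xFA fragment with 9 bytes. */
long demo(size_t cap)
{
    unsigned char opts[2 + 255 + 2 + 9 + 1], out[512];
    size_t p = 0;
    opts[p++] = OPT_SCOPE; opts[p++] = 255;
    memset(opts + p, 'x', 255); p += 255;
    opts[p++] = OPT_CONT; opts[p++] = 9;
    memset(opts + p, 'x', 8); p += 8; opts[p++] = 0;
    opts[p++] = OPT_END;
    if (cap > sizeof out) return -1;
    return reassemble_option(opts, p, OPT_SCOPE, out, cap);
}

int main(void) { printf("%ld %ld\n", demo(512), demo(255)); return 0; }
```

A destination sized for the single-option maximum of 255 bytes is rejected here, because the capacity check is made against the accumulated length rather than each fragment's own length octet.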

Read the Advisory
