CVE-1999-0798

Severity: HIGH (10.0 / 10.0)
Published: December 4, 1998 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

Buffer overflow in bootpd on OpenBSD, FreeBSD, and Linux systems via a malformed header type.

CVSS Metrics

Base Score: 10.0
Severity: HIGH
Vector String: AV:N/AC:L/Au:N/C:C/I:C/A:C

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

A critical buffer-overflow vulnerability exists in bootpd on several operating systems, allowing remote code execution. Successful exploitation gives an attacker complete control of the affected system, potentially leading to data breaches and full system compromise.

02 // Vulnerability Mechanism

Step 1: Target Identification: The attacker identifies systems running bootpd on vulnerable operating systems (OpenBSD, FreeBSD, Linux).

Step 2: Crafted Packet Creation: The attacker crafts a malicious DHCP/BOOTP request with a malformed header type. This header is designed to be larger than the buffer allocated to store it.

Step 3: Packet Transmission: The attacker sends the crafted DHCP/BOOTP request to the target system's bootpd service, typically on UDP port 67 or 68.

Step 4: Buffer Overflow Trigger: The bootpd service receives and attempts to process the malicious request. Due to the lack of bounds checking, the oversized header data overflows the allocated buffer.

Step 5: Code Execution: The overflow overwrites critical memory areas, such as the return address on the stack. The attacker's crafted payload, often shellcode, is then executed when the function returns, granting the attacker control of the system.

03 // Deep Technical Analysis

The vulnerability stems from a buffer overflow in the bootpd service when handling a malformed header type in a DHCP/BOOTP request. The service fails to properly validate the size of the incoming data, allowing an attacker to send a crafted packet with an oversized header. This overwrites adjacent memory regions, including potentially the stack, enabling the attacker to overwrite the return address of a function and redirect execution to arbitrary code, leading to remote code execution. The root cause is a lack of bounds checking on the size of the incoming header data before it is copied into a fixed-size buffer. Specifically, the code likely uses functions like strcpy or memcpy without verifying the size of the source data against the buffer's capacity.
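As an added illustration (not code from this page or from any bootpd implementation), the following C function parses a BOOTP header at its fixed RFC 951 offsets and checks the client-supplied hlen field against the destination buffer before copying, which is the bounds check whose absence the analysis above describes. Which header field the original bug involved is not stated on the page, so the choice of the hardware-address field here is an assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Offsets into the fixed-layout BOOTP header (RFC 951). */
#define BOOTP_OFF_HTYPE   1
#define BOOTP_OFF_HLEN    2
#define BOOTP_OFF_CHADDR  28
#define BOOTP_CHADDR_LEN  16
#define BOOTP_MIN_HDR     (BOOTP_OFF_CHADDR + BOOTP_CHADDR_LEN)   /* 44 bytes */

/* Extract the client hardware address into a fixed 16-byte buffer.
 * The copy length comes from the packet's hlen field, so it must be checked
 * against the destination size before memcpy; skipping that check is the
 * defect class the analysis above describes (assumed field, see lead-in).
 * Returns bytes copied, or -1 if the packet is truncated or hlen is malformed. */
int bootp_copy_chaddr(const uint8_t *pkt, size_t pkt_len, uint8_t out[BOOTP_CHADDR_LEN])
{
    if (pkt == NULL || out == NULL || pkt_len < BOOTP_MIN_HDR)
        return -1;                                  /* truncated header */
    uint8_t hlen = pkt[BOOTP_OFF_HLEN];
    if (hlen == 0 || hlen > BOOTP_CHADDR_LEN)
        return -1;                                  /* client-supplied length exceeds buffer */
    memcpy(out, pkt + BOOTP_OFF_CHADDR, hlen);
    return (int)hlen;
}

/* Build a constructed (not captured) 300-byte BOOTREQUEST with a given
 * htype/hlen so the check can be exercised offline. Returns bytes written. */
size_t make_bootp_request(uint8_t *buf, size_t buf_len, uint8_t htype, uint8_t hlen)
{
    if (buf == NULL || buf_len < 300)
        return 0;
    memset(buf, 0, 300);
    buf[0] = 1;                                     /* op = BOOTREQUEST */
    buf[BOOTP_OFF_HTYPE] = htype;
    buf[BOOTP_OFF_HLEN] = hlen;
    for (int i = 0; i < BOOTP_CHADDR_LEN; i++)
        buf[BOOTP_OFF_CHADDR + i] = (uint8_t)(0xA0 + i);   /* recognisable filler */
    return 300;
}
```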
