OpenBSD Journal

fix dhclient before using

Contributed by ericj on from the fix-dhclient-before-using dept.

Todd T. Fries writes : "This is a response to Ted Lemon's bugtraq post. I don't see it yet, aleph1 must be still asleep, but so that the community knows, here it is:

> Somebody at OpenBSD discovered a possible root exploit in the ISC DHCP client.

Yes, I can confirm that as of 6:23am on June 23rd after several hours of hacking around the sources I had the following dhcpd config running on my own machine's private network for testing:

    shared-network LOCAL-NET {
        option  domain-name "my.`echo hi > /tmp/oops`.domain";
        option  domain-name-servers,;

        subnet netmask {
                option routers;


... and when dhclient finished running I had a nice little present in /tmp/ named 'oops' that contained the string 'hi' ..

You did not miss my post to BugTraq because this is my first post. After conferring with my collegues, we decided the first priority was to get a fix .. then to notify people. I am sorry you had to hear about this 4th hand, we really wanted people to know about it and the fix at the same time.

As it turned out, between scheduled talks, other distractions, and the net heading downstream early in the afternoon .. we were not able to complete a fix and notify people before posting to bugtraq while in San Diego.

While developed independently, we believe your fix will also work.

We have now had time to complete the patch, which is in the cvs tree, and we have made source patches available for releases of OpenBSD 2.5 - 2.7.

Please visit for links to the patches for OpenBSD.

(Comments are closed)

  1. By jcs () on

    012: SECURITY FIX: June 24, 2000
    "A serious bug in dhclient(8) could allow strings from a malicious dhcp server to be executed in the shell as root." A malicious dhcp server? Isn't that like a malicious time server? or a malicious bootp server? I think if you have malicious servers on your network that provide key services to other machines, you have bigger problems on your hands. No?


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]