OpenBSD Journal

fix dhclient before using

Contributed by ericj on from the fix-dhclient-before-using dept.

Todd T. Fries writes: "This is a response to Ted Lemon's bugtraq post. I don't see it yet, aleph1 must be still asleep, but so that the community knows, here it is:


> Somebody at OpenBSD discovered a possible root exploit in the ISC DHCP client.

Yes, I can confirm that as of 6:23am on June 23rd after several hours of hacking around the sources I had the following dhcpd config running on my own machine's private network for testing:

    shared-network LOCAL-NET {
        option  domain-name "my.`echo hi > /tmp/oops`.domain";
        option  domain-name-servers 192.168.1.3, 192.168.1.5;

        subnet 192.168.1.0 netmask 255.255.255.0 {
                option routers 192.168.1.1;

                range 192.168.1.32 192.168.1.127;
        }
    }

... and when dhclient finished running I had a nice little present in /tmp/ named 'oops' that contained the string 'hi' ..

You did not miss my post to BugTraq because this is my first post. After conferring with my colleagues, we decided the first priority was to get a fix .. then to notify people. I am sorry you had to hear about this 4th hand, we really wanted people to know about it and the fix at the same time.

As it turned out, between scheduled talks, other distractions, and the net heading downstream early in the afternoon .. we were not able to complete a fix and notify people before posting to bugtraq while in San Diego.

While developed independently, we believe your fix will also work.

We have now had time to complete the patch, which is in the cvs tree, and we have made source patches available for releases of OpenBSD 2.5 - 2.7.

Please visit http://www.openbsd.org/errata.hml#dhclient for links to the patches for OpenBSD.
"
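An added example, not part of the original post and not the OpenBSD or ISC patch: one way a DHCP client could refuse a server-supplied domain-name value like the one in the test config above before it is handed to a shell. The names `domain_name_ok` and `is_ldh` and the sample strings are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Letters, digits and hyphen: the only bytes allowed inside a DNS label here. */
static int is_ldh(char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-';
}

/*
 * Hypothetical helper (not dhclient code): return 1 if a server-supplied
 * domain name is plain enough to pass on, 0 if it must be dropped.
 */
int domain_name_ok(const char *s)
{
    size_t label = 0;
    char prev = '.';                /* start of string acts as a label boundary */

    if (s == NULL || s[0] == '\0' || strlen(s) > 253)
        return 0;
    for (; *s != '\0'; s++) {
        if (*s == '.') {
            if (prev == '.' || prev == '-')
                return 0;           /* empty label, or label ending in '-' */
            label = 0;
        } else if (is_ldh(*s)) {
            if ((*s == '-' && prev == '.') || ++label > 63)
                return 0;           /* label starting with '-', or too long */
        } else {
            return 0;               /* backtick, $, ;, space, quotes, control bytes */
        }
        prev = *s;
    }
    return prev != '-';             /* one trailing dot is accepted */
}

int main(void)
{
    /* Constructed samples; the second is the domain-name from the config above. */
    const char *samples[] = { "example.com", "my.`echo hi > /tmp/oops`.domain",
                              "a..b", "-lab.example", "corp.example." };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-34s %s\n", samples[i],
               domain_name_ok(samples[i]) ? "accept" : "reject");
    return 0;
}
```

An allow-list like this rejects the whole value rather than trying to escape it, so any other server-supplied string that reaches a script needs its own check.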



Comments
  1. By jcs () on

    012: SECURITY FIX: June 24, 2000
    "A serious bug in dhclient(8) could allow strings from a malicious dhcp server to be executed in the shell as root." A malicious dhcp server? Isn't that like a malicious time server? or a malicious bootp server? I think if you have malicious servers on your network that provide key services to other machines, you have bigger problems on your hands. No?
