dhcpd dhclient-script shell security
grarpamp <[email protected]> wrote:
> Tails or OpenBSD might be interested, as would anyone really, in
> particular if the protocol sends arbitrary data/commands, which the
> client/script then fails to lint and passes out to exec/params...
Note that OpenBSD's dhclient hasn't supported a client script since
late 2012. Even when it did, /bin/sh is ksh by default, so few if any
OpenBSD systems would be vulnerable to Shellshock-via-DHCP.
I realize this addresses symptoms rather than the meat of the question
regarding dhcp clients, but there is some evidence that the OpenBSD
folks were already concerned about the attack surface of dhclient.
It's not clear to me whether their paranoia extends to rogue DHCP
servers on the network, but since that's a pretty obvious attack it
may well be the case. Might be worth asking on the relevant OpenBSD
list.
-=rsw
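
The linting that the quoted message asks about, as an added example that is not part of the original thread or of any DHCP client's own code: a POSIX sh whitelist check applied to server-supplied values before a client script uses them. The `new_host_name` variable name follows the ISC dhclient-script convention (an assumption about the client in use), the function names are hypothetical, and all sample values are constructed.

```shell
# Added example: lint DHCP-supplied values before a client script uses them.
# The new_* variable name follows ISC dhclient-script's convention (assumed
# client); function names are hypothetical, sample values are constructed.
LC_ALL=C; export LC_ALL   # make the bracket ranges below byte-exact

# 0 if $1 looks like a DNS name (letters, digits, hyphen, dot only), else 1.
is_safe_dns_name() {
    [ -n "$1" ] && [ "${#1}" -le 253 ] || return 1
    case $1 in
        *[!A-Za-z0-9.-]*) return 1 ;;          # space, quote, ; $ ( { and so on
        -*|*-|.*|*..*|*.-*|*-.*) return 1 ;;   # malformed labels
    esac
    return 0
}

# 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255, else 1.
is_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the valid addresses from a space-separated list, dropping the rest.
filter_ipv4_list() {
    out=
    set -f                   # no pathname expansion on hostile input
    for addr in $1; do
        is_ipv4 "$addr" && out="${out:+$out }$addr"
    done
    set +f
    printf '%s\n' "$out"
}

# Constructed lease values: one benign, two carrying shell metacharacters.
for new_host_name in 'laptop-7.example.net' 'host;echo injected' '$(echo injected)'; do
    if is_safe_dns_name "$new_host_name"; then
        echo "accept host_name"
    else
        echo "reject host_name"
    fi
done
```

A check like this only governs how the script itself uses the values. In the Shellshock case bash parses the environment at startup, before any line of the script runs, so the equivalent check has to sit in the client before it exports the variables.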