grarpamp <grarpamp@gmail.com> wrote:
> Tails or OpenBSD might be interested, as would anyone really, in particular if the protocol sends arbitrary data/commands, which the client/script then fails to lint and passes out to exec/params...

Note that OpenBSD's dhclient hasn't supported a client script since late 2012. Even when it did, /bin/sh is ksh by default, so few if any OpenBSD systems would be vulnerable to Shellshock-via-DHCP.

I realize this addresses symptoms rather than the meat of the question regarding DHCP clients, but there is some evidence that the OpenBSD folks were already concerned about the attack surface of dhclient. It's not clear to me whether their paranoia extends to rogue DHCP servers on the network, but since that's a pretty obvious attack it may well be the case. Might be worth asking on the relevant OpenBSD list.

-=rsw
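
The quoted concern above is a client script that does not lint server-supplied values before handing them to exec or the environment. The following is an added example, not part of the thread and not code from any DHCP client: a POSIX sh allow-list check a hook script could apply first. The function names, the `name=value` input format and the 255-byte limit are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: allow-list lint for DHCP option values before a client
# hook script exports them or passes them on as arguments.
# Function names and the name=value input format are hypothetical.

# Force byte-wise matching so [A-Za-z] means ASCII letters only.
LC_ALL=C
export LC_ALL

# Return 0 only if the value looks like a hostname, domain or IP address.
dhcp_value_is_safe() {
    value=$1
    [ -n "$value" ] || return 1            # empty values are not useful
    [ "${#value}" -le 255 ] || return 1    # assumed upper bound on length
    case $value in
        *[!A-Za-z0-9._:-]*) return 1 ;;    # any byte outside the allow-list
        -*) return 1 ;;                    # would be parsed as a flag downstream
    esac
    return 0
}

# Read name=value lines on stdin, print the accepted ones on stdout and
# report rejected option names on stderr (the raw value is not echoed).
filter_dhcp_options() {
    while IFS= read -r line; do
        name=${line%%=*}
        value=${line#*=}
        if dhcp_value_is_safe "$value"; then
            printf '%s=%s\n' "$name" "$value"
        else
            printf 'rejected DHCP option: %s\n' "$name" >&2
        fi
    done
}
```

An allow-list rejects any value containing spaces, quotes, parentheses, braces or semicolons, so the check does not depend on which shell /bin/sh happens to be.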