dhcpd dhclient-script shell security
@ioerror says: Has anyone written a captive portal aware, privilege separated, uid zero free, security focused dhcp client in a type safe language?
One could write/compile the script in any language, use sudo within or change the perms and/or syscall uid checks for read-writing the tap, 67/68 port binding, ifconfig, route, etc to permit any arbitrary uid, and run it all in a jail. Some capabilities already exist in OS's today. Portal awareness would be a different scope. Tails or OpenBSD might be interested, as would anyone really, in particular if the protocol sends arbitrary data/commands, which the client/script then fails to lint and passes out to exec/params... Also from twitter: http://www.codelabs.ch/adhcp/
grarpamp <grarpamp@gmail.com> wrote:
Tails or OpenBSD might be interested, as would anyone really, in particular if the protocol sends arbitrary data/commands, which the client/script then fails to lint and passes out to exec/params...
Note that OpenBSD's dhclient hasn't supported a client script since late 2012. Even when it did, /bin/sh is ksh by default, so few if any OpenBSD systems would be vulnerable to Shellshock-via-DHCP. I realize this addresses symptoms rather than the meat of the question regarding dhcp clients, but there is some evidence that the OpenBSD folks were already concerned about the attack surface of dhclient. It's not clear to me whether their paranoia extends to rogue DHCP servers on the network, but since that's a pretty obvious attack it may well be the case. Might be worth asking on the relevant OpenBSD list. -=rsw
participants (2)
-
grarpamp -
Riad S. Wahby