dhcpd dhclient-script shell security

Riad S. Wahby rsw at jfet.org
Mon Oct 6 13:14:38 PDT 2014


grarpamp <grarpamp at gmail.com> wrote:
> Tails or OpenBSD might be interested, as would anyone really, in
> particular if the protocol sends arbitrary data/commands, which the
> client/script then fails to lint and passes out to exec/params...

Note that OpenBSD's dhclient hasn't supported a client script since
late 2012. Even when it did, /bin/sh is ksh by default, so few if any
OpenBSD systems would be vulnerable to Shellshock-via-DHCP.

I realize this addresses symptoms rather than the meat of the question
regarding dhcp clients, but there is some evidence that the OpenBSD
folks were already concerned about the attack surface of dhclient.
It's not clear to me whether their paranoia extends to rogue DHCP
servers on the network, but since that's a pretty obvious attack it
may well be the case. Might be worth asking on the relevant OpenBSD
list.

-=rsw
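
[Added example, not part of the original message or of any shipped dhclient-script: a POSIX sh allowlist check of the kind the quoted text says is missing, applied to server-supplied values before a client script uses them. The new_* variable names follow the ISC dhclient-script convention and are an assumption here; the sample values are constructed.]

```sh
#!/bin/sh
# Allowlist validation for DHCP-supplied strings (added example).
LC_ALL=C; export LC_ALL   # make A-Z / a-z ranges mean ASCII only

# Dotted-quad IPv4: exactly four decimal octets, each 0..255.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    rest=$1. count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# Host or domain name: letters, digits, '-' and '.', no empty labels,
# no label starting or ending with '-'.
is_hostname() {
    [ "${#1}" -le 253 ] || return 1
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*..*|-*|*-|*.-*|*-.*) return 1 ;;
    esac
    return 0
}

# Dispatch on the variable name; anything not explicitly known is rejected.
lint_option() {
    name=$1 value=$2
    case "$name" in
        new_ip_address|new_routers|new_domain_name_servers)
            list="$value "              # space-separated list, no word splitting
            while [ -n "$list" ]; do
                is_ipv4 "${list%% *}" || return 1
                list=${list#* }
            done ;;
        new_host_name|new_domain_name) is_hostname "$value" ;;
        *) return 1 ;;
    esac
}

# Constructed sample values, as a script might find them in its environment.
for pair in 'new_ip_address=192.0.2.10' 'new_routers=192.0.2.1 192.0.2.2' \
            'new_host_name=client7' 'new_host_name=() { x' \
            'new_domain_name=example.net;id'; do
    if lint_option "${pair%%=*}" "${pair#*=}"; then verdict=accept; else verdict=reject; fi
    echo "$verdict ${pair%%=*}"
done
```

A value that fails the check should be dropped rather than repaired, and it should never reach eval, an unquoted expansion, or the environment of a child shell.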


