Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: ISC DHCP client and unsolicited DHCP options
From: Helmut Grohne <helmut () subdivi de>
Date: Sun, 28 Jul 2013 15:30:27 +0200

On Wed, Jul 17, 2013 at 10:35:52PM -0600, Kurt Seifried wrote:
Do any DHCP clients process and use options passed to them that are
not explicitly wanted? Might be worth setting up a DHCP server that
hands out every possible options (there's a lot) and see what happens
on various clients.

At least on Debian, the default configuration requests the host-name option.
The dhclient-script then evaluates this option and thereby enables a DHCP
server to change the hostname if the current hostname is "(none)", "localhost"
or a previously sent hostname. Changing the hostname can have undesired
consequences such as breaking a running X11 session (can be considered remote
denial of service).

That is why a number of people (including me) remove host-name from the
requested options. Now given the new findings, a DHCP server can still change
the hostname of a connecting client by first sending an unsolicited host-name
option with the current hostname and then changing the hostname in a RENEW.
Guessing the current hostname should be easy in the presence of avahi or
similar services.

Since the bug breaks the assumption, that removing an option from the
request list causes it not to be processed, and this can result in the
xserver rejecting new connections, I think the issue should receive a
CVE identifier.

Quoting the relevant dhclient-script part:
| if [ -n "$new_host_name" ]; then
|     current_hostname=$(hostname)
| 
|     # current host name is empty, '(none)' or 'localhost' or differs from new one from DHCP
|     if [ -z "$current_hostname" ] ||
|        [ "$current_hostname" = '(none)' ] ||
|        [ "$current_hostname" = 'localhost' ] ||
|        [ "$current_hostname" = "$old_host_name" ]; then
|        if [ "$new_host_name" != "$old_host_name" ]; then
|            hostname "$new_host_name"
|        fi
|     fi
| fi

Helmut


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault