Home page logo

oss-sec logo oss-sec mailing list archives

Re: ISC DHCP client and unsolicited DHCP options
From: Tomas Hoger <thoger () redhat com>
Date: Tue, 13 Aug 2013 23:08:54 +0200

On Sun, 28 Jul 2013 15:30:27 +0200 Helmut Grohne wrote:

At least on Debian, the default configuration requests the host-name
option. The dhclient-script then evaluates this option and thereby
enables a DHCP server to change the hostname if the current hostname
is "(none)", "localhost" or a previously sent hostname. Changing the
hostname can have undesired consequences such as breaking a running
X11 session (can be considered remote denial of service).

That is why a number of people (including me) remove host-name from
the requested options. Now given the new findings, a DHCP server can
still change the hostname of a connecting client by first sending an
unsolicited host-name option with the current hostname and then
changing the hostname in a RENEW. Guessing the current hostname
should be easy in the presence of avahi or similar services.

The dhclient-script in dhcp packages in recent Fedora and Red Hat
Enterprise Linux versions allow administrator to define hook scripts
which are sourced by the dhclient-script.  Those hooks can unset
environment variables set by dhclient before they are processed by the
dhclient-script.  Not sure if other distros may want to add similar


But as mentioned before, NetworkManager does its own processing and
does not use the standard dhclient-script.

Tomas Hoger / Red Hat Security Response Team

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]