Re: ISC DHCP Client [3.0.x to 4.2.x] Arbitrary Command Execution (CVE-2011-0997)

[Marcus Meissner <meissner () suse de>]

On Wed, Apr 06, 2011 at 02:01:58PM -0400, Ryan Sears wrote:
> Hey guys,
>
> It was recently discovered (NOT by myself) that the ISC dhclient was vulnerable to certain shell metacharacters in 
> the hostname parameter specified by *any* DHCP server, causing it to potentially run arbitrary commands as root. I 
> haven't seen anything else on it here, so I figured I'd make everyone aware. 
>
> There's only one real phrase that comes to mind => WTF?
>
> https://www.isc.org/software/dhcp/advisories/cve-2011-0997
>
> http://www.h-online.com/security/news/item/DHCP-client-allows-shell-command-injection-1222805.html

By itself it is not a DHCP client issue, just the fact the DHCP clients
let DHCP daemon controlled hostnames through without filtering could in turn
make other programs, like e.g. X.Org, execute code when evaluating the hostname unquoted.

X.Org was also fixed yesterday: http://lwn.net/Articles/437018/
(It passed -Dsomething=$hostname unquoted to a xrdb call via system())

(discovered by Sebastian Krahmer of SUSE Security.)

Ciao, Marcus

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/