On Wed, Apr 06, 2011 at 02:01:58PM -0400, Ryan Sears wrote: > Hey guys, > > It was recently discovered (NOT by myself) that the ISC dhclient was > vulnerable to certain shell metacharacters in the hostname parameter > specified by *any* DHCP server, causing it to potentially run arbitrary > commands as root. I haven't seen anything else on it here, so I figured I'd > make everyone aware. > > There's only one real phrase that comes to mind => WTF? > > https://www.isc.org/software/dhcp/advisories/cve-2011-0997 > > http://www.h-online.com/security/news/item/DHCP-client-allows-shell-command-injection-1222805.html
By itself it is not a DHCP client issue, just the fact the DHCP clients let DHCP daemon controlled hostnames through without filtering could in turn make other programs, like e.g. X.Org, execute code when evaluating the hostname unquoted. X.Org was also fixed yesterday: http://lwn.net/Articles/437018/ (It passed -Dsomething=$hostname unquoted to a xrdb call via system()) (discovered by Sebastian Krahmer of SUSE Security.) Ciao, Marcus _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
