tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

NetBSD Security Advisory 2011-005: ISC dhclient hostname field shell metacharacter injection

Hash: SHA1

                 NetBSD Security Advisory 2011-005

Topic:          ISC dhclient does not strip shell meta-characters in
                environment variables passed to scripts.

Version:        NetBSD-current:         affected
                NetBSD 5.1:             affected
                NetBSD 5.0:             affected
                NetBSD 4.0.*:           affected
                NetBSD 4.0:             affected
                pkgsrc:                 isc-dhclient4 package prior to

Severity:       Arbitrary Script Execution

Fixed:          NetBSD-current:         April 6th, 2011
                NetBSD-5-0 branch:      April 7th, 2011
                NetBSD-5 branch:        April 7th, 2011
                NetBSD-4-0 branch:      April 7th, 2011
                NetBSD-4 branch:        April 7th, 2011
                pkgsrc 2011Q1:          April 11th, 2011


dhclient doesn't strip or escape certain shell meta-characters in
dhcpd responses, allowing a rogue server or party with with escalated
privileges on the server to cause remote code execution on the client. 

This vulnerability has been assigned CVE-2011-0997 and CERT
Vulnerability Note VU#107886.

Technical Details

ISC dhclient did not strip or escape certain shell meta-characters
in responses from the dhcp server (like hostname) before passing
the responses on to dhclient-script. This may result in execution
of exploit code on the client. 

For more details, please see CVE-2011-0997.

Solutions and Workarounds

dhclient(1) exports many variables to the environment, some of
which are strings provided by the dhcp server and were not being sanity
checked for shell metacharacters. Although in the current implementation
of /sbin/dhclient-script "eval" is only used in ifconfig(8) commands
with arguments from the environment that cannot be set to strings
by the dhcp server ($interface, $medium are set by the client;
$new_ip_address, $new_netmask_arg, $new_broadcast_arg, $alias_ip_address,
$old_ip_address are IP addresses), one should either patch dhclient
to sanitize all variables or add the following line to
/sbin/dhclient-script at the beginning of the set_hostname()

new_host_name="$(echo "${new_host_name}" | sed -e 's/[^a-zA-Z0-9-]*//g')"

The reason to do this, is that unless the hostname is sanitized,
a hostname with shell metacharacters can be set on the system, and
other scripts might break that use the compromised hostname.

In environments where filters/acls can be put into place to limit
clients to accessing only legitimate dhcp servers, this will protect
clients from rogue dhcp servers deliberately trying to exploit this
bug. However, this will not protect from compromised servers.

Further workarounds: disable dhclient(8) from the base OS and use
the fixed isc-dhclient4 package from pkgsrc.

The following instructions describe how to upgrade your dhclient
binaries by updating your source tree and rebuilding and
installing a new version of dhclient.

  CVS branch    file                                    revision
  ------------- ----------------                        --------
  HEAD          src/dist/dhcp/client/dhclient.c         1.21
  netbsd-5-0    src/dist/dhcp/client/dhclient.c
  netbsd-5-1    src/dist/dhcp/client/dhclient.c
  netbsd-5      src/dist/dhcp/client/dhclient.c
  netbsd-4-0    src/dist/dhcp/client/dhclient.c
  netbsd-4      src/dist/dhcp/client/dhclient.c

The following instructions briefly summarize how to update and
recompile dhclient. In these instructions, replace:

  VERSION  with the fixed version from the appropriate CVS branch
           (from the above table)
  FILE     with the name of the file from the above table

To update from CVS, re-build, and re-install dhclient:
        # cd src
        # cvs update -d -P -r VERSION FILE
        # cd usr.sbin/dhcp
        # make USETOOLS=no cleandir dependall
        # cd client
        # make USETOOLS=no install

Thanks To

Sebastian Krahmer and Marius Tomaschewski, SuSE Security Team, for
discovering and reporting the software flaw.

Revision History

        2011-04-26      Initial release

More Information

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

Information about NetBSD and NetBSD security can be found at and

Copyright 2011, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2011-005.txt,v 1.2 2011/04/26 16:56:52 tonnerre Exp $
Version: GnuPG v1.4.11 (NetBSD)


Home | Main Index | Thread Index | Old Index