Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== ESB-2000.169 -- NetBSD Security Advisory 2000-008 dhclient vulnerability 14 July 2000 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: dhclient Vendor: NetBSD Operating System: NetBSD Platform: N/A Impact: Root Compromise Execute Arbitrary Code/Commands Access Required: Remote - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2000-008 ================================= Topic: dhclient vulnerability Version: all. Severity: possible remote root access from rogue dhcp server. Abstract ======== The DHCP client program, dhclient(8), did not correctly handle DHCP options it receives in DHCP response messages, possibly permitting a rogue dhcp server to send maliciously formed options which resulted in a remote root compromise. Technical Details ================= dhclient uses a shell script, /etc/dhclient-script, to make changes to system configurations based on configuration information received from a DHCP server. Unfortunately, dhcp options values were passed from dhclient to the script without sufficient quoting. Maliciously formed messages could therefore exploit shell features to trick the script into executing arbitrary shell commands. Since dhclient-script needs to run as root to reconfigure system interfaces, these arbitrary commands would also be executed as root. Solutions and Workarounds ========================= Systems running NetBSD-1.4.2 and prior may be vulnerable. Systems running NetBSD-current from before 20000625 or NetBSD-release from before 20000629 may be vulnerable. If your system does not and will never run the "/sbin/dhclient" daemon to dynamically obtain an IP address, your system is not vulnerable to this problem. The command: % ps auxww | grep dhclient will show if dhclient is running on a system. Systems running versions of NetBSD prior to 1.4 should be upgraded to NetBSD 1.4.2 or a newer release. If you are running any NetBSD 1.4.x release, you should download the patch listed below, and apply it to src/usr.sbin/dhcp/client/options.c using the patch(1) command. If you are running NetBSD-current or NetBSD-release, you should update your source tree (with either sup or anonymous CVS). In both cases you should then rebuild and reinstall DHCP: % cd src/usr.sbin/dhcp % make all # make install You should then kill off and restart any existing dhclient processes. Patch for all releases of 1.4.x: ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000708-dhclient Thanks To ========= Todd Fries and others of OpenBSD (for discovery of the problem), Jun-ichiro Hagino <itojun@netbsd.org>, and Ted Lemon of ISC. Revision History ================ 2000/06/28 - Initial version. 2000/07/08 - Released More Information ================ Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2000, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2000-008.txt,v 1.2 2000/07/08 21:03:10 sommerfeld Exp $ - -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQCVAwUBOWnDdj5Ru2/4N2IFAQHYlwQAm7N9Y0O7pu2QGafrXr684kWwht5srQVk HY8HXNp4H10bhR+Oh6G1u9dEObRAa1tKa2kRe2WJdBF40eoDVmwuU8wBTa6CUN4r NDaN2Pc55TBfnqdVGUIbPahbuq8NebKfySxsH/5qYlY1vfPTm8bcKGxHjsWAWtGJ k7OealYiUvs= =KghD - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/Information/advisories.html If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBOXXUAyh9+71yA2DNAQEyOwP/S5k5jYiZza3XTTpC6+/9GbTmTdcGJ8WJ +n1d5+nZTZER6DpAkX1cms0TJxhcHfEQkgcLXi/ZcvS29vQDXgc7F7ztSjX3h3aT NoJRrPAt6rMxQftdx0V6Nsc4NmCvTemtnqRXWnCus13XTYaTjnn6Uru/nXTOHW3d d7gK1ldg2cA= =+sII -----END PGP SIGNATURE-----