Operating System:

[NetBSD]

Published:

13 July 2000

Protect yourself against future threats.

//Service

Member Security Incident Notifications

Be proactive with your security and receive our daily Member Security Incident Notifications (MSINs) custom to your network.

Read more
Resources > Security Bulletins > ESB-2000.169 

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================

              ESB-2000.169 -- NetBSD Security Advisory 2000-008
                           dhclient vulnerability
                                14 July 2000

===========================================================================

	AusCERT Security Bulletin Summary
	---------------------------------

Product:		dhclient
Vendor:			NetBSD
Operating System:	NetBSD

Platform:		N/A

Impact:			Root Compromise
			Execute Arbitrary Code/Commands

Access Required:	Remote 

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----


                 NetBSD Security Advisory 2000-008
                 =================================

Topic:		dhclient vulnerability
Version:	all.
Severity:	possible remote root access from rogue dhcp server.


Abstract
========

The DHCP client program, dhclient(8), did not correctly handle DHCP
options it receives in DHCP response messages, possibly permitting a
rogue dhcp server to send maliciously formed options which resulted in
a remote root compromise.

Technical Details
=================

dhclient uses a shell script, /etc/dhclient-script, to make changes to
system configurations based on configuration information received from
a DHCP server.  Unfortunately, dhcp options values were passed from
dhclient to the script without sufficient quoting.

Maliciously formed messages could therefore exploit shell features to
trick the script into executing arbitrary shell commands.  Since
dhclient-script needs to run as root to reconfigure system interfaces,
these arbitrary commands would also be executed as root.


Solutions and Workarounds
=========================

Systems running NetBSD-1.4.2 and prior may be vulnerable.  Systems
running NetBSD-current from before 20000625 or NetBSD-release from
before 20000629 may be vulnerable.

If your system does not and will never run the "/sbin/dhclient" daemon
to dynamically obtain an IP address, your system is not vulnerable to
this problem.  

The command:

	% ps auxww | grep dhclient

will show if dhclient is running on a system.

Systems running versions of NetBSD prior to 1.4 should be upgraded to
NetBSD 1.4.2 or a newer release.

If you are running any NetBSD 1.4.x release, you should download the
patch listed below, and apply it to src/usr.sbin/dhcp/client/options.c
using the patch(1) command.  If you are running NetBSD-current or
NetBSD-release, you should update your source tree (with either sup or
anonymous CVS).

In both cases you should then rebuild and reinstall DHCP:

	% cd src/usr.sbin/dhcp
	% make all
	# make install

You should then kill off and restart any existing dhclient processes.

Patch for all releases of 1.4.x:

    ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000708-dhclient

Thanks To
=========

Todd Fries and others of OpenBSD (for discovery of the problem),
Jun-ichiro Hagino <itojun@netbsd.org>, and Ted Lemon of ISC.

Revision History
================

	2000/06/28 - Initial version.
	2000/07/08 - Released

More Information
================

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2000, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2000-008.txt,v 1.2 2000/07/08 21:03:10 sommerfeld Exp $

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBOWnDdj5Ru2/4N2IFAQHYlwQAm7N9Y0O7pu2QGafrXr684kWwht5srQVk
HY8HXNp4H10bhR+Oh6G1u9dEObRAa1tKa2kRe2WJdBF40eoDVmwuU8wBTa6CUN4r
NDaN2Pc55TBfnqdVGUIbPahbuq8NebKfySxsH/5qYlY1vfPTm8bcKGxHjsWAWtGJ
k7OealYiUvs=
=KghD
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOXXUAyh9+71yA2DNAQEyOwP/S5k5jYiZza3XTTpC6+/9GbTmTdcGJ8WJ
+n1d5+nZTZER6DpAkX1cms0TJxhcHfEQkgcLXi/ZcvS29vQDXgc7F7ztSjX3h3aT
NoJRrPAt6rMxQftdx0V6Nsc4NmCvTemtnqRXWnCus13XTYaTjnn6Uru/nXTOHW3d
d7gK1ldg2cA=
=+sII
-----END PGP SIGNATURE-----