-----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2000-008 ================================= Topic: dhclient vulnerability Version: All releases before 2000/07/10 Severity: possible remote root access from rogue dhcp server. Abstract ======== The DHCP client program, dhclient(8), did not correctly handle DHCP options it receives in DHCP response messages, possibly permitting a rogue dhcp server to send maliciously formed options which resulted in a remote root compromise. Technical Details ================= dhclient uses a shell script, /etc/dhclient-script, to make changes to system configurations based on configuration information received from a DHCP server. Unfortunately, dhcp options values were passed from dhclient to the script without sufficient quoting. Maliciously formed messages could therefore exploit shell features to trick the script into executing arbitrary shell commands. Since dhclient-script needs to run as root to reconfigure system interfaces, these arbitrary commands would also be executed as root. Solutions and Workarounds ========================= Systems running formal releases of NetBSD-1.4.2 and prior may be vulnerable. Systems running versions of NetBSD prior to 1.4 should be upgraded to NetBSD 1.4.2 before applying the fixes described here. If your system does not and will never run the "/sbin/dhclient" daemon to dynamically obtain an IP address, your system is not vulnerable to this problem. The command: % ps auxww | grep dhclient will show if dhclient is running on a system. If you are running any NetBSD 1.4.x release, you should download the patch listed below, and apply it to src/usr.sbin/dhcp/client/options.c using the patch(1) command. If you are running NetBSD-current or NetBSD-release, you should update your source tree (with either sup or anonymous CVS) to a version containing the fix. The problem was corrected on the NetBSD-current mainline on 2000/06/24, on the netbsd-1-4 release branch on 2000/06/29, and on the netbsd-1-5 release branch on 2000/07/10. In all cases you should then rebuild and reinstall DHCP: % cd src/usr.sbin/dhcp % make all # make install You should then kill off and restart any existing dhclient processes. Patch for all releases of 1.4.x: ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000708-dhclient Thanks To ========= Todd Fries and others of OpenBSD (for discovery of the problem), Jun-ichiro Hagino , and Ted Lemon of ISC. Revision History ================ 2000/06/28 - Initial version. 2000/07/08 - Released 2000/07/10 - Clarified correction dates for 1.4 vs 1.5 vs -current. More Information ================ Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2000, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2000-008.txt,v 1.3 2000/07/10 23:11:06 sommerfeld Exp $ -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOWpYLD5Ru2/4N2IFAQEVJQP/Wm2Hvc3Ow8eYTyTyEph51tRU0Z3KY5CP yyF5dSCB30nVoJZmuYHIIOGRfbjxEqxb+5qQeF8vyJMr3ujbqIbxWuTHxBiw6bty yFI6LYr/Bq57t+I7VdyZq6KGXBthe5RpXyp4g/5NudCz6/g+/HcHrld6Arwt9jmR qBY8JohUkBo= =woFK -----END PGP SIGNATURE-----