| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20110406181923.GB24585@suse.de> Date: Wed, 6 Apr 2011 20:19:23 +0200 From: Marcus Meissner <meissner@...e.de> To: Ryan Sears <rdsears@....edu> Cc: full-disclosure <full-disclosure@...ts.grok.org.uk> Subject: Re: ISC DHCP Client [3.0.x to 4.2.x] Arbitrary Command Execution (CVE-2011-0997) On Wed, Apr 06, 2011 at 02:01:58PM -0400, Ryan Sears wrote: > Hey guys, > > It was recently discovered (NOT by myself) that the ISC dhclient was vulnerable to certain shell metacharacters in the hostname parameter specified by *any* DHCP server, causing it to potentially run arbitrary commands as root. I haven't seen anything else on it here, so I figured I'd make everyone aware. > > There's only one real phrase that comes to mind => WTF? > > https://www.isc.org/software/dhcp/advisories/cve-2011-0997 > > http://www.h-online.com/security/news/item/DHCP-client-allows-shell-command-injection-1222805.html By itself it is not a DHCP client issue, just the fact the DHCP clients let DHCP daemon controlled hostnames through without filtering could in turn make other programs, like e.g. X.Org, execute code when evaluating the hostname unquoted. X.Org was also fixed yesterday: http://lwn.net/Articles/437018/ (It passed -Dsomething=$hostname unquoted to a xrdb call via system()) (discovered by Sebastian Krahmer of SUSE Security.) Ciao, Marcus _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists