SPECIAL STATE PROTECTION SERVICE
SPECIAL COMMUNICATION AND INFORMATION
SECURITY STATE AGENCY

COMPUTER EMERGENCY
RESPONSE CENTER

Bugtrack

  • Name of Program: [NetBSD] dhclient: Execute arbitrary code/commands - Remote/unauthenticated
  • Developer website:
  • Threat: High
  • Overview:

    ISC dhclient did not strip or escape certain shell meta-characters in responses from the DHCP server (such as the hostname) before passing the responses on to dhclient-script. This may result in execution of exploit code on the client.

    For more details, please see CVE-2011-0997.

  • Solution:

    dhclient(1) exports many variables to the environment. Some of them are strings provided by the DHCP server, and these were not being sanity checked for shell metacharacters. In the current implementation of /sbin/dhclient-script, "eval" is only used in ifconfig(8) commands, with arguments from the environment that the DHCP server cannot set to arbitrary strings ($interface and $medium are set by the client; $new_ip_address, $new_netmask_arg, $new_broadcast_arg, $alias_ip_address, $old_ip_address are IP addresses). Even so, one should either patch dhclient to sanitize all variables or add the following line to /sbin/dhclient-script at the beginning of the set_hostname() function:

    new_host_name="$(echo "${new_host_name}" | sed -e 's/[^a-zA-Z0-9-]*//g')"

    The reason to do this is that, unless the hostname is sanitized, a hostname with shell metacharacters can be set on the system, and other scripts that use the compromised hostname might break.
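
    The filter above, wrapped as a helper that also handles the cases a hostname consumer trips over, as an added example that is not part of the advisory or of NetBSD's dhclient-script. The function names, the newline and leading-hyphen handling, and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not NetBSD's dhclient-script. Function names are hypothetical
# and the sample values at the bottom are constructed.

# The advisory's allowlist filter. printf replaces echo so a value such as
# "-n" is not taken as an echo option; LC_ALL=C keeps a-z to ASCII letters;
# tr removes newlines, which sed (working line by line) would leave in place.
sanitize_host_name() {
    printf '%s' "$1" | LC_ALL=C sed -e 's/[^a-zA-Z0-9-]*//g' | tr -d '\n'
}

# Value set_hostname() should use. Prints the cleaned name and returns 0, or
# returns 1 when nothing usable is left so the caller keeps the current name.
usable_host_name() {
    clean=$(sanitize_host_name "$1")
    # A leading '-' would be read as an option by hostname(1); drop it.
    while [ "${clean#-}" != "$clean" ]; do clean=${clean#-}; done
    [ -n "$clean" ] || return 1
    # Leave a trace when the server-supplied value had to be changed.
    [ "$clean" = "$1" ] || echo "dhclient-script: DHCP host name altered by filter" >&2
    printf '%s\n' "$clean"
}

# Constructed host-name values, including ones carrying shell metacharacters.
for sample in 'ws-017' 'lab-host$(id)' 'ws01;echo x' '-s' '$(:)'; do
    if name=$(usable_host_name "$sample" 2>/dev/null); then
        printf '%-16s -> %s\n' "$sample" "$name"
    else
        printf '%-16s -> rejected, keep current hostname\n' "$sample"
    fi
done
```

    In set_hostname() the call would take the form `new_host_name=$(usable_host_name "$new_host_name") || return`, so a value that sanitizes to nothing never reaches hostname(1).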

    In environments where filters/ACLs can be put into place to limit clients to accessing only legitimate DHCP servers, this will protect clients from rogue DHCP servers deliberately trying to exploit this bug. However, this will not protect from compromised servers.

    Further workarounds: disable dhclient(8) from the base OS and use the fixed isc-dhclient4 package from pkgsrc.

    The following instructions describe how to upgrade your dhclient binaries by updating your source tree and rebuilding and installing a new version of dhclient.

    • HEAD - src/dist/dhcp/client/dhclient.c - 1.21
    • netbsd-5-0 - src/dist/dhcp/client/dhclient.c - 1.19.12.2
    • netbsd-5-1 - src/dist/dhcp/client/dhclient.c - 1.19.8.1.2.1
    • netbsd-5 - src/dist/dhcp/client/dhclient.c - 1.19.8.2
    • netbsd-4-0 - src/dist/dhcp/client/dhclient.c - 1.18.12.2
    • netbsd-4 - src/dist/dhcp/client/dhclient.c - 1.18.2.2

    The following instructions briefly summarize how to update and recompile dhclient. In these instructions, replace:

    VERSION - with the fixed version from the appropriate CVS branch (from the above table)

    FILE - with the name of the file from the above table

    To update from CVS, re-build, and re-install dhclient:

    # cd src
    # cvs update -d -P -r VERSION FILE
    # cd usr.sbin/dhcp
    # make USETOOLS=no cleandir dependall
    # cd client
    # make USETOOLS=no install