Date: Sun, 28 Jul 2013 15:30:27 +0200 From: Helmut Grohne <helmut@...divi.de> To: oss-security@...ts.openwall.com Subject: Re: ISC DHCP client and unsolicited DHCP options On Wed, Jul 17, 2013 at 10:35:52PM -0600, Kurt Seifried wrote: > Do any DHCP clients process and use options passed to them that are > not explicitly wanted? Might be worth setting up a DHCP server that > hands out every possible options (there's a lot) and see what happens > on various clients. At least on Debian, the default configuration requests the host-name option. The dhclient-script then evaluates this option and thereby enables a DHCP server to change the hostname if the current hostname is "(none)", "localhost" or a previously sent hostname. Changing the hostname can have undesired consequences such as breaking a running X11 session (can be considered remote denial of service). That is why a number of people (including me) remove host-name from the requested options. Now given the new findings, a DHCP server can still change the hostname of a connecting client by first sending an unsolicited host-name option with the current hostname and then changing the hostname in a RENEW. Guessing the current hostname should be easy in the presence of avahi or similar services. Since the bug breaks the assumption, that removing an option from the request list causes it not to be processed, and this can result in the xserver rejecting new connections, I think the issue should receive a CVE identifier. Quoting the relevant dhclient-script part: | if [ -n "$new_host_name" ]; then | current_hostname=$(hostname) | | # current host name is empty, '(none)' or 'localhost' or differs from new one from DHCP | if [ -z "$current_hostname" ] || | [ "$current_hostname" = '(none)' ] || | [ "$current_hostname" = 'localhost' ] || | [ "$current_hostname" = "$old_host_name" ]; then | if [ "$new_host_name" != "$old_host_name" ]; then | hostname "$new_host_name" | fi | fi | fi Helmut
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.