COMMAND
iscdhcp
SYSTEMS AFFECTED
ISC DHCP client v2
PROBLEM
Pavel Kankovsky found the following. The official fix for the recent
ISC DHCP client vulnerability is not as thorough as it should be.
For more info see:
http://oliver.efri.hr/~crv/security/bugs/Others/iscdhcp.html
If you diff versions 2.0 and 2.0pl1 you can see the only
substantial change to the code happened in pretty_print_option()
in common/options.c. The function is used when data received from
the server are saved to dhclient.leases or passed to
dhclient-script. Now, it escapes suspicious characters when it
formats text options.
Good. (BTW the code does not follow the old "allow only characters
known to be safe" rule, so some problems might still lurk in the
dark but this is not the point of my mail.)
Unfortunately, when you look at client/dhclient.c, you can see
that not every value is processed with pretty_print_option() or
something similar. Here is an example from script_write_params():
    if (lease -> filename) {
        fprintf (scriptFile, "%sfilename=\"%s\";\n",
                 prefix, lease -> filename);
        fprintf (scriptFile, "export %sfilename\n", prefix);
    }
    if (lease -> server_name) {
        fprintf (scriptFile, "%sserver_name=\"%s\";\n",
                 prefix, lease -> server_name);
        fprintf (scriptFile, "export %sserver_name\n", prefix);
    }
In fact, lease->filename and lease->server_name are used as they
have come from the network. Ergo, we can conclude that anyone
controlling the DHCP/BOOTP server or being able to spoof the
replies can easily break into any machine using ISC DHCP client of
any version up to and including 2.0pl2 (unless it is a very recent
OpenBSD version...see their cvsweb for details).
It should be stressed that this is only a problem in the DHCP
client, not in the DHCP server.
SOLUTION
This is a rather ugly patch that might (or might not) fix the bug.
Please note that 15 and 67 are more or less two arbitrary numbers
to make pretty_print_option() happy and use the right format.
--- client/dhclient.c.orig Wed Jan 26 13:51:11 2000
+++ client/dhclient.c Wed Jul 12 21:28:31 2000
@@ -902,7 +902,7 @@
break;
lease -> server_name = malloc (len + 1);
if (!lease -> server_name) {
- warn ("dhcpoffer: no memory for filename.\n");
+ warn ("dhcpoffer: no memory for server name.\n");
free_client_lease (lease);
return (struct client_lease *)0;
} else {
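Review bot: this hunk only corrects the copy-pasted warning text in the server_name allocation path ("no memory for filename" becomes "no memory for server name"); it changes no behaviour, so it would be better kept out of the security fix so that the diff that matters stays minimal and easy to audit.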
@@ -1845,10 +1845,14 @@
piaddr (lease -> address));
if (lease -> filename)
fprintf (leaseFile, " filename \"%s\";\n",
- lease -> filename);
+ pretty_print_option(67 /* bootfile-name option */,
+ lease -> filename, strlen(lease -> filename),
+ 0, 0));
if (lease -> server_name)
fprintf (leaseFile, " server-name \"%s\";\n",
- lease -> server_name);
+ pretty_print_option(15 /* domain name option */,
+ lease -> server_name, strlen(lease -> server_name),
+ 0, 0));
if (lease -> medium)
fprintf (leaseFile, " medium \"%s\";\n",
lease -> medium -> string);
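Review bot: the two pretty_print_option() calls borrow the formats of option 67 and option 15 purely to get text-style escaping, as the inline comments and the note above the patch admit; the quoting of the lease file therefore depends on those two table entries staying text-typed, and a later change there would silently stop the escaping. A dedicated string-escaping helper that both the filename and server-name lines call would be clearer, together with a check that a lease written with a filename containing `"` and `\` parses back from dhclient.leases to the same bytes. Note also that lease->medium->string on the last line of the hunk is still written unescaped.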
@@ -1986,13 +1990,17 @@
}
if (lease -> filename) {
- fprintf (scriptFile, "%sfilename=\"%s\";\n",
- prefix, lease -> filename);
+ fprintf (scriptFile, "%sfilename=\"%s\";\n", prefix,
+ pretty_print_option(67 /* bootfile-name option */,
+ lease -> filename, strlen(lease -> filename),
+ 0, 0));
fprintf (scriptFile, "export %sfilename\n", prefix);
}
if (lease -> server_name) {
- fprintf (scriptFile, "%sserver_name=\"%s\";\n",
- prefix, lease -> server_name);
+ fprintf (scriptFile, "%sserver_name=\"%s\";\n", prefix,
+ pretty_print_option(15 /* domain name option */,
+ lease -> server_name, strlen(lease -> server_name),
+ 0, 0));
fprintf (scriptFile, "export %sserver_name\n", prefix);
}
for (i = 0; i < 256; i++) {
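Review bot: the escaping applied here was designed for the lease-file syntax, but scriptFile is read by a shell, where the characters that matter inside the `%sfilename=\"%s\";\n` double-quoted string are `"`, `\`, `$` and the backtick; unless pretty_print_option() is known to neutralise all four, the assignment can still be terminated early by a server-supplied value. The more robust change is the one the OpenBSD fix described after the patch takes: hand the values to dhclient-script through an execve() environment so that no shell ever re-parses them, and have the script quote whatever it reads from that environment.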
OpenBSD released a different fix for the dhclient shipped with
OpenBSD. This was not the fix shipped by ISC. The patch released
by OpenBSD is *not* vulnerable to these problems. Their fix did
two things:
1) Make dhclient-script safely quote anything it gets from the
environment to avoid these problems
2) They pass the variables to dhclient-script by constructing
an environment and running dhclient-script with an execve
rather than using a temporary shell script.
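The second OpenBSD measure, shown as an added example that is not code from OpenBSD, ISC or the original advisory: the lease fields are handed to the script through a constructed execve() environment, so no generated shell script ever re-parses them. The environment variable names, the sample values and the helper names are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* "NAME=value" for execve()'s envp.  No escaping: the kernel copies envp
 * to the child verbatim, and a script reading "$new_server_name" never
 * re-parses those bytes as shell syntax, unlike values fprintf()ed into a
 * generated script.  Variable names here are assumed, not ISC's. */
char *make_env_entry(const char *name, const char *value)
{
    size_t nlen = strlen(name), vlen = strlen(value);
    char *e = malloc(nlen + vlen + 2);
    if (!e) return NULL;
    memcpy(e, name, nlen);
    e[nlen] = '=';
    memcpy(e + nlen + 1, value, vlen + 1);
    return e;
}

/* Fill a NULL-terminated envp[] (room for 3 entries) from the two lease
 * fields the advisory shows being written raw into the script. */
int build_lease_envp(const char *filename, const char *server_name,
                     char *envp[])
{
    size_t n = 0;
    if (filename && !(envp[n++] = make_env_entry("new_filename", filename)))
        return -1;
    if (server_name &&
        !(envp[n++] = make_env_entry("new_server_name", server_name)))
        return -1;
    envp[n] = NULL;
    return (int)n;
}

/* Run the script with that environment instead of a generated .sh file;
 * returns the child's exit status, or -1 on error. */
int run_script_with_env(const char *script, char *const envp[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)script, NULL };
        execve(script, argv, envp);
        _exit(127);              /* exec failed: report like a shell would */
    }
    int st;
    return (waitpid(pid, &st, 0) == pid && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}
```

The constructed server name in the test carries a backtick and a `$`; passed this way they reach the script as plain bytes, whereas written into a double-quoted assignment they would be expanded.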
The 2.0pl3 and 3.0b1pl17 releases fix a lingering security problem
that was partially fixed in 2.0pl2 and 3.0b1pl14 that made it
possible for a rogue DHCP server to provide information to the
DHCP client that would cause it to execute arbitrary commands as
root. This fix is similar to a fix implemented by the OpenBSD
folks. IF YOU ARE RUNNING VERSIONS OF THE ISC DHCP CLIENT PRIOR
to 2.0pl2 or 3.0b1pl17, PLEASE UPGRADE ASAP. This patch is NOT
necessary for ISC DHCP server users - only for users of the ISC
DHCP client. Users of the ISC DHCP client from the head of the
anoncvs tree prior to July 20 at 5:36 AM, UTC, should also
upgrade. Both versions of the ISC DHCP Distribution are available
at:
ftp://ftp.isc.org/isc/dhcp
For Linux-Mandrake:
7.0/RPMS/dhcp-3.0b1pl17-2mdk.i586.rpm
7.0/RPMS/dhcp-client-3.0b1pl17-2mdk.i586.rpm
7.0/RPMS/dhcp-relay-3.0b1pl17-2mdk.i586.rpm
7.0/SRPMS/dhcp-3.0b1pl17-2mdk.src.rpm
7.1/RPMS/dhcp-3.0b1pl17-2mdk.i586.rpm
7.1/RPMS/dhcp-client-3.0b1pl17-2mdk.i586.rpm
7.1/RPMS/dhcp-relay-3.0b1pl17-2mdk.i586.rpm
7.1/SRPMS/dhcp-3.0b1pl17-2mdk.src.rpm
For Debian Linux:
http://security.debian.org/dists/stable/updates/source/dhcp-beta_2.0b1pl6-0.4.diff.gz
http://security.debian.org/dists/stable/updates/source/dhcp-beta_2.0b1pl6-0.4.dsc
http://security.debian.org/dists/stable/updates/source/dhcp-beta_2.0b1pl6.orig.tar.gz
http://security.debian.org/dists/stable/updates/binary-alpha/dhcp-beta_2.0b1pl6-0.4_alpha.deb
http://security.debian.org/dists/stable/updates/binary-alpha/dhcp-client-beta_2.0b1pl6-0.4_alpha.deb
http://security.debian.org/dists/stable/updates/binary-alpha/dhcp-relay-beta_2.0b1pl6-0.4_alpha.deb
http://security.debian.org/dists/stable/updates/binary-i386/dhcp-beta_2.0b1pl6-0.4_i386.deb
http://security.debian.org/dists/stable/updates/binary-i386/dhcp-client-beta_2.0b1pl6-0.4_i386.deb
http://security.debian.org/dists/stable/updates/binary-i386/dhcp-relay-beta_2.0b1pl6-0.4_i386.deb
http://security.debian.org/dists/stable/updates/binary-m68k/dhcp-beta_2.0b1pl6-0.4_m68k.deb
http://security.debian.org/dists/stable/updates/binary-m68k/dhcp-client-beta_2.0b1pl6-0.4_m68k.deb
http://security.debian.org/dists/stable/updates/binary-m68k/dhcp-relay-beta_2.0b1pl6-0.4_m68k.deb
http://security.debian.org/dists/stable/updates/binary-sparc/dhcp-beta_2.0b1pl6-0.4_sparc.deb
http://security.debian.org/dists/stable/updates/binary-sparc/dhcp-client-beta_2.0b1pl6-0.4_sparc.deb
http://security.debian.org/dists/stable/updates/binary-sparc/dhcp-relay-beta_2.0b1pl6-0.4_sparc.deb
http://security.debian.org/dists/potato/updates/main/source/dhcp_2.0-3potato2.diff.gz
http://security.debian.org/dists/potato/updates/main/source/dhcp_2.0-3potato2.dsc
http://security.debian.org/dists/potato/updates/main/source/dhcp_2.0.orig.tar.gz
http://security.debian.org/dists/potato/updates/main/binary-alpha/dhcp_2.0-3potato2_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/dhcp-client_2.0-3potato2_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/dhcp-relay_2.0-3potato2_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/dhcp_2.0-3potato2_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/dhcp-client_2.0-3potato2_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/dhcp-relay_2.0-3potato2_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/dhcp_2.0-3potato2_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/dhcp-client_2.0-3potato2_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/dhcp-relay_2.0-3potato2_sparc.deb