Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 28 Jul 2013 15:30:27 +0200
From: Helmut Grohne <helmut@...divi.de>
To: oss-security@...ts.openwall.com
Subject: Re: ISC DHCP client and unsolicited DHCP options

On Wed, Jul 17, 2013 at 10:35:52PM -0600, Kurt Seifried wrote:
> Do any DHCP clients process and use options passed to them that are
> not explicitly wanted? Might be worth setting up a DHCP server that
> hands out every possible options (there's a lot) and see what happens
> on various clients.

At least on Debian, the default configuration requests the host-name option.
The dhclient-script then evaluates this option and thereby enables a DHCP
server to change the hostname if the current hostname is "(none)", "localhost"
or a previously sent hostname. Changing the hostname can have undesired
consequences such as breaking a running X11 session (can be considered remote
denial of service).

That is why a number of people (including me) remove host-name from the
requested options. Now given the new findings, a DHCP server can still change
the hostname of a connecting client by first sending an unsolicited host-name
option with the current hostname and then changing the hostname in a RENEW.
Guessing the current hostname should be easy in the presence of avahi or
similar services.

Since the bug breaks the assumption, that removing an option from the
request list causes it not to be processed, and this can result in the
xserver rejecting new connections, I think the issue should receive a
CVE identifier.

Quoting the relevant dhclient-script part:
| if [ -n "$new_host_name" ]; then
|     current_hostname=$(hostname)
| 
|     # current host name is empty, '(none)' or 'localhost' or differs from new one from DHCP
|     if [ -z "$current_hostname" ] ||
|        [ "$current_hostname" = '(none)' ] ||
|        [ "$current_hostname" = 'localhost' ] ||
|        [ "$current_hostname" = "$old_host_name" ]; then
|        if [ "$new_host_name" != "$old_host_name" ]; then
|            hostname "$new_host_name"
|        fi
|     fi
| fi

Helmut

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.