Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20130728133024.GA28830@alf.mars>
Date: Sun, 28 Jul 2013 15:30:27 +0200
From: Helmut Grohne <helmut@...divi.de>
To: oss-security@...ts.openwall.com
Subject: Re: ISC DHCP client and unsolicited DHCP options

On Wed, Jul 17, 2013 at 10:35:52PM -0600, Kurt Seifried wrote:
> Do any DHCP clients process and use options passed to them that are
> not explicitly wanted? Might be worth setting up a DHCP server that
> hands out every possible options (there's a lot) and see what happens
> on various clients.

At least on Debian, the default configuration requests the host-name option.
The dhclient-script then evaluates this option and thereby enables a DHCP
server to change the hostname if the current hostname is "(none)", "localhost"
or a previously sent hostname. Changing the hostname can have undesired
consequences such as breaking a running X11 session (can be considered remote
denial of service).

That is why a number of people (including me) remove host-name from the
requested options. Now given the new findings, a DHCP server can still change
the hostname of a connecting client by first sending an unsolicited host-name
option with the current hostname and then changing the hostname in a RENEW.
Guessing the current hostname should be easy in the presence of avahi or
similar services.

Since the bug breaks the assumption, that removing an option from the
request list causes it not to be processed, and this can result in the
xserver rejecting new connections, I think the issue should receive a
CVE identifier.

Quoting the relevant dhclient-script part:
| if [ -n "$new_host_name" ]; then
|     current_hostname=$(hostname)
| 
|     # current host name is empty, '(none)' or 'localhost' or differs from new one from DHCP
|     if [ -z "$current_hostname" ] ||
|        [ "$current_hostname" = '(none)' ] ||
|        [ "$current_hostname" = 'localhost' ] ||
|        [ "$current_hostname" = "$old_host_name" ]; then
|        if [ "$new_host_name" != "$old_host_name" ]; then
|            hostname "$new_host_name"
|        fi
|     fi
| fi

Helmut

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.