
Source: http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html

For the same reason, userland DHCP clients that invoke configuration scripts and use variables to pass down config details are at risk when exposed to rogue servers (e.g., on open wifi).

Wonder if Linux dhclient is vulnerable to config details passed from the router.

If so, many desktop Linux rigs should be patched ASAP. Also interested in DHCP configuration done in Android.

Deer Hunter

2 Answers

Yes.

The dhclient-script network-configuration shell script is run during the DHCP process, and a number of parameters from the server (such as domain-name) are passed to it in environment variables. The script is set to be interpreted by /bin/sh, so if your system has that symlinked to /bin/bash (which is quite common), you're vulnerable.

What's more, on Debian (and possibly many of its myriad offspring like Ubuntu), which uses dash as /bin/sh, dhclient-script is explicitly shebanged to /bin/bash, and it does seem to contain a bashism, too.

Mark
  • So Mac OS X should be vulnerable, too. What about Android? – Deer Hunter Sep 25 '14 at 10:08
  • I don't know. Android mostly doesn't use the GNU userland programs, so it may use a different DHCP client, or it may not have `bash`. – Mark Sep 25 '14 at 10:10
  • See http://blog.varunkumar.me/2010/09/how-to-change-dns-server-on-android.htm – Deer Hunter Sep 25 '14 at 10:12
  • Specifically, `/system/etc/dhcpcd/dhcpcd-hooks/20-dns.conf` – Deer Hunter Sep 25 '14 at 10:14
  • Android uses a variant of ash or ksh, depending on the version. Neither of those are vulnerable. https://stackoverflow.com/questions/11950131/android-adb-shell-ash-or-ksh – sep332 Sep 25 '14 at 13:57
  • @sep332 your comment is worth converting to an answer or an answer to a separate question. – Smit Johnth Sep 25 '14 at 17:15
  • So, "OS X doesn't use Bash for configuring DHCP, so it's not vulnerable. All of that is done in the kernel on Macs." https://news.ycombinator.com/item?id=8369678 – jpillora Sep 29 '14 at 23:46
  • @Mark - I am on Debian, and as you say `/sbin/dhclient-script` is explicitly shebanged to `bash`. But I have changed `/bin/bash` to `/bin/sh` and everything works fine (`/bin/sh` is linked to `/bin/dash` on Debian). Which bashisms did you refer to? – Martin Vegter Nov 12 '14 at 21:07

Both dhclient and dhcpcd call configuration scripts that invoke a system shell, so they are vulnerable.

However, based on my testing it looks like you can run at least dhcpcd successfully without the config script (if you rename/move the script):

```
$ pkill dhcpcd
$ ping -c 1 www.google.com
ping: unknown host www.google.com

$ mv /usr/lib/dhcpcd/dhcpcd-run-hooks /usr/lib/dhcpcd/dhcpcd-run-hooks-disabled
$ dhcpcd
dhcpcd[29057]: version 6.4.3 starting
dhcpcd[29057]: script_runreason: /usr/lib/dhcpcd/dhcpcd-run-hooks: WEXITSTATUS 127
(...)
dhcpcd[29057]: forked to background, child pid 29069

$ ping -c 1 www.google.com
PING www.google.com (74.125.232.240) 56(84) bytes of data.
64 bytes from arn06s07-in-f16.1e100.net (74.125.232.240): icmp_seq=1 ttl=54 time=16.4 ms
(...)
```

As you can see, there is a warning, but in the end the connection is established.

There will probably be some things (e.g. domain) that are not set correctly, so this is a hackish solution. I have not tested this on a WiFi network; it could fail there.

Edit: based on `strings /usr/bin/dhcpcd`, it looks like the script path is hard-coded.
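
Added example (not part of either answer, and not code from dhclient or dhcpcd): a POSIX shell check for the condition the first answer describes, namely whether a DHCP hook script ends up interpreted by bash once its shebang and the `/bin/sh` symlink are resolved. The two default paths are the ones quoted on this page; the function names are hypothetical, and `readlink -f` is assumed to be available.

```shell
#!/bin/sh
# Added example: which shell really interprets the DHCP hook scripts?
# Function names are hypothetical; assumes `readlink -f` is available.

# Print the symlink-resolved interpreter from a script's shebang line.
# Returns 1 when the file has no shebang or cannot be read.
script_interpreter() {
    first=$(head -n 1 "$1" 2>/dev/null) || return 1
    case $first in
        '#!'*) ;;
        *) return 1 ;;
    esac
    # Split "#! /path/to/interp arg ..." into fields.
    read -r interp arg _rest <<EOF
${first#??}
EOF
    # "#!/usr/bin/env NAME": the real interpreter is NAME, found via PATH.
    if [ "${interp##*/}" = env ] && [ -n "$arg" ]; then
        interp=$(command -v "$arg") || return 1
    fi
    # /bin/sh is often a symlink (to bash, dash, ...); follow it.
    readlink -f "$interp"
}

# Exit status 0 when the script is run by bash after resolution.
runs_under_bash() {
    resolved=$(script_interpreter "$1") || return 1
    [ "${resolved##*/}" = bash ]
}

# Hook scripts named on this page; pass other paths as arguments to override.
[ "$#" -gt 0 ] || set -- /sbin/dhclient-script /usr/lib/dhcpcd/dhcpcd-run-hooks
for hook in "$@"; do
    [ -f "$hook" ] || continue
    if runs_under_bash "$hook"; then
        echo "$hook: run by $(script_interpreter "$hook"); verify bash is patched"
    else
        echo "$hook: interpreter is $(script_interpreter "$hook" || echo unknown)"
    fi
done
```

A hook reported as running under bash is only a concern while the installed bash is unpatched; the check tells you where the DHCP-supplied environment variables end up, not the patch level.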