oss-sec mailing list archives
Re: ISC DHCP client and unsolicited DHCP options
From: Tomas Hoger <thoger () redhat com>
Date: Tue, 13 Aug 2013 23:08:54 +0200
On Sun, 28 Jul 2013 15:30:27 +0200 Helmut Grohne wrote:
At least on Debian, the default configuration requests the host-name option. The dhclient-script then evaluates this option and thereby enables a DHCP server to change the hostname if the current hostname is "(none)", "localhost" or a previously sent hostname. Changing the hostname can have undesired consequences such as breaking a running X11 session (can be considered remote denial of service). That is why a number of people (including me) remove host-name from the requested options. Now given the new findings, a DHCP server can still change the hostname of a connecting client by first sending an unsolicited host-name option with the current hostname and then changing the hostname in a RENEW. Guessing the current hostname should be easy in the presence of avahi or similar services.
The dhclient-script in dhcp packages in recent Fedora and Red Hat Enterprise Linux versions allow administrator to define hook scripts which are sourced by the dhclient-script. Those hooks can unset environment variables set by dhclient before they are processed by the dhclient-script. Not sure if other distros may want to add similar mechanism: http://pkgs.fedoraproject.org/cgit/dhcp.git/plain/dhclient-script But as mentioned before, NetworkManager does its own processing and does not use the standard dhclient-script. -- Tomas Hoger / Red Hat Security Response Team
Current thread:
- ISC DHCP client and unsolicited DHCP options Florian Weimer (Jul 17)
- Re: ISC DHCP client and unsolicited DHCP options Kurt Seifried (Jul 17)
- Re: ISC DHCP client and unsolicited DHCP options Helmut Grohne (Jul 28)
- Re: ISC DHCP client and unsolicited DHCP options Tomas Hoger (Aug 13)
- Re: ISC DHCP client and unsolicited DHCP options Helmut Grohne (Jul 28)
- Re: ISC DHCP client and unsolicited DHCP options Kurt Seifried (Jul 17)