ShellShock DHCP Server

2014-11-20T00:00:00
ID SAINT:2AE124BF9DEB7BF62DF04248DEE949D2
Type saint
Reporter SAINT Corporation
Modified 2014-11-20T00:00:00

Description

Added: 11/20/2014
CVE: CVE-2014-6271
BID: 70103
OSVDB: 112004

Background

Bash is vulnerable to command injection using environment variables. When an application takes user input and uses setenv() a malicious actor is able to execute commands on the target in the security context of the running application. This exploit implements a DHCP server that listens for DHCP Request packets. DHCP Response packets are sent with a payload that will generate a shell script in /tmp/s.sh and execute it. By default the shell script executes a netcat call back shell on the specified port. The payload of the exploit can be modified by changing exploits/s.sh

Limitations

Successful exploitation over DHCP is a race against the real DHCP server on the network. On some affected systems the payload will execute even when the race is lost however the reliability of the exploit will vary. Due to network latency reliability attacking from wireless networks is reduced. It is possible that networking will have to be restarted manually on the client in some cases.

Resolution

Install the appropriate bash patch for your system.