[Dnsmasq-discuss] Shellshock.

Simon Kelley simon at thekelleys.org.uk
Mon Sep 29 20:17:56 BST 2014


On 27/09/14 11:01, Roy Marples wrote:
> On Friday 26 Sep 2014 21:14:20 Simon Kelley wrote:
>> This is just a heads-up that if you're using the --dhcp-script option in
>> dnsmasq, and the script you're calling is being interpreted by bash,
>> then you're affected by the shellshock bug.
>>
>> The bug allows execution of arbitrary code contained in the values of
>> environment variables, and there are several variables in the
>> environment inherited by the DHCP script whose values can be set
>> directly by a DHCP client, so any DHCP client on your network (or
>> elsewhere, if your firewall allows) can execute arbitrary shellcode,
>> probably as root, with a simple DHCP request.
>>
>> The fix, of course, is to update bash.
> 
> What's your reason for not sanitising the variables?
> 
> I just released dhcpcd-6.4.7 which fixes this exact issue. I changed from 
> using my custom sanitiser to svis(3) with VIS_CSTYLE | VIS_OCTAL and the 
> output can be decoded using unvis(1).
> Oddly enough this encoding matches the style dhcpcd was using previously which 
> is a nice win for me.
> 
> glibc doesn't ship with svis(3), so I wrote a heavily stripped down NetBSD 
> version which can be found here:
> http://roy.marples.name/projects/dhcpcd/artifact/608ef4144b31cc21e3c811d1957cb836733e73bc
> 
> And the extra chars passed for sanitising:
> #define ESCAPE_CHARS    "|&;<>()$`\\\"'\t\n"
> 
> As noted here:
> http://pubs.opengroup.org/onlinepubs/009604599/utilities/xcu_chap02.html
> Section 2.2, quoting
> 

There's no definition of what is allowed in those DHCP options, so it's
quite possible that a shell metacharacter would be encountered.
Sanitising the strings would therefore change what gets passed to the
script, i.e. it would be an API change.

Of course, the shell isn't supposed to interpret metacharacters in the
value of shell variables unless explicitly told to: so sanitising
shouldn't be required (though I concede it would mitigate a lot of
common shell-script errors.)


Cheers,

Simon
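
Added example, not part of the original thread and not dhcpcd's or dnsmasq's code: a simplified encoder for client-supplied option values using the ESCAPE_CHARS set quoted above, with the matching decoder a hook script would then need. It is not byte-compatible with svis(3): every escaped byte is written as a backslash plus three octal digits, with no C-style short forms. The names encode_value and decode_value and the sample hostname are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Extra characters to escape, as quoted in the thread. */
#define ESCAPE_CHARS "|&;<>()$`\\\"'\t\n"

/* Encode len bytes of src into dst; returns encoded length, or -1 if dst is too small. */
static int encode_value(char *dst, size_t dstlen, const char *src, size_t len)
{
    size_t o = 0;
    if (dstlen == 0) return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (o + 5 > dstlen) return -1;          /* worst case: "\ooo" plus NUL */
        if (c < 0x20 || c > 0x7e || strchr(ESCAPE_CHARS, c))
            o += (size_t)snprintf(dst + o, 5, "\\%03o", (unsigned)c);
        else
            dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return (int)o;
}

/* Decode s in place; returns decoded length, or -1 on a malformed escape. */
static int decode_value(char *s)
{
    size_t o = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        unsigned v = (unsigned char)s[i];
        if (v == '\\') {                        /* expect exactly three octal digits */
            v = 0;
            for (int k = 1; k <= 3; k++) {
                if (s[i + k] < '0' || s[i + k] > '7') return -1;
                v = v * 8 + (unsigned)(s[i + k] - '0');
            }
            if (v > 0xff) return -1;
            i += 3;
        }
        s[o++] = (char)v;
    }
    s[o] = '\0';
    return (int)o;
}

int main(void)
{
    char buf[128];
    const char *host = "lab (east); a&b\tc";    /* constructed sample value */
    if (encode_value(buf, sizeof buf, host, strlen(host)) < 0) return 1;
    printf("encoded: %s\n", buf);
    return decode_value(buf) < 0 || strcmp(buf, host) != 0;
}
```

A script that previously read the raw value would now see the encoded form and has to decode it first, which is the API change discussed in the reply.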