simon at thekelleys.org.uk
Fri Oct 3 20:29:33 BST 2014
On 02/10/14 15:28, Roy Marples wrote:
> On 2014-09-29 20:17, Simon Kelley wrote:
>> On 27/09/14 11:01, Roy Marples wrote:
>>> On Friday 26 Sep 2014 21:14:20 Simon Kelley wrote:
>>>> This is just a heads-up that if you're using the --dhcp-script option in
>>>> dnsmasq, and the script you're calling is being interpreted by bash,
>>>> then you're affected by the shellshock bug.
>>>> The bug allows execution of arbitrary code contained in the values of
>>>> environment variables, and there are several variables in the
>>>> environment inherited by the DHCP script whose values can be set
>>>> directly by a DHCP client, so any DHCP client on your network (or
>>>> elsewhere, if your firewall allows) can execute arbitrary shellcode,
>>>> probably as root, with a simple DHCP request.
>>>> The fix, of course, is to update bash.
>>> What's your reason for not sanitising the variables?
>>> I just released dhcpcd-6.4.7 which fixes this exact issue. I changed
>>> using my custom sanitiser to svis(3) with VIS_CSTYLE | VIS_OCTAL and the
>>> output can be decoded using unvis(1).
>>> Oddly enough this encoding matches the style dhcpcd was using previously,
>>> which is a nice win for me.
> In the cold light of day after shellshock I've come to the conclusion that
> you're right and I'm wrong.
> Admittedly I was swayed by a SUSE security report which dealt with badly
> quoted shell scripts which addressed the issue by introducing some
> sanitisation into dhcpcd and I went from there.
> Now, dhcpcd just sanitises according to the option encoding. So as most
> string options specify ASCII NVT dhcpcd will ensure that's what you get,
> stopping at the first invalid or non-printable character. There are
> other encoding types such as domain, ascii, raw and binhex which will
> satisfy everything hopefully.
> No more shell sanitising!
I think that's probably the right approach. If I could revisit this, I
probably would, but changing how (e.g.) the client-id is passed to the
DHCP script would break existing scripts.
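
The per-encoding sanitising described in the quoted reply above, as an added example that is not part of the original messages and is not dhcpcd or dnsmasq code: a string option is cut at the first byte outside printable ASCII, and an opaque option is hex-encoded. The function names and sample values are hypothetical. This constrains a value to its declared encoding and is not shell escaping; printable text passes through unchanged.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; not dhcpcd or dnsmasq code.
 * String option: input is length-delimited (not NUL-terminated). Keep
 * bytes up to the first one outside printable ASCII (0x20..0x7e).
 * out is always NUL-terminated. Returns the number of bytes kept. */
size_t opt_to_nvt_ascii(const unsigned char *opt, size_t len,
                        char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0)
        return 0;
    while (n < len && n + 1 < outsz && opt[n] >= 0x20 && opt[n] <= 0x7e) {
        out[n] = (char)opt[n];
        n++;
    }
    out[n] = '\0';
    return n;
}

/* Opaque option: lowercase hex, so every byte value is representable.
 * Returns the encoded length, or 0 (out left empty) if it would not fit. */
size_t opt_to_binhex(const unsigned char *opt, size_t len,
                     char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    if (outsz == 0)
        return 0;
    out[0] = '\0';
    if (len > (outsz - 1) / 2)
        return 0;
    for (size_t i = 0; i < len; i++) {
        out[2 * i] = hex[opt[i] >> 4];
        out[2 * i + 1] = hex[opt[i] & 0x0f];
    }
    out[2 * len] = '\0';
    return 2 * len;
}

int main(void)
{
    const unsigned char host[] = "laptop\nextra";          /* constructed */
    const unsigned char id[] = { 0x01, 0x00, 0x1b, 0xff }; /* constructed */
    char h[64], c[64];
    opt_to_nvt_ascii(host, sizeof host - 1, h, sizeof h);
    opt_to_binhex(id, sizeof id, c, sizeof c);
    printf("hostname=%s client_id=%s\n", h, c);
    return 0;
}
```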