[Dnsmasq-discuss] Shellshock.

[richardvoigt at gmail.com]

I know this could be found in the code, and my own systems have busybox not
bash, but I thought I'd ask for general interest:

Is this a matter only of the shebang line in the script, or does dnsmasq
use `system()` to run it, meaning that control passes through the user's
login shell before transferring to the interpreter listed in the shebang?

If the script is execed or spawned, then changing the shebang to /bin/ash
or other non-bash implementation which aims for bash compatibility could be
an even faster workaround (that also cures aftershock).

BTW, isn't that script executed as root only in --leasefile-ro mode, and
that without remote input in the environment?  Oh nevermind, the script
always gets invoked from the dnsmasq process that doesn't drop privilege,
unless that new --dhcp-scriptuser option is active.

On Fri, Sep 26, 2014 at 4:14 PM, Simon Kelley <simon at thekelleys.org.uk>
wrote:

> This is just a heads-up that if you're using the --dhcp-script option in
> dnsmasq, and the script you're calling is being interpreted by bash,
> then you're affected by the shellshock bug.
>
> The bug allows execution of arbitrary code contained in the values of
> environment variables, and there are several variables in the
> environment inherited by the DHCP script whose values can be set
> directly by a DHCP client, so any DHCP client on your network (or
> elsewhere, if your firewall allows) can execute arbitrary shellcode,
> probably as root, with a simple DHCP request.
>
> The fix, of course, is to update bash.
>
>
> Cheers,
>
> Simon.
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20140926/f118c565/attachment.html>