[Dnsmasq-discuss] Shellshock.
Roy Marples
roy at marples.name
Sat Sep 27 11:01:01 BST 2014
On Friday 26 Sep 2014 21:14:20 Simon Kelley wrote:
> This is just a heads-up that if you're using the --dhcp-script option in
> dnsmasq, and the script you're calling is being interpreted by bash,
> then you're affected by the shellshock bug.
>
> The bug allows execution of arbitrary code contained in the values of
> environment variables, and there are several variables in the
> environment inherited by the DHCP script whose values can be set
> directly by a DHCP client, so any DHCP client on your network (or
> elsewhere, if your firewall allows) can execute arbitrary shellcode,
> probably as root, with a simple DHCP request.
>
> The fix, of course, is to update bash.
What's your reason for not sanitising the variables?
I just released dhcpcd-6.4.7 which fixes this exact issue. I changed from
using my custom sanitiser to svis(3) with VIS_CSTYLE | VIS_OCTAL and the
output can be decoded using unvis(1).
Oddly enough this encoding matches the style dhcpcd was using previously which
is a nice win for me.
glibc doesn't ship with svis(3), so I wrote a heavily stripped down NetBSD
version which can be found here:
http://roy.marples.name/projects/dhcpcd/artifact/608ef4144b31cc21e3c811d1957cb836733e73bc
And the extra chars passed for sanitising:
#define ESCAPE_CHARS "|&;<>()$`\\\"'\t\n"
As noted here:
http://pubs.opengroup.org/onlinepubs/009604599/utilities/xcu_chap02.html
Section 2.2, quoting
Roy
More information about the Dnsmasq-discuss
mailing list