[Dnsmasq-discuss] Shellshock.
Roy Marples
roy at marples.name
Tue Sep 30 14:05:35 BST 2014
On 2014-09-30 13:33, Nicholas Weaver wrote:
> Although, to be honest, although the DHCP vector is trivial to exploit
> [1], if the attacker can give you a bogus DHCP reply you've lost
> already.
>
> At this point, the attacker already has a full man-in-the-middle of
> all network traffic, and can easily launch invisible attacks on
> clients (e.g. cause a hidden iframe to appear to their metasploit
> server instance, insert cached scripts into the browser context,
> etc...).
http://tools.ietf.org/html/rfc3118
Although this does rely on you trusting the DHCP server and I admit it's
a non-trivial setup as not many servers or clients actually support it.
> [1] the DHCP server on my test network has: option domain-name "() {
> ignored;}; /bin/touch pwnage ; (/bin/sleep 10; /bin/ping -c 10
> 10.128.0.2) & "; in its config
I have similar in my server config, but as the server id :)
Roy
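
As an added example (not part of the original message, and not code from dnsmasq or any DHCP client): a client-side check on a DHCP-supplied domain-name value before it is exported to a hook script's environment. The function names are hypothetical and the sample values are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers, not taken from dnsmasq or any DHCP client.
 * DHCP option data is length-prefixed, so the length is passed explicitly. */

/* Detection: does the value start with the bash function-definition
 * prefix "() {" that a Shellshock-vulnerable bash parses from the environment? */
int looks_like_bash_function(const char *s, size_t len)
{
    return len >= 4 && memcmp(s, "() {", 4) == 0;
}

/* Mitigation: allowlist check for a domain-name value before it is exported
 * to a hook script. Accepts only letters, digits, '-' and '.', with labels of
 * 1..63 bytes that neither start nor end with '-'. Returns 1 if acceptable. */
int dhcp_domain_is_safe(const char *s, size_t len)
{
    size_t i, label = 0;

    if (len == 0 || len > 253 || s[len - 1] == '-')
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];

        if (c == '.') {
            if (label == 0 || s[i - 1] == '-')
                return 0;           /* empty label or label ending in '-' */
            label = 0;
        } else if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                   (c >= '0' && c <= '9') || (c == '-' && label > 0)) {
            if (++label > 63)
                return 0;           /* label too long */
        } else {
            return 0;               /* space, ';', '(', NUL, ... */
        }
    }
    return 1;
}

int main(void)
{
    const char *bad = "() { :;}; echo constructed-sample"; /* constructed */
    const char *ok = "lan.example.org";                     /* constructed */

    printf("%d %d %d\n", looks_like_bash_function(bad, strlen(bad)),
           dhcp_domain_is_safe(bad, strlen(bad)),
           dhcp_domain_is_safe(ok, strlen(ok)));
    return 0;
}
```

The allowlist is what protects the hook script; the prefix check is only useful for logging that a server sent such a value.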