[Secure-testing-team] Bug#762923: dhclient-script uses bash, allowing remote bash exploits
Goswin von Brederlow
goswin-v-b at web.de
Fri Sep 26 10:47:39 UTC 2014
Package: isc-dhcp-client
Version: 4.2.4-7
Severity: normal
File: /sbin/dhclient-script
Tags: security
dhclient puts unchecked strings into environment variables for the
dhclient-script and dhclient-script uses #!/bin/bash. This allows the
recently found bash bugs to be exploited remotely.
There seem to be 2 places where dhclient-script uses bashism:
% checkbashisms /sbin/dhclient-script
possible bashism in /sbin/dhclient-script line 58 (sourced script with arguments):
. $script "$@"
possible bashism in /sbin/dhclient-script line 181 (should be 'b = a'):
if [ "$new_subnet_mask" == "255.255.255.255" ]; then
The second one is trivial to fix, leaving a single bashism.
Would it be possible to rewrite that in a POSIX sh compatible way?
That would leave the dhclient hook scripts to worry about:
possible bashism in /etc/dhcp3/dhclient-enter-hooks.d/debug line 24 (${!name}):
echo $i=\'${!i}\' >> /tmp/dhclient-script.debug
possible bashism in /etc/dhcp3/dhclient-exit-hooks.d/debug line 23 (${!name}):
echo $i=\'${!i}\' >> /tmp/dhclient-script.debug
possible bashism in /etc/dhcp3/dhclient-exit-hooks.d/rfc3442-classless-routes line 8 (should be 'b = a'):
if [ x"$reason" == x"BOUND" ]; then
possible bashism in /etc/dhcp3/dhclient-exit-hooks.d/rfc3442-classless-routes line 11 (bash arrays, ${name[0|*|@]}):
for(( i=0; i < ${#rfc_routes[@]}; )); do
+10 more array uses
Given the many eyes now turning towards finding bugs in bash and
building exploits with them, it might be safer to fix those bashisms
and switch dhclient-script over to #!/bin/sh.
What do you think?
Kind regards
Goswin
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.14-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Versions of packages isc-dhcp-client depends on:
ii debianutils 4.4
ii iproute 1:3.14.0-1
ii isc-dhcp-common 4.2.4-7
ii libc6 2.19-1
isc-dhcp-client recommends no packages.
Versions of packages isc-dhcp-client suggests:
pn avahi-autoipd <none>
pn resolvconf <none>
-- no debconf information
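Added example, not part of the bug report or of the isc-dhcp-client package: POSIX sh replacements for the three kinds of bashism that checkbashisms flags above, written so they run under dash (the /bin/sh on the reporting system) as well as bash. The function names get_var, is_host_mask and parse_classless_routes are hypothetical; the sample variable values are constructed. The remaining flagged construct, `. $script "$@"`, needs no replacement logic: a sourced file already sees the positional parameters of the context it is sourced from, so `. "$script"` alone behaves the same.

```shell
#!/bin/sh
# Added example (not from the bug report or isc-dhcp-client): POSIX sh
# equivalents for the bashisms listed in the report. Input values below
# are constructed to resemble what dhclient exports.

# Replacement for ${!name} (the debug hooks). dhclient hands option
# values to the script as environment variables, so the name comes from
# the script and only the value comes from the network. The name is
# checked against the shell identifier grammar before eval so that no
# other text can ever be evaluated.
get_var() {
    case $1 in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    eval "printf '%s\n' \"\${$1}\""
}

# "==" inside [ ] is a bashism; POSIX test compares with a single "=".
is_host_mask() {
    [ "$1" = "255.255.255.255" ]
}

# Bash-array replacement for the rfc3442-classless-routes hook, using
# the positional parameters instead of an array. $1 is the value
# dhclient exports for option 121: a space-separated list of decimal
# octets, each route encoded as
#   <prefix length> <significant destination octets> <4 router octets>
# Prints one "dest/len via router" line per route. Any malformed input
# returns 1 before anything is printed, so the caller adds no route at
# all rather than a partial set.
parse_classless_routes() {
    case $1 in
        ''|*[!0-9' ']*) return 1 ;;      # digits and spaces only
    esac
    set -f                              # no pathname expansion while splitting
    set -- $1
    set +f
    out=
    while [ $# -gt 0 ]; do
        width=$1; shift
        [ "$width" -le 32 ] || return 1
        noct=$(( (width + 7) / 8 ))     # significant destination octets
        [ $# -ge $(( noct + 4 )) ] || return 1
        dest=; i=0
        while [ $i -lt 4 ]; do
            if [ $i -lt "$noct" ]; then
                octet=$1; shift
            else
                octet=0                 # pad the destination to four octets
            fi
            [ "$octet" -le 255 ] || return 1
            dest="$dest${dest:+.}$octet"
            i=$(( i + 1 ))
        done
        for octet in "$1" "$2" "$3" "$4"; do
            [ "$octet" -le 255 ] || return 1
        done
        out="$out$dest/$width via $1.$2.$3.$4
"
        shift 4
    done
    printf '%s' "$out"
}

# Demonstration with constructed values.
new_subnet_mask=255.255.255.255
new_rfc3442_classless_static_routes="24 192 168 10 10 0 0 1 0 10 0 0 1"
get_var new_subnet_mask
is_host_mask "$(get_var new_subnet_mask)" && echo "host route needed"
parse_classless_routes "$new_rfc3442_classless_static_routes"
```

Run it with `sh` rather than `bash` to confirm the functions work under dash; `checkbashisms` on the file reports nothing. The octet-by-octet bounds checks and the all-or-nothing return matter because option 121 arrives from the DHCP server unauthenticated, which is the same trust boundary the report is concerned with.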