How would you know if someone set up a rogue DHCP server within your network? Even if it were an accidental deployment of a machine with the DHCP service turned on and no intention to exploit this flaw, a rogue DHCP server can cause quite a few headaches.
The dhclient software does not filter shell meta-characters out of the responses it receives, making it possible for a rogue DHCP server on a targeted network to remotely execute malicious code on clients, the Internet Systems Consortium said on April 5. No known exploits exist in the wild, but it is possible that attackers will now start using the bug to break into networks.
In its advisory, ISC wrote, “dhclient doesn’t strip or escape certain shell meta characters in dhcpd responses.”
The vulnerability exists in versions prior to 3.1-ESV-R1, 4.1-ESV-R2, and 4.2.1-P1, according to the ISC advisory (CVE-2011-0997). Attackers who control a DHCP server can send out malicious hostname replies with shell commands embedded in them. dhclient runs those commands when it processes the hostname reply, using its system-level privileges on the client system.
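A defender-side check in the spirit of the opening question, added here and not taken from the article or from ISC: it parses the option area of a DHCP reply, flags a server identifier (option 54) that is not on an allowlist of known servers, and flags a host-name option (option 12) carrying the shell metacharacters that CVE-2011-0997 turned into command execution. The packet builder, the trusted-server list and both sample replies are constructed for this example.

```python
import ipaddress
import re
# Shell metacharacters that never belong in a legitimate DHCP host-name option;
# unfiltered, these are what dhclient handed to the shell (CVE-2011-0997).
SHELL_META = re.compile(r"[;&|`$(){}<>\\'\"\n]")

def parse_dhcp_options(packet):
    """Parse the TLV option area of a BOOTP/DHCP packet into {code: bytes}."""
    # 236-byte fixed BOOTP header, then the 4-byte DHCP magic cookie.
    if len(packet) < 240 or packet[236:240] != b"\x63\x82\x53\x63":
        raise ValueError("not a DHCP packet")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0xFF:  # end option
            break
        if code == 0x00:  # pad option carries no length byte
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return options

def audit_dhcp_reply(packet, trusted_servers):
    """Return findings for one DHCP reply; an empty list means it looks clean."""
    opts, findings = parse_dhcp_options(packet), []
    server_id = opts.get(54)
    if server_id is None or len(server_id) != 4:
        findings.append("missing or malformed server identifier (option 54)")
    elif str(ipaddress.IPv4Address(server_id)) not in trusted_servers:
        findings.append(f"reply from untrusted DHCP server {ipaddress.IPv4Address(server_id)}")
    hostname = opts.get(12)
    if hostname is not None and SHELL_META.search(hostname.decode("latin-1")):
        findings.append(f"host-name option contains shell metacharacters: {hostname!r}")
    return findings

def build_reply(server_ip, hostname):
    """Build a minimal constructed DHCPOFFER so the audit can be exercised offline."""
    opts = bytes([53, 1, 2])                                   # option 53: DHCPOFFER
    opts += bytes([54, 4]) + ipaddress.IPv4Address(server_ip).packed
    opts += bytes([12, len(hostname)]) + hostname
    return bytes(236) + b"\x63\x82\x53\x63" + opts + b"\xff"

TRUSTED = {"10.0.0.1"}                         # constructed allowlist of known servers
GOOD = build_reply("10.0.0.1", b"lab-pc-01")   # constructed legitimate reply
BAD = build_reply("10.0.0.99", b"lab-pc;x")    # constructed rogue reply with a metacharacter

if __name__ == "__main__":
    print(audit_dhcp_reply(GOOD, TRUSTED), audit_dhcp_reply(BAD, TRUSTED))
```

In practice the packet bytes would come from a capture of UDP port 68 traffic on a client, and any finding is a reason to locate the sending host rather than let clients keep leasing from it.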