On 26/09/14 22:45, richardvo...@gmail.com wrote: > I know this could be found in the code, and my own systems have busybox not > bash, but I thought I'd ask for general interest: > > Is this a matter only of the shebang line in the script, or does dnsmasq > use `system()` to run it, meaning that control passes through the user's > login shell before transferring to the interpreter listed in the shebang?
It's complicated. The vast majority of calls to the dhcp script are by execing it direct, with no use of system() in dnsmasq. So changing the shebang is enough. Beware that the shebang line may be #! /bin/sh but /bin/sh could be a link to /bin/bash. However, if using --leasefile-ro, the script is run once, at startup with the "init" operation, to feed the DHCP lease database into dnsmasq. That's done using popen() library call, and the man page for popen says: "The popen() function opens a process by creating a pipe, forking, and invoking the shell." So if the system shell is bash, then I guess you're still at risk there. IF an attacker can find a way of controlling the environment. For init, he doesn't have the easy option of setting the userclass or vendorclass in a DHCP request, so it's probably OK. > > If the script is execed or spawned, then changing the shebang to /bin/ash > or other non-bash implementation which aims for bash compatibility could be > an even faster workaround (that also cures aftershock). Indeed, it is, modulo the caveats for leasefile-ro Cheers, Simon. > > BTW, isn't that script executed as root only in --leasefile-ro mode, and > that without remote input in the environment? Oh nevermind, the script > always gets invoked from the dnsmasq process that doesn't drop privilege, > unless that new --dhcp-scriptuser option is active. Correct. > > On Fri, Sep 26, 2014 at 4:14 PM, Simon Kelley <si...@thekelleys.org.uk> > wrote: > >> This is just a heads-up that if you're using the --dhcp-script option in >> dnsmasq, and the script you're calling is being interpreted by bash, >> then you're affected by the shellshock bug. >> >> The bug allows execution of arbitrary code contained in the values of >> environment variables, and there are several variables in the >> environment inherited by the DHCP script whose values can be set >> directly by a DHCP client, so any DHCP client on your network (or >> elsewhere, if your firewall allows) can execute arbitrary shellcode, >> probably as root, with a simple DHCP request. >> >> The fix, of course, is to update bash. >> >> >> Cheers, >> >> Simon. >> >> _______________________________________________ >> Dnsmasq-discuss mailing list >> Dnsmasq-discuss@lists.thekelleys.org.uk >> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss >> > _______________________________________________ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
