Bash Bug Saga Continues: Shellshock Exploit Via DHCP

The Bash vulnerability known as Shellshock can be exploited via several attack surfaces including web applications, DHCP, SIP, and SMTP. With multiple proofs of concept (including Metasploit code) available in the public domain, this vulnerability is being heavily exploited.

Most discussion of Shellshock attacks has focused on attacks on web apps. There has been relatively little discussion of other surfaces like DHCP, SMTP, and CUPS. In this post, we'll tackle Shellshock exploits over the DHCP protocol. These techniques could be used by an attacker to compromise more machines within the network.

Dynamic Host Configuration Protocol (DHCP) is a protocol used to dynamically distribute and assign network configuration settings, such as IP addresses. An attacker can configure a compromised DHCP server or create a rogue DHCP server to send malicious information to the DHCP client. Either technique means that the attacker has already compromised the network using other attack vectors.

Figure 1. Traffic flow depicting the malicious response to DHCP client

In addition to the standard fields, the DHCP server can provide option fields, each identified by a number. In this case, the malicious server delivers its commands in option 114.

Figure 2. DHCP server using Tftpd32. An additional option URL (114) is configured to send the malicious payload.

Figure 3. The malicious payload in the URL field

When the malicious string is received by a DHCP client running on a vulnerable version of Bash, it results in arbitrary code execution, as shown below. This could in turn lead to the compromise of other systems in the network.

Figure 4. Code execution on the DHCP client due to the malicious response

This attack vector against DHCP clients running on vulnerable Bash has been widely discussed in the public domain. However, DHCP also has other fields which are always present in each DHCP OFFER and ACK response. The DHCP server may optionally send its name in the Server Host Name field in the DHCP response. This field can also be used to run malicious code, as seen below.

Figure 5. Malicious payload in the server hostname field

Figure 6. Code execution on the DHCP client due to the malicious response

Boot filename is another field present in the DHCP OFFER and ACK responses. Clients may optionally request a boot file, and the server specifies the boot file directory path and file name in its response. When an attacker configures a malicious string here, it can result in code execution, as seen below.

Figure 7. Malicious payload in the Boot file name field

Figure 8. Code execution on the DHCP client due to the malicious response
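
A defender's check for the three carriers described above (option fields such as 114, the Server Host Name field, and the Boot file name field), added here as an example and not taken from the original post: it walks a raw DHCP payload and reports every field that contains the Bash function-definition prefix `() {`. The function names and the sample replies are constructed for illustration.

```python
import re

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # precedes the option list at offset 236
# Prefix of a Bash function definition, "() {", which vulnerable Bash
# versions act on when an environment value begins with it. The check
# below searches for it anywhere in a field, to be conservative.
FUNC_DEF = re.compile(rb"\(\)\s*\{")

def dhcp_fields(payload: bytes):
    """Yield (name, raw bytes) for sname, file and each DHCP option."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    yield "sname", payload[44:108]     # Server Host Name, 64 bytes
    yield "file", payload[108:236]     # Boot file name, 128 bytes
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                # End option
            break
        if code == 0:                  # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break                      # truncated option header
        length = payload[i + 1]
        yield f"option {code}", payload[i + 2:i + 2 + length]
        i += 2 + length

def suspicious_fields(payload: bytes):
    """Return names of fields that carry a function-definition prefix."""
    return [name for name, value in dhcp_fields(payload)
            if FUNC_DEF.search(value)]

def build_reply(sname=b"", file=b"", options=b""):
    """Constructed sample: minimal BOOTREPLY (DHCP OFFER) with given fields."""
    header = bytes([2, 1, 6, 0]) + bytes(40)   # op, htype, hlen, hops; rest zeroed
    return (header + sname.ljust(64, b"\0") + file.ljust(128, b"\0")
            + MAGIC_COOKIE + b"\x35\x01\x02" + options + b"\xff")

def option(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value

MARKER = b"() { :; }; echo constructed-sample"   # constructed, harmless
if __name__ == "__main__":
    for reply in (build_reply(b"dhcp01", b"pxelinux.0"),
                  build_reply(options=option(114, MARKER)),
                  build_reply(sname=MARKER, file=MARKER)):
        print(suspicious_fields(reply) or "clean")
```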

Various techniques can be used to exploit Shellshock over DHCP, as we showed here. For exploitation using this attack vector, however, the attacker should already have a foothold in the network using other exploitation techniques.

Since the emergence of the Shellshock vulnerability, Trend Micro Deep Security has been swift in protecting users from attacks that may arise from it. Trend Micro Deep Security has protected customers from Shellshock exploitation over the DHCP protocol since as early as its initial discovery via the following rule:

  • 1006258 – GNU Bash Remote Code Execution Vulnerability Over DHCP

For more information on the Bash bug vulnerability or the Shellshock exploit, you can read all previous entries here:

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 9. October 2014, content source with full text you can find at link above.