Keith C. Perry on 26 Sep 2014 10:00:24 -0700
Re: [PLUG] 'Shellshock' Bug Spells Trouble for Web Security

Fred,

What are you envisioning as the attack vector from the client point of view? Is the concern that an infected DHCP server could craft an IP OFFER or ACK packet back to your client with an exploit?

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.
Owner, DAO Technologies LLC
(O) +1.215.525.4165 x2033
(M) +1.215.432.5167
www.daotechnologies.com

----- Original Message -----
From: "fred" <fred@bristle.com>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Sent: Friday, September 26, 2014 12:16:12 PM
Subject: Re: [PLUG] 'Shellshock' Bug Spells Trouble for Web Security

So, forget servers for a second. Let's talk clients (phones and laptops).

Does that mean my laptop and my Android phone are vulnerable (if their DHCP clients use bash) whenever I walk into a Wegmans, Starbucks, client site, computer conference, friend's house, etc., when their DHCP clients connect to the local wireless router?

That's a much bigger concern than the server issue. There are LOTS more clients than servers in the world, and almost all of them have sensitive data.

--Fred
------------------------------------------------------------------------
Fred Stluka -- mailto:fred@bristle.com -- http://bristle.com/~fred/
Bristle Software, Inc -- http://bristle.com -- Glad to be of service!
Open Source: Without walls and fences, we need no Windows or Gates.
------------------------------------------------------------------------

On 9/26/14 12:00 PM, Rich Freeman wrote:
> On Fri, Sep 26, 2014 at 11:52 AM, Matt Mossholder <matt@mossholder.com> wrote:
>> DHCP Clients do choose servers, but only from the set of servers that have
>> responded to a DHCP Discover request.
>>
>> The steps are:
>> 1) Client sends out a discover request. (DISCOVER)
> Sent to a broadcast address.
>
>> 2) All DHCP servers that receive the request will respond back (OFFER)
> Again, sent to a broadcast address.
>
>> 3) The client will choose a server to respond to, and ask for a lease.
>> (REQUEST)
> Again, sent to a broadcast address.
>
>> 4) The selected server replies back with a lease. (ACK)
> Or any other malicious server that wants to spoof the reply from the
> selected server could do so, having intercepted all the other traffic
> above.
>
> At least, that is how I read the spec. And of course ANY host on the
> network can respond to the initial discover even if they're following
> the rest of the spec.
>
> --
> Rich
> ___________________________________________________________________________
> Philadelphia Linux Users Group -- http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
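
Added example, not part of the original thread: a client-side audit of the DISCOVER/OFFER/REQUEST/ACK exchange quoted above, flagging OFFERs from servers outside an allowlist and ACKs that do not come from the sender of the selected OFFER. The event format, the function name `audit_dhcp` and all sample addresses are constructed for illustration.

```python
# Added example: all names and sample values below are constructed.
from collections import defaultdict

def audit_dhcp(events, trusted_servers):
    """Audit one client's observed DHCP messages; return [(xid, finding)].

    Each event is a dict with xid, type (DISCOVER/OFFER/REQUEST/ACK),
    src_mac, and server_id (DHCP option 54, absent on DISCOVER).
    """
    findings = []
    offers = defaultdict(dict)  # xid -> {server_id: MAC that sent the OFFER}
    requested = {}              # xid -> server_id the client selected
    for ev in events:
        xid, kind = ev["xid"], ev["type"]
        sid, mac = ev.get("server_id"), ev["src_mac"]
        if kind == "OFFER":
            # Any host that hears the broadcast DISCOVER can send an OFFER.
            if sid not in trusted_servers:
                findings.append((xid, f"OFFER from untrusted server {sid}"))
            offers[xid][sid] = mac
        elif kind == "REQUEST":
            requested[xid] = sid
        elif kind == "ACK":
            want = requested.get(xid)
            if want is None:
                findings.append((xid, f"ACK from {sid} with no REQUEST seen"))
            elif sid != want:
                findings.append((xid, f"ACK from {sid}, client requested {want}"))
            elif offers[xid].get(sid) not in (None, mac):
                # Right server identifier, but a different sender than the OFFER.
                findings.append((xid, f"ACK for {sid} sent from different MAC {mac}"))
    return findings

CLIENT, GOOD, ROGUE = "02:00:00:00:00:0c", "02:00:00:00:00:01", "02:00:00:00:00:66"
SAMPLE = [  # constructed exchange, documentation addresses (RFC 5737)
    {"xid": 0x1A2B, "type": "DISCOVER", "src_mac": CLIENT},
    {"xid": 0x1A2B, "type": "OFFER", "src_mac": GOOD, "server_id": "192.0.2.1"},
    {"xid": 0x1A2B, "type": "OFFER", "src_mac": ROGUE, "server_id": "192.0.2.66"},
    {"xid": 0x1A2B, "type": "REQUEST", "src_mac": CLIENT, "server_id": "192.0.2.1"},
    {"xid": 0x1A2B, "type": "ACK", "src_mac": ROGUE, "server_id": "192.0.2.1"},
]

if __name__ == "__main__":
    for xid, finding in audit_dhcp(SAMPLE, trusted_servers={"192.0.2.1"}):
        print(f"xid={xid:#x}: {finding}")
```

The MAC comparison is a heuristic, since a sender can forge its source address; switch-level DHCP snooping is the stronger control on networks you administer.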