Rich Freeman on 26 Sep 2014 10:34:47 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] 'Shellshock' Bug Spells Trouble for Web Security

On Fri, Sep 26, 2014 at 1:00 PM, Keith C. Perry
<> wrote:
> What are you envisioning as the attack vector from the client point of view?  Is the concern that
> an infected DHCP server could craft a IP OFFER or ACK packet back to your client with an exploit?

Keep in mind that an "infected DHCP server" could be any other client
on the network.  A "DHCP server" is just a program that responds to
DHCP DISCOVER/REQUEST packets.  Anybody on the network (including
wireless connections) could potentially send DHCP OFFER/ACK packets.

I don't know the details well enough to know exactly which
implementations are vulnerable, and under what conditions.

I doubt Android is vulnerable.  The only phone I'm aware of that ships
bash as part of the stock experience is the Oneplus One, and I'd be
shocked if it was used for DHCP (it isn't the default sh for

Linux desktops are the biggest risk here.  Distros that migrated to
dash are likely to be fairly safe unless they explicitly call bash in
their scripts/etc.  Some distros have their own ip-up scripts and such
that could be problematic, and there are a lot of different DHCP
client implementations.  I think networkd is probably OK, but not all
systemd distros use networkd I imagine (systemd is new, networkd is
even newer).

I'm curious as to whether ChromeOS is vulnerable.  It uses secure boot
so the most a process is going to be able to do is run something in
RAM - any tampering with the OS drive will just render it unbootable
on the next reboot.  I wouldn't be surprised if ChromeOS does run
something like dhclient though.

Bottom line is that I've patched everything I have but my phone.  I
don't run a server farm though.

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --