How Shellshock can be exploited over DHCP
Attacks exploiting the Shellshock vulnerability (actually, vulnerabilities) are popping up daily, but while Shellshock attacks on web apps have been the most documented and discussed, attacks via other attack surfaces are possible, too.
Shellshock exploits can be executed over a number of application layer protocols, including Simple Mail Transfer Protocol (SMTP), Session Initiation Protocol (SIP), and Dynamic Host Configuration Protocol (DHCP).
In attacks using the latter, an attacker must first compromise and reconfigure a legitimate DHCP server or create a rogue one to send malicious information to the DHCP client in response to a request.
An interaction (for example, an IP address request) between the DHCP client and the DHCP server looks like this:
The client sends out a DHCP discovery message. An authoritative DHCP server receives the message, reserves an IP address, and makes a lease offer to the client via a DHCP offer message. The client replies with a DHCP request for the offered address. The server finally returns a DHCP acknowledgement message, which holds configuration information for the client.
“In addition to standard fields, the DHCP server can provide option fields (identified with a number). In this case, the malicious server sends the commands via option 114, which contains the malicious commands,” Trend Micro vulnerability researcher Akash Sharda explained in a blog post.
“The malicious string, when received by the DHCP client running on vulnerable BASH, results in arbitrary code execution.”
Other fields in the offer and acknowledgement messages – for example, the server hostname field, or the boot filename field – can also be used to run malicious code via a specially crafted string.
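To make the exchange and the attack surface above concrete from the defender's side, here is an added example (not from the article or from Trend Micro) of a small DHCP message parser that inspects the server hostname (sname) and boot filename (file) header fields as well as every option value, including option 114, for the function-definition prefix that Shellshock payloads begin with. The two packets it runs over are constructed in the script: a benign DHCPACK and one carrying the harmless standard Shellshock check string; the transaction ID, addresses and MAC are made-up values.

```python
import re
import struct

# Shellshock payloads start with a bash function definition "() {" followed by
# trailing commands; matching that prefix is enough for detection purposes.
SHELLSHOCK_RE = re.compile(rb"\(\s*\)\s*\{")

DHCP_MAGIC = b"\x63\x82\x53\x63"
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 236 bytes


def parse_dhcp(packet):
    """Split a raw DHCP message into header fields and a {code: [value, ...]} option map."""
    if len(packet) < HEADER_LEN + 4:
        raise ValueError("packet too short for DHCP")
    (op, _htype, _hlen, _hops, xid, _secs, _flags, _ciaddr, _yiaddr, _siaddr,
     _giaddr, _chaddr, sname, file_) = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if packet[HEADER_LEN:HEADER_LEN + 4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options = {}
    i = HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == 0:        # pad option, no length byte
            i += 1
            continue
        if code == 255:      # end option
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options.setdefault(code, []).append(value)
        i += 2 + length
    return {"op": op, "xid": xid, "sname": sname, "file": file_}, options


def find_shellshock(packet):
    """Return [(location, value), ...] for every field that carries a Shellshock-style string."""
    fields, options = parse_dhcp(packet)
    hits = []
    for name in ("sname", "file"):
        raw = fields[name].rstrip(b"\x00")
        if SHELLSHOCK_RE.search(raw):
            hits.append((name, raw))
    for code, values in options.items():
        for value in values:
            if SHELLSHOCK_RE.search(value):
                hits.append((f"option {code}", value))
    return hits


def build_ack(options, sname=b"", file_=b""):
    """Constructed DHCPACK for testing; xid, addresses and MAC are made-up values."""
    header = struct.pack(
        HEADER_FMT, 2, 1, 6, 0, 0x3903F326, 0, 0,
        b"\0" * 4, bytes([192, 168, 1, 50]), bytes([192, 168, 1, 1]), b"\0" * 4,
        b"\x00\x11\x22\x33\x44\x55".ljust(16, b"\0"),
        sname.ljust(64, b"\0"), file_.ljust(128, b"\0"))
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + DHCP_MAGIC + body + b"\xff"


# Constructed samples: option 53=5 marks a DHCPACK, option 54 is the server identifier.
BENIGN_ACK = build_ack([(53, b"\x05"), (54, bytes([192, 168, 1, 1])),
                        (114, b"http://portal.example.invalid/")])
# The standard Shellshock check string: the "() {" prefix is what matters, the command is harmless.
SUSPICIOUS_ACK = build_ack([(53, b"\x05"), (54, bytes([192, 168, 1, 1])),
                            (114, b"() { :;}; echo constructed-marker")],
                           sname=b"() { :;}; echo sname-marker")

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN_ACK), ("suspicious", SUSPICIOUS_ACK)):
        print(label, find_shellshock(pkt))
```

The same check can be applied to DHCPOFFER messages, since the article notes that offer and acknowledgement messages alike carry the sname, file and option fields; a client-side mitigation is simply to patch bash, because the DHCP client scripts that export these values into the environment are only dangerous when the shell interpreting them is vulnerable.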
By using these techniques, the attacker can compromise machine after machine in the network. But to compromise a DHCP server or create a rogue one, he or she first has to find a way into the network by other means.