The Bash vulnerability known as Shellshock can be exploited via several attack surfaces including web applications, DHCP, SIP, and SMTP. With multiple proofs of concept (including Metasploit code) available in the public domain, this vulnerability is being heavily exploited.
Most discussion of Shellshock attacks have focused on attacks on web apps. There has been relatively little discussion on on other surfaces like DHCP, SMTP, and CUPS. In this post, we’ll tackle Shellshock exploits over the DHCP protocol. These techniques could be used by an attacker to compromise more machines within the network.
Dynamic Host Configuration Protocol (DHCP) is a protocol used to dynamically distribute and assign network configuration settings, such as IP addresses. An attacker can configure a compromised DHCP server or create a rogue DHCP server to send malicious information to the DHCP client. Either technique means that the attacker has already compromised the network using other attack vectors.
Figure 1. Traffic flow depicting the malicious response to DHCP client
In addition to standard fields, the DHCP server can provide option fields (identified with a number). In this case, the malicious server sends the commands via option 114, which contains the malicious commands.
Figure 2. DHCP Server using Tftpf32. An additional option URL (114) is configured to send the malicious payload.
Figure 3. The malicious payload in the URL field
The malicious string when received by the DHCP client running on vulnerable BASH results in arbitrary code execution as shown below. As such this could result in compromising other systems in the network.
Figure 4. Code execution on the DHCP client due to the malicious response
This attack vector against DHCP client running on vulnerable bash is very much discussed in the public domain. However, DCHP also has other fields which are always present in each DHCP OFFER and ACK response. The DHCP server may optionally send its name in the Server Host Name field in the DHCP response. This field can also be used to run malicious code, as seen below.
Figure 5. Malicious payload in the server hostname field
Figure 6. Code execution on the DHCP client due to the malicious response
Boot filename is another field present in the DHCP OFFER and ACK responses. Clients may optionally request a boot file and the server specifies the boot file directory path and file name in its response. When an attacker configures malicious string here, it can result in code execution as seen below.
Figure 7. Malicious payload in the Boot file name field
Figure 8. Code execution on the DHCP client due to the malicious response
Various techniques can be used to to exploit Shellshock over DHCP, as we showed here. For exploitation using this attack vector, however, the attacker should already have a foothold in the network using other exploitation techniques.
Since the emergence of Shellshock vulnerability, Trend Micro Deep Security has been swift in protecting users from attacks that may arise of the said vulnerability. Trend Micro Deep Security has protected customers from Shellshock vulnerability over DHCP protocol as early as during its initial discovery via the following rule:
- 1006258 – GNU Bash Remote Code Execution Vulnerability Over DHCP
For more information on Bash bug vulnerability or Shellshock exploit, you can read all previous entries here: