DHCP client allows shell command injection
The Internet System Consortium's (ISC) open source DHCP client (dhclient) allows DHCP servers to inject commands which could allow an attacker to obtain root privileges. The problem is caused by incorrect filtering of metadata in server response fields. By using crafted host names, and depending on the operating system and what further processing is performed by dhclient-script, it can allow commands to be passed to the shell and executed. A successful attack does, however, require there to be an unauthorised or compromised DHCP server on the local network.
Dhclient versions 3.0.x to 4.2.x are affected. The ISC has released an update. Alternatively, users can deactivate host name evaluation or add an additional line to dhclient-script. Instructions for doing so can be found in the ISC's advisory.
Alongside dhclient-script, X.org's 'X server resource database utility' (xrdb) is also affected, as it also evaluates host names transferred via DHCP. Crafted host names can also prove the undoing of X.Org servers where the X Display Manager Control Protocol (XDMCP) is used. Updating to xrdb 1.0.9 fixes the vulnerabilities. Some Linux distributors are already distributing new packages.
Source for DHCP is available to download (direct download), under the terms of the ISC License, a BSD-style licence.