by LeoPanthera 4288 days ago
It's hard, but not impossible. Apparently your DHCP client passes responses from the DHCP server to bash.

Let's say, for the sake of argument, that your ISP's DHCP server is compromised. A worm could then spread to your system from it.

This is entirely hypothetical, but not impossible.

3 comments

What responses does it pass? Does it not sanitise them? Can anyone link to details of what DHCP does that's relevant here? Thanks.

Looking at http://code.metager.de/source/xref/isc-dhcp-debian/client/dh...

It seems that server_name from the DHCP response is passed to an environment variable without sanitising.

  if (check_option_values(NULL, DHO_HOST_NAME,
                          lease->server_name,
                          strlen(lease->server_name)) == 0 ) {
          client_envadd (client, prefix, "server_name",
                         "%s", lease->server_name);

And the script that is run after that (dhclient-script) is written in bash, at least on Debian.

check_option_values() actually checks DHO_HOST_NAME to be only alphanumeric and '.':

See code here: http://lists.alioth.debian.org/pipermail/pkg-dhcp-commits/20...
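
Added example, not part of the thread and not ISC dhclient code: a minimal C sketch of the allowlist idea discussed above, where a server-supplied value is exported as an environment entry only if every byte is alphanumeric or '.'. The names value_is_hostname_safe and env_add_checked, the 255-byte limit, and the sample values are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not ISC dhclient code): accept a server-supplied
 * value only if it is non-empty, at most 255 bytes (assumed limit), and
 * every byte is ASCII alphanumeric or '.', the rule described in the thread.
 * Checking all len bytes also rejects embedded NULs and control bytes. */
static int value_is_hostname_safe(const char *val, size_t len)
{
    if (val == NULL || len == 0 || len > 255)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)val[i];
        if (!(c < 0x80 && (isalnum(c) || c == '.')))
            return 0;
    }
    return 1;
}

/* Format "<prefix><name>=<value>" into out only when the value passes the
 * allowlist. Returns 1 if written, 0 if rejected or if out is too small. */
static int env_add_checked(char *out, size_t outsz, const char *prefix,
                           const char *name, const char *val, size_t len)
{
    if (!value_is_hostname_safe(val, len))
        return 0;
    int n = snprintf(out, outsz, "%s%s=%.*s", prefix, name, (int)len, val);
    return n > 0 && (size_t)n < outsz;
}

int main(void)
{
    /* Constructed sample values standing in for fields of a DHCP lease. */
    const char *samples[] = { "dhcp1.example.net", "host name", "a;b", "" };
    char env[300];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = env_add_checked(env, sizeof env, "new_", "server_name",
                                 samples[i], strlen(samples[i]));
        printf("%-20s -> %s\n", samples[i], ok ? env : "(rejected)");
    }
    return 0;
}
```

The point of validating before export is that the script run afterwards never sees a value outside the allowlist, regardless of which shell interprets it.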

To bash? Or to /bin/sh? Or the user shell? On Ubuntu you are fine unless it explicitly calls bash or (unlikely) uses the user shell.

Ouch, what a mess. Thanks for the warning.