Saturday, August 2, 2008

DHCP Script Injection

Very cool paper and demo over at MWR InfoSecurity on DHCP Script Injection.

The paper covers attacking the pfSense admin interface by injecting script into the DHCP hostname field. Because the admin interface runs as root, your code is executed as root. The demo also uses a CSRF attack to change the password, but I think it's far more interesting to be able to inject script into the interface and run with all the exploitation options available there. They also released the tool to do it.

Full Paper
http://www.mwrinfosecurity.com/publications/mwri_behind-enemy-lines_2008-07-25.pdf

Paper on the DHCP Script Injection
http://www.mwrinfosecurity.com/publications/mwri_pfsense-dhcp-script-injection_2008-07-28.pdf

Demo
http://www.mwrinfosecurity.com/publications/pfsense.htm
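The underlying flaw is that a client-chosen DHCP hostname reaches an admin web page unfiltered. The sketch below is an added example, not code from the paper or from pfSense: it validates hostnames against RFC 1123 and HTML-escapes them before rendering a lease table. The ISC dhcpd.leases-style input, the sample leases and all function names are assumptions made for illustration.

```python
import html
import re

# RFC 1123 label: letters, digits, hyphen; 1-63 chars; no leading/trailing hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# Constructed sample in ISC dhcpd.leases style (assumed format, not from the paper).
SAMPLE_LEASES = '''\
lease 192.0.2.10 {
  client-hostname "printer-2";
}
lease 192.0.2.11 {
  client-hostname "<script>alert(1)</script>";
}
'''

def is_valid_hostname(name):
    """True only if every dot-separated label is a legal RFC 1123 label."""
    if not name or len(name) > 253:
        return False
    return all(LABEL.fullmatch(label) for label in name.rstrip(".").split("."))

def parse_leases(text):
    """Return [(ip, hostname)] from leases text; hostname is '' if absent."""
    leases, ip, host = [], None, ""
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"lease\s+(\S+)\s*\{", line):
            ip, host = m.group(1), ""
        elif ip and (m := re.fullmatch(r'client-hostname\s+"(.*)";', line)):
            host = m.group(1)
        elif ip and line == "}":
            leases.append((ip, host))
            ip = None
    return leases

def render_row(ip, hostname):
    """Build one table row; client-supplied text is flagged if invalid and always escaped."""
    if hostname and not is_valid_hostname(hostname):
        hostname = "[rejected] " + hostname
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(ip, quote=True), html.escape(hostname, quote=True))

def render_table(text):
    """Render every lease in the text as escaped HTML rows."""
    return "\n".join(render_row(ip, h) for ip, h in parse_leases(text))

if __name__ == "__main__":
    print(render_table(SAMPLE_LEASES))
```

Escaping is applied even to names that pass validation, so the page stays safe if the validation rule is later loosened.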

1 comment:

  1. I found more interesting the SSID Script Injection Attack as access to the LAN where the affected device is located is not required.

    http://usefulfor.com/security/2008/08/04/ssid-script-injection/
