[Bug 1704682] [NEW] isc-dhcp-client gladly accepts and sets server options that were not requested

Alan Franzoni Sun, 16 Jul 2017 16:11:53 -0700

Public bug reported:

Operating System: Ubuntu 16.04 amd64, fully updated. isc-dhcp-client
package 4.3.3-5ubuntu12.7


I noticed this behaviour when trying a special setting (I didn't want to
accept the default gateway from my dhcp server). Even if I modify the
request setting by removing the routers, thus causing dhclient NOT to
send the 'Routers' option (option 3), my home router (Asus DSL-n66u)
sends everything it knows, including the default gateway.

But, from reading the documentation and various mailing lists, it seems
that the client should DISCARD options that were not requested. That
could even be a security vulnerability; a rogue DHCP server could break
much more havoc than expected, e.g. redirecting an host's default
gateway while the owner thought that was impossible.


dhclient.conf:
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;

send host-name = gethostname();
request subnet-mask, broadcast-address, time-offset,
        domain-name, domain-name-servers, domain-search, host-name,
        dhcp6.name-servers, dhcp6.domain-search, dhcp6.fqdn, dhcp6.sntp-servers,
        netbios-name-servers, netbios-scope, interface-mtu,
         ntp-servers;

interface "enp0s3" {
        request subnet-mask, broadcast-address;
}


tcpdump log:
00:45:48.691568 Out 08:00:27:4b:a4:c9 ethertype IPv4 (0x0800), length 344: (tos 
0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 
08:00:27:4b:a4:c9, length 300, xid 0xc9572a43, secs 3, Flags [none] (0x0000)
          Client-Ethernet-Address 08:00:27:4b:a4:c9
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Discover
            Requested-IP Option 50, length 4: 172.20.20.92
            Hostname Option 12, length 8: "bitbuntu"
            Parameter-Request Option 55, length 2:
              Subnet-Mask, BR
        0x0000:  4510 0148 0000 0000 8011 3996 0000 0000  E..H......9.....
        0x0010:  ffff ffff 0044 0043 0134 f56e 0101 0600  .....D.C.4.n....
        0x0020:  c957 2a43 0003 0000 0000 0000 0000 0000  .W*C............
        0x0030:  0000 0000 0000 0000 0800 274b a4c9 0000  ..........'K....
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0060:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0070:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0080:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0090:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00a0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00b0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00c0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00d0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00e0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00f0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0100:  0000 0000 0000 0000 6382 5363 3501 0132  ........c.Sc5..2
        0x0110:  04ac 1414 5c0c 0862 6974 6275 6e74 7537  ....\..bitbuntu7
        0x0120:  0201 1cff 0000 0000 0000 0000 0000 0000  ................
        0x0130:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0140:  0000 0000 0000 0000                      ........
00:45:48.691583   B 08:00:27:4b:a4:c9 ethertype IPv4 (0x0800), length 344: (tos 
0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 
08:00:27:4b:a4:c9, length 300, xid 0xc9572a43, secs 3, Flags [none] (0x0000)
          Client-Ethernet-Address 08:00:27:4b:a4:c9
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Discover
            Requested-IP Option 50, length 4: 172.20.20.92
            Hostname Option 12, length 8: "bitbuntu"
            Parameter-Request Option 55, length 2:
              Subnet-Mask, BR
        0x0000:  4510 0148 0000 0000 8011 3996 0000 0000  E..H......9.....
        0x0010:  ffff ffff 0044 0043 0134 f56e 0101 0600  .....D.C.4.n....
        0x0020:  c957 2a43 0003 0000 0000 0000 0000 0000  .W*C............
        0x0030:  0000 0000 0000 0000 0800 274b a4c9 0000  ..........'K....
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0060:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0070:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0080:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0090:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00a0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00b0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00c0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00d0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00e0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00f0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0100:  0000 0000 0000 0000 6382 5363 3501 0132  ........c.Sc5..2
        0x0110:  04ac 1414 5c0c 0862 6974 6275 6e74 7537  ....\..bitbuntu7
        0x0120:  0201 1cff 0000 0000 0000 0000 0000 0000  ................
        0x0130:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0140:  0000 0000 0000 0000                      ........
00:45:48.758076   P e0:3f:49:4b:3c:a0 ethertype IPv4 (0x0800), length 592: (tos 
0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 576)
    172.20.20.1.67 > 172.20.20.92.68: [udp sum ok] BOOTP/DHCP, Reply, length 
548, xid 0xc9572a43, Flags [none] (0x0000)
          Your-IP 172.20.20.92
          Client-Ethernet-Address 08:00:27:4b:a4:c9
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Offer
            Server-ID Option 54, length 4: 172.20.20.1
            Lease-Time Option 51, length 4: 86400
            Subnet-Mask Option 1, length 4: 255.255.255.0
            Default-Gateway Option 3, length 4: 172.20.20.1
            Domain-Name-Server Option 6, length 4: 172.20.20.1
        0x0000:  4500 0240 0000 0000 4011 f827 ac14 1401  E..@....@..'....
        0x0010:  ac14 145c 0043 0044 022c 237e 0201 0600  ...\.C.D.,#~....
        0x0020:  c957 2a43 0000 0000 0000 0000 ac14 145c  .W*C...........\
        0x0030:  0000 0000 0000 0000 0800 274b a4c9 0000  ..........'K....
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0060:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0070:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0080:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0090:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00a0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00b0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00c0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00d0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00e0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00f0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0100:  0000 0000 0000 0000 6382 5363 3501 0236  ........c.Sc5..6
        0x0110:  04ac 1414 0133 0400 0151 8001 04ff ffff  .....3...Q......
        0x0120:  0003 04ac 1414 0106 04ac 1414 01ff 0000  ................
        0x0130:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0140:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0150:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0160:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0170:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0180:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0190:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x01a0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x01b0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x01c0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x01d0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x01e0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x01f0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0200:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0210:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0220:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0230:  0000 0000 0000 0000 0000 0000 0000 0000  ................
00:45:48.759186 Out 08:00:27:4b:a4:c9 ethertype IPv4 (0x0800), length 344: (tos 
0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 
08:00:27:4b:a4:c9, length 300, xid 0xc9572a43, secs 3, Flags [none] (0x0000)
          Client-Ethernet-Address 08:00:27:4b:a4:c9
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Request
            Server-ID Option 54, length 4: 172.20.20.1
            Requested-IP Option 50, length 4: 172.20.20.92
            Hostname Option 12, length 8: "bitbuntu"
            Parameter-Request Option 55, length 2:
              Subnet-Mask, BR
        0x0000:  4510 0148 0000 0000 8011 3996 0000 0000  E..H......9.....
        0x0010:  ffff ffff 0044 0043 0134 d978 0101 0600  .....D.C.4.x....
        0x0020:  c957 2a43 0003 0000 0000 0000 0000 0000  .W*C............
        0x0030:  0000 0000 0000 0000 0800 274b a4c9 0000  ..........'K....
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0060:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0070:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0080:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0090:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00a0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00b0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00c0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00d0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00e0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00f0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0100:  0000 0000 0000 0000 6382 5363 3501 0336  ........c.Sc5..6
        0x0110:  04ac 1414 0132 04ac 1414 5c0c 0862 6974  .....2....\..bit
        0x0120:  6275 6e74 7537 0201 1cff 0000 0000 0000  buntu7..........
        0x0130:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0140:  0000 0000 0000 0000                      ........
00:45:48.759195   B 08:00:27:4b:a4:c9 ethertype IPv4 (0x0800), length 344: (tos 
0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 
08:00:27:4b:a4:c9, length 300, xid 0xc9572a43, secs 3, Flags [none] (0x0000)
          Client-Ethernet-Address 08:00:27:4b:a4:c9
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Request
            Server-ID Option 54, length 4: 172.20.20.1
            Requested-IP Option 50, length 4: 172.20.20.92
            Hostname Option 12, length 8: "bitbuntu"
            Parameter-Request Option 55, length 2:
              Subnet-Mask, BR
        0x0000:  4510 0148 0000 0000 8011 3996 0000 0000  E..H......9.....
        0x0010:  ffff ffff 0044 0043 0134 d978 0101 0600  .....D.C.4.x....
        0x0020:  c957 2a43 0003 0000 0000 0000 0000 0000  .W*C............
        0x0030:  0000 0000 0000 0000 0800 274b a4c9 0000  ..........'K....
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0060:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0070:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0080:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0090:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00a0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00b0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00c0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00d0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00e0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00f0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0100:  0000 0000 0000 0000 6382 5363 3501 0336  ........c.Sc5..6
        0x0110:  04ac 1414 0132 04ac 1414 5c0c 0862 6974  .....2....\..bit
        0x0120:  6275 6e74 7537 0201 1cff 0000 0000 0000  buntu7..........
        0x0130:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0140:  0000 0000 0000 0000                      ........
00:45:48.867646   P e0:3f:49:4b:3c:a0 ethertype IPv4 (0x0800), length 592: (tos 
0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 576)
    172.20.20.1.67 > 172.20.20.92.68: [udp sum ok] BOOTP/DHCP, Reply, length 
548, xid 0xc9572a43, Flags [none] (0x0000)
          Your-IP 172.20.20.92
          Client-Ethernet-Address 08:00:27:4b:a4:c9
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: ACK
            Server-ID Option 54, length 4: 172.20.20.1
            Lease-Time Option 51, length 4: 86400
            Subnet-Mask Option 1, length 4: 255.255.255.0
            Default-Gateway Option 3, length 4: 172.20.20.1
            Domain-Name-Server Option 6, length 4: 172.20.20.1
        0x0000:  4500 0240 0000 0000 4011 f827 ac14 1401  E..@....@..'....
        0x0010:  ac14 145c 0043 0044 022c 207e 0201 0600  ...\.C.D.,.~....
        0x0020:  c957 2a43 0000 0000 0000 0000 ac14 145c  .W*C...........\
        0x0030:  0000 0000 0000 0000 0800 274b a4c9 0000  ..........'K....
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0060:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0070:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0080:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0090:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00a0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00b0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00c0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00d0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00e0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00f0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0100:  0000 0000 0000 0000 6382 5363 3501 0536  ........c.Sc5..6
        0x0110:  04ac 1414 0133 0400 0151 8001 04ff ffff  .....3...Q......
        0x0120:  0003 04ac 1414 0106 04ac 1414 01ff 0000  ................
        0x0130:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0140:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0150:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0160:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0170:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0180:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0190:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x01a0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x01b0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x01c0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x01d0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x01e0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x01f0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0200:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0210:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0220:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0230:  0000 0000 0000 0000 0000 0000 0000 0000  ................

** Affects: isc-dhcp (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1704682

Title:
  isc-dhcp-client gladly accepts and sets server options that were not
  requested

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1704682/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1704682] [NEW] isc-dhcp-client gladly accepts and sets server options that were not requested

Reply via email to