A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP (Dynamic Host Configuration Protocol) options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are improperly handled and written into temporary shell scripts without proper escaping, leading to command injection. This allows the attacker to achieve root code execution within the initramfs, potentially compromising the system's boot and network behavior.
AI_ONLY_REPORT
package: RHEL_base/dracut-107-4.el10
[Security] Command Injection via DHCP Options in dhclient-script.sh
Hello dracut maintainers,
We believe that we have discovered a potential security vulnerability in this repository: command injection in the legacy DHCP path (`modules.d/35network-legacy/dhclient-script.sh`), leading to root code execution in initramfs.
Vulnerability details
DHCP-provided values are written into temporary shell scripts and later sourced as root, without safe shell escaping.
```sh
modules.d/35network-legacy/dhclient-script.sh
[ -n "$hostname" ] && echo "echo ${hostname%."$domain"}${domain:+.$domain} > /proc/sys/kernel/hostname" > /tmp/net."$netif".hostname
...
echo ip route replace default via "$main_gw" dev "$netif" >> /tmp/net."$netif".gw
...
echo "/sbin/ip route replace $temp_result"
```
These generated files are then sourced:
```sh
modules.d/45net-lib/net-lib.sh
[ -e /tmp/net."$netif".hostname ] && . /tmp/net."$netif".hostname
[ -e /tmp/dhclient."$netif".dhcpopts ] && . /tmp/dhclient."$netif".dhcpopts
[ -e /tmp/net."$netif".gw ] && . /tmp/net."$netif".gw
```
And initqueue jobs are sourced as shell code:
```sh
modules.d/99base/init.sh
for job in "$hookdir"/initqueue/*.sh; do
job=$job . "$job"
done
```
A malicious DHCP server on the same broadcast domain can supply a `host-name` (and potentially routing-related values, such as the gateway written to the `.gw` file and the classless static routes handled by `parse_option_121`) containing shell metacharacters; these are persisted into the generated scripts and executed as root when those scripts are sourced.
Relevant CWEs:
CWE-78: Improper Neutralization of Special Elements used in an OS Command.
CWE-94: Improper Control of Generation of Code (dynamic shell script generation from untrusted input).
Reproduction steps
1. Build an initramfs whose boot path uses `35network-legacy` and `dhclient` (boot with `ip=dhcp rd.neednet=1`).
2. On the same L2 segment, run a DHCP server that returns a malicious host-name, for example:
`host-name = "pwn; touch /tmp/dracut_poc #"`
3. Boot the target so DHCP reaches `BOUND`.
4. Observe generated script content (in initramfs shell):
`/tmp/net.<iface>.hostname` contains injected shell syntax.
5. Wait for `setup_net` / initqueue processing; verify `/tmp/dracut_poc` exists, proving command execution as root.
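The write-then-source pattern described under "Vulnerability details" and the `host-name` PoC in the reproduction steps, as an added example that is neither dracut's code nor part of this report: it models the vulnerable snippet generator, shows that sourcing the generated file runs the injected command, and contrasts it with a POSIX-sh hardening (allow-list validation plus single-quoting, which works in dash and busybox sh where bash's `printf %q` does not). The scratch paths standing in for `/proc/sys/kernel/hostname` and `/tmp/dracut_poc`, and the `gen_hostname_vuln`, `gen_hostname_safe`, `shquote`, `valid_hostname` and `injected_by_sourcing` helpers, are assumptions of the example.

```shell
#!/bin/sh
# Added example, not dracut code: models the "write a shell snippet now, source
# it as root later" pattern from dhclient-script.sh / net-lib.sh against a
# constructed malicious DHCP host-name, then shows a POSIX-sh hardening that
# does not rely on bash's printf %q.
# Assumptions (not from the report): $KHOST stands in for
# /proc/sys/kernel/hostname and $MARKER for /tmp/dracut_poc, so the demo runs
# unprivileged inside a scratch directory.

WORK=$(mktemp -d)
KHOST="$WORK/kernel_hostname"
MARKER="$WORK/dracut_poc"

# Vulnerable generator: the same unquoted interpolation as the report's
# /tmp/net.$netif.hostname line, with the kernel path swapped for $KHOST.
gen_hostname_vuln() {
    # $1 hostname, $2 domain, $3 output snippet path
    [ -n "$1" ] && echo "echo ${1%."$2"}${2:+.$2} > $KHOST" > "$3"
}

# POSIX single-quoting: wrap in '...' and replace each embedded ' with '\''.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Allow-list check: letters, digits, '.' and '-'; no leading '-' or '.',
# no trailing '.', at most 253 characters (RFC 1123 shape, simplified).
valid_hostname() {
    case $1 in
        '' | *[!A-Za-z0-9.-]* | -* | .* | *.) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# Hardened generator: validate first, then emit a single-quoted literal.
# Refusing to write the snippet at all is the safe failure mode.
gen_hostname_safe() {
    fqdn="${1%."$2"}${2:+.$2}"
    if ! valid_hostname "$fqdn"; then
        printf 'rejecting DHCP host-name %s\n' "$(shquote "$fqdn")" >&2
        rm -f "$3"
        return 1
    fi
    printf 'echo %s > %s\n' "$(shquote "$fqdn")" "$(shquote "$KHOST")" > "$3"
}

# Consumer: the net-lib.sh pattern '[ -e f ] && . f'. Returns 0 if sourcing
# the snippet ran the injected command (the marker file appeared).
injected_by_sourcing() {
    rm -f "$MARKER" "$KHOST"
    [ -e "$1" ] && . "$1" > /dev/null 2>&1
    [ -e "$MARKER" ]
}

# Constructed attacker value, shaped like the report's PoC host-name.
EVIL="pwn; touch $MARKER #"

demo() {
    gen_hostname_vuln "$EVIL" "" "$WORK/net.eth0.hostname.vuln"
    if injected_by_sourcing "$WORK/net.eth0.hostname.vuln"; then
        echo "vulnerable snippet: injected command ran as the sourcing user"
    fi
    gen_hostname_safe "$EVIL" "" "$WORK/net.eth0.hostname.safe" \
        || echo "hardened: host-name rejected, no snippet written"
    gen_hostname_safe "host" "example.net" "$WORK/net.eth0.hostname.ok"
    if ! injected_by_sourcing "$WORK/net.eth0.hostname.ok"; then
        echo "hardened: benign host-name applied: $(cat "$KHOST")"
    fi
}
demo
```

Validation is deliberately placed before quoting: quoting alone would still hand an arbitrary string to the kernel hostname sysctl, whereas rejecting anything outside the hostname character set removes the attacker's control over the generated line entirely, and the quoting then only guards against future mistakes.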
Proposed fix (example patch)
```diff
diff --git a/modules.d/35network-legacy/dhclient-script.sh b/modules.d/35network-legacy/dhclient-script.sh
@@ -72,7 +72,10 @@ setup_interface() {
[ -n "$hostname" ] && echo "echo ${hostname%."$domain"}${domain:+.$domain} > /proc/sys/kernel/hostname" > /tmp/net."$netif".hostname
+ if [ -n "$hostname" ]; then
+ safe_hostname=$(printf '%s' "${hostname%."$domain"}${domain:+.$domain}")
+ printf 'echo %q > /proc/sys/kernel/hostname\n' "$safe_hostname" > /tmp/net."$netif".hostname
+ fi
@@ -54,7 +57,7 @@ setup_interface() {
echo ip route replace default via "$main_gw" dev "$netif" >> /tmp/net."$netif".gw
+ printf 'ip route replace default via %q dev %q\n' "$main_gw" "$netif" >> /tmp/net."$netif".gw
if [ -n "$other_gw" ]; then
for g in $other_gw; do
echo ip route add default via "$g" dev "$netif" >> /tmp/net."$netif".gw
+ printf 'ip route add default via %q dev %q\n' "$g" "$netif" >> /tmp/net."$netif".gw
done
fi
@@ -159,7 +162,7 @@ parse_option_121() {
echo "/sbin/ip route replace $temp_result"
+ printf '/sbin/ip route replace %q\n' "$temp_result"
done
}
```
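Review bot: in the `@@ -72,7 +72,10 @@` hunk the original `[ -n "$hostname" ] && echo "echo ${hostname%."$domain"}... > /tmp/net."$netif".hostname` line is shown as unchanged context instead of being removed with a `-` marker, so applying the patch as written keeps the unescaped `echo` alongside the new `printf` and the injection remains. Two further points on the replacement: `printf '%q'` is a bash extension, and since these scripts run as `#!/bin/sh` in the initramfs it is not available in dash or busybox sh; and `safe_hostname=$(printf '%s' "...")` is just an assignment, so `safe_hostname="${hostname%."$domain"}${domain:+.$domain}"` reads more clearly. Consider validating the value against the hostname character set (letters, digits, `.` and `-`) and skipping the file when it fails, since a quoted but arbitrary string would still be written to `/proc/sys/kernel/hostname`.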
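Review bot: the `@@ -54,7 +57,7 @@` hunk has the same problem, both `echo ip route ... >> /tmp/net."$netif".gw` lines are kept as context rather than removed with `-`, so both the old and the new line would be emitted; the header's `7` / `7` counts also do not match a body that adds two lines and removes none. This hunk sits after the `@@ -72` hunk although it touches earlier lines; hunks need to be in ascending file order for the patch to apply cleanly. The `%q` portability caveat from the previous hunk applies here as well.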
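Review bot: in the `@@ -159,7 +162,7 @@` hunk, `printf '/sbin/ip route replace %q\n' "$temp_result"` quotes the whole assembled `$temp_result` as one shell word, so the generated command would pass a single argument containing spaces to `ip route replace` and the route would never be installed. Quote each component of the route (network, gateway, device) individually as it is assembled in `parse_option_121`, or validate them as addresses and interface names before they are joined. The replaced `echo` line is again missing its `-` marker.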
Longer-term, the safer design is to stop generating shell code from DHCP-derived values altogether, for example by writing them to a data file that the consumer reads and validates rather than sources.
CVSS 3.1 estimate
*Score:* 8.8 (HIGH)
*Vector:* `CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
Brief rationale:
*AV:A*: attacker must be on the adjacent network (the same broadcast domain, so it can answer the client's DHCP request).
*AC:L*: straightforward malicious DHCP response.
*PR:N*: no prior auth required.
*UI:N*: no user interaction.
*S:U*: impact stays within the booting host's own security scope.
*C/I/A:H*: root command execution in initramfs can fully compromise boot/network behavior and availability.
------
This report was generated using AI technology. Always review AI-generated content prior to use