AI_ONLY_REPORT package: RHEL_base/dracut-107-4.el10

[Security] Command Injection via DHCP Options in dhclient-script.sh

Hello dracut maintainers,

We believe that we have discovered a potential security vulnerability in this repository: command injection in the legacy DHCP path (`modules.d/35network-legacy/dhclient-script.sh`), leading to root code execution in initramfs.

Vulnerability details

DHCP-provided values are written into temporary shell scripts and later sourced as root, without safe shell escaping.

```sh
# modules.d/35network-legacy/dhclient-script.sh
[ -n "$hostname" ] && echo "echo ${hostname%."$domain"}${domain:+.$domain} > /proc/sys/kernel/hostname" > /tmp/net."$netif".hostname
...
echo ip route replace default via "$main_gw" dev "$netif" >> /tmp/net."$netif".gw
...
echo "/sbin/ip route replace $temp_result"
```

These generated files are then sourced:

```sh
# modules.d/45net-lib/net-lib.sh
[ -e /tmp/net."$netif".hostname ] && . /tmp/net."$netif".hostname
[ -e /tmp/dhclient."$netif".dhcpopts ] && . /tmp/dhclient."$netif".dhcpopts
[ -e /tmp/net."$netif".gw ] && . /tmp/net."$netif".gw
```

And initqueue jobs are sourced as shell code:

```sh
# modules.d/99base/init.sh
for job in "$hookdir"/initqueue/*.sh; do
    job=$job . "$job"
done
```

A malicious DHCP server can provide `host-name` (and potentially routing-related options) containing shell metacharacters, which are persisted into these scripts and executed as root.

Relevant CWEs:

- CWE-78: Improper Neutralization of Special Elements used in an OS Command.
- CWE-94: Improper Control of Generation of Code (dynamic shell script generation from untrusted input).

Reproduction steps

1. Build/initramfs boot path that uses `35network-legacy` and `dhclient` (`ip=dhcp`, `rd.neednet=1`).
2. On the same L2 segment, run a DHCP server that returns a malicious host-name, for example: `host-name = "pwn; touch /tmp/dracut_poc #"`
3. Boot the target so DHCP reaches `BOUND`.
4. Observe generated script content (in initramfs shell): `/tmp/net.<iface>.hostname` contains injected shell syntax.
5. Wait for `setup_net` / initqueue processing; verify `/tmp/dracut_poc` exists, proving command execution as root.

Proposed fix (example patch)

```diff
diff --git a/modules.d/35network-legacy/dhclient-script.sh b/modules.d/35network-legacy/dhclient-script.sh
@@ -72,7 +72,10 @@ setup_interface() {
 [ -n "$hostname" ] && echo "echo ${hostname%."$domain"}${domain:+.$domain} > /proc/sys/kernel/hostname" > /tmp/net."$netif".hostname
+if [ -n "$hostname" ]; then
+safe_hostname=$(printf '%s' "${hostname%."$domain"}${domain:+.$domain}")
+printf 'echo %q > /proc/sys/kernel/hostname\n' "$safe_hostname" > /tmp/net."$netif".hostname
+fi
@@ -54,7 +57,7 @@ setup_interface() {
 echo ip route replace default via "$main_gw" dev "$netif" >> /tmp/net."$netif".gw
+printf 'ip route replace default via %q dev %q\n' "$main_gw" "$netif" >> /tmp/net."$netif".gw
 if [ -n "$other_gw" ]; then
 for g in $other_gw; do
 echo ip route add default via "$g" dev "$netif" >> /tmp/net."$netif".gw
+printf 'ip route add default via %q dev %q\n' "$g" "$netif" >> /tmp/net."$netif".gw
 done
 fi
@@ -159,7 +162,7 @@ parse_option_121() {
 echo "/sbin/ip route replace $temp_result"
+printf '/sbin/ip route replace %q\n' "$temp_result"
 done
 }
```

Longer-term, avoiding dynamic shell script generation for DHCP-derived values would be safer.

CVSS 3.1 estimate

*Score:* 8.8 (HIGH)
*Vector:* `CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`

Brief rationale:

- *AV:A*: attacker must be on adjacent network (DHCP domain).
- *AC:L*: straightforward malicious DHCP response.
- *PR:N*: no prior auth required.
- *UI:N*: no user interaction.
- *S:U*: impact within same trust scope.
- *C/I/A:H*: root command execution in initramfs can fully compromise boot/network behavior and availability.

------

This report was generated using AI technology. Always review AI-generated content prior to use
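Review bot: in the `@@ -72,7 +72,10 @@` hunk, `%q` is a bash extension to `printf`, and the `$'...'` form it emits for non-printable bytes is itself only understood by bash when the file is later sourced; if the initramfs `/bin/sh` that runs `dhclient-script.sh` and sources `/tmp/net."$netif".hostname` is not bash, the generated line will not be quoted as intended, whereas single-quote wrapping (`'...'` with embedded quotes rewritten as `'\''`) is portable. Also, `safe_hostname=$(printf '%s' "${hostname%."$domain"}${domain:+.$domain}")` is a plain copy of the string and adds no escaping over a direct assignment, and the original `[ -n "$hostname" ] && echo ... > /tmp/net."$netif".hostname` line is kept as context rather than removed, so the unquoted file is still written first and only then overwritten; it should be a `-` line.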
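Review bot: in the `@@ -54,7 +57,7 @@` hunk the unquoted writes are not removed: `echo ip route replace default via "$main_gw" dev "$netif" >> /tmp/net."$netif".gw` and the `echo ip route add default via "$g" dev "$netif" >> ...` line in the loop stay as context, and because both use `>>` the unquoted command is still appended to `/tmp/net."$netif".gw` next to the quoted one and still sourced by `net-lib.sh`. Both should become `-` lines. The hunk is also placed after the `@@ -72` hunk although it covers earlier lines, and the new-side count `+57,7` does not account for the two added lines, so the patch will not apply as written.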
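Review bot: in the `@@ -159,7 +162,7 @@` hunk of `parse_option_121()`, `echo "/sbin/ip route replace $temp_result"` stays in place, so the unquoted route line is still emitted before the `printf '/sbin/ip route replace %q\n' "$temp_result"` line; it should be a `-` line, and the header count `+162,7` needs to reflect the added line.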
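The same quoting question applies to the hostname, `.gw` and option-121 lines above. As an added example that is neither dracut's code nor the reporter's patch, the block below shows a POSIX-sh single-quote helper (usable where bash's `%q` is not available) applied to the hostname case, beside the unquoted pattern the report describes, with a check that sources the generated file the way `net-lib.sh` does and confirms that only the intended write happened. The function names `sh_quote`, `render_hostname_job`, `write_hostname_job`, `write_hostname_job_unsafe` and `check_job` are chosen here; the target path is a parameter so the example runs unprivileged, and the hostile value is constructed.

```shell
#!/bin/sh
# Added example, not dracut's code and not the reporter's patch: a POSIX-sh
# quoting helper for values that are persisted into a generated script and
# later sourced, plus a check that sources the result the way net-lib.sh does.
# bash's printf %q is not available in a plain /bin/sh, so single quotes are
# used instead. Function names and the constructed hostile value are ours.

sq="'"

# sh_quote VALUE: print VALUE as exactly one shell word, wrapped in single
# quotes with every embedded single quote rewritten as '\''. Inside single
# quotes, ';', '#', '$', backticks, spaces and newlines are all literal.
sh_quote() {
    _rest=$1
    printf "'"
    while [ -n "$_rest" ]; do
        case $_rest in
            *"$sq"*)
                printf '%s' "${_rest%%"$sq"*}"   # text before the next quote
                printf '%s' "'\\''"              # close, escaped quote, reopen
                _rest=${_rest#*"$sq"}
                ;;
            *)
                printf '%s' "$_rest"
                _rest=
                ;;
        esac
    done
    printf "'"
}

# write_hostname_job_unsafe HOSTNAME TARGET OUTFILE: the shape of the line the
# report quotes from dhclient-script.sh (domain handling omitted). TARGET
# stands in for /proc/sys/kernel/hostname so the example runs unprivileged.
write_hostname_job_unsafe() {
    echo "echo $1 > $2" > "$3"
}

# render_hostname_job HOSTNAME TARGET: hardened counterpart, printed to stdout.
# Value and path are both quoted, and printf replaces echo so a value such as
# "-n" or one containing backslashes is still written verbatim.
render_hostname_job() {
    printf '%s' "printf '%s\\n' "
    printf '%s > %s\n' "$(sh_quote "$1")" "$(sh_quote "$2")"
}

# write_hostname_job HOSTNAME TARGET OUTFILE: same, written to OUTFILE.
write_hostname_job() {
    render_hostname_job "$1" "$2" > "$3"
}

# check_job GENERATOR HOSTNAME: generate a job into a fresh temp dir with
# GENERATOR, source it as net-lib.sh sources /tmp/net.*.hostname, and return 0
# only if the target holds HOSTNAME verbatim and nothing else appeared in the
# directory (so nothing beyond the intended write ran).
check_job() {
    _d=$(mktemp -d) || return 1
    "$1" "$2" "$_d/hostname" "$_d/job.sh"
    ( cd "$_d" && . ./job.sh ) > /dev/null 2>&1 || true
    _got=$(cat "$_d/hostname" 2> /dev/null || true)
    _extra=$(cd "$_d" && ls -A | grep -v -e '^job\.sh$' -e '^hostname$' || true)
    rm -rf "$_d"
    [ "$_got" = "$2" ] && [ -z "$_extra" ]
}

# Constructed hostile value: the same shape as the report's reproduction
# step, but its side effect is limited to the temp dir used by check_job.
hostile='pwn; touch injected #'
printf 'hardened job line: '
render_hostname_job "$hostile" /proc/sys/kernel/hostname
if check_job write_hostname_job_unsafe "$hostile"; then
    echo "unsafe generator: no injection observed"
else
    echo "unsafe generator: injected command ran"
fi
if check_job write_hostname_job "$hostile"; then
    echo "hardened generator: value stored verbatim, nothing else ran"
fi
```

`check_job` is the part worth keeping around: pointing it at a generator and a value with `;`, `#`, `$(...)`, backticks or an embedded single quote gives a yes/no answer on whether the generated file can be sourced without running anything but the intended write.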
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2026:26532 https://access.redhat.com/errata/RHSA-2026:26532
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2026:26534 https://access.redhat.com/errata/RHSA-2026:26534
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:26533 https://access.redhat.com/errata/RHSA-2026:26533