Chaining ISC DHCP Server Features for Unauthenticated Root Remote Code Execution
The post shows how ISC DHCP Server can be driven to unauthenticated root RCE by chaining intended features rather than exploiting memory corruption. If omapi-port is exposed without an omapi-key, an attacker can use OMAPI to create or modify a host object and set its statements attribute, which is parsed with the normal dhcpd.conf grammar and can include execute() directives. By binding that injected host entry to a chosen hardware address and then sending a DHCP DISCOVER with a matching chaddr, the attacker makes the server resolve the host during normal lease processing and run the embedded command via fork()/execvp() as the dhcpd process user, typically root. The research is notable because it turns documented management and configuration behavior in a still widely deployed, root-running DHCP daemon into a practical network-to-root execution path.
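As an added example (not code from the post or from ISC), here is a small Python audit of a dhcpd.conf for the two preconditions the chain depends on: an omapi-port statement with no omapi-key, and execute() statements reported with the block that encloses them (a host declaration being the case the post abuses). The sample configurations, the key name defomapi and the notify-lease path are constructed placeholders.

```python
import re
# Constructed sample dhcpd.conf fragments (hypothetical; not from any real deployment).
EXPOSED_CONF = """\
omapi-port 7911;
subnet 192.0.2.0 netmask 255.255.255.0 {
  range 192.0.2.100 192.0.2.200;
}
host printer1 {
  hardware ethernet 00:11:22:33:44:55;
  execute("/usr/local/sbin/notify-lease", "printer1");  # runs as the dhcpd user
}
"""
HARDENED_CONF = """\
omapi-port 7911;
omapi-key defomapi;  # OMAPI requests must be signed with this key
key defomapi {
  algorithm hmac-md5;
  secret "<placeholder-base64-secret>";
}
"""

def strip_comments(conf: str) -> str:
    # Drops '#' comments; a '#' inside a quoted string would also be cut (kept simple).
    return re.sub(r"#[^\n]*", "", conf)

def audit_dhcpd_conf(conf: str) -> list[str]:
    """Return findings for the two preconditions the chain relies on."""
    text = strip_comments(conf)
    findings = []
    has_port = re.search(r"(?m)^\s*omapi-port\s+\d+\s*;", text)
    has_key = re.search(r"(?m)^\s*omapi-key\s+\S+\s*;", text)
    if has_port and not has_key:
        findings.append("omapi-port set without omapi-key: OMAPI accepts unauthenticated requests")
    # Walk statements while tracking enclosing block headers, so every execute()
    # is reported with its scope (a host declaration is the case the post abuses).
    stack, buf = [], ""
    for ch in text:
        if ch not in "{};":
            buf += ch
            continue
        stmt, buf = buf.strip(), ""
        if ch == "{":
            stack.append(stmt)
        elif ch == "}" and stack:
            stack.pop()
        elif re.match(r"execute\s*\(", stmt):
            scope = " > ".join(stack) or "global"
            findings.append(f"execute() in scope '{scope}': {stmt}")
    return findings
```

Run it against a real dhcpd.conf by reading the file and passing its text to audit_dhcpd_conf; an empty list means neither precondition was found.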