What is DynoRoot?
DynoRoot (CVE-2018-1111) is a remote command injection in a script shipped with the DHCP client in Red Hat Enterprise Linux 6 and 7.
It allows an attacker to run arbitrary commands on the attacked machine with the highest privileges (root).
How does it work?
On affected systems, the DHCP client has a script under "/etc/NetworkManager/dispatcher.d/". That script is executed each time NetworkManager receives a DHCP response from a DHCP server.
Unfortunately, the script contains a command injection, because it evaluates DHCP options sent by a rogue server:
Have I been breached?
In collaboration with our sensor partners, the Windows Defender Advanced Threat Protection team is monitoring your Linux machines. We have released an Advanced Hunting query that you can run to see the processes spawned from DHCP clients, and act appropriately.
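The hunting idea above, processes spawned beneath the DHCP client or the NetworkManager dispatcher, can be reproduced locally over process-creation records. This is an added example, not the Advanced Hunting query or any Defender code; the log format, process names and the dispatcher script name are constructed assumptions.

```python
"""Find processes descended from DHCP-lease handling, the footprint that
DynoRoot (CVE-2018-1111) exploitation leaves in process-creation telemetry."""
from dataclasses import dataclass
from typing import Dict, List

# Assumed process names that handle DHCP leases on RHEL 6/7.
DHCP_ROOTS = {"dhclient", "dhclient-script", "nm-dispatcher", "NetworkManager"}
# Interpreters and network tools a dispatcher script should not be launching.
SUSPICIOUS = {"sh", "bash", "dash", "nc", "ncat", "curl", "wget", "python", "perl"}

@dataclass
class ProcEvent:
    ts: str
    host: str
    pid: int
    ppid: int
    name: str
    cmdline: str

def parse_line(line: str) -> ProcEvent:
    """Parse the constructed 'ts|host|pid|ppid|name|cmdline' record format."""
    ts, host, pid, ppid, name, cmdline = line.rstrip("\n").split("|", 5)
    return ProcEvent(ts, host, int(pid), int(ppid), name, cmdline)

def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Names of ev's ancestors, nearest first, following ppid within the sample."""
    chain, seen, cur = [], set(), by_pid.get(ev.ppid)
    while cur and cur.pid not in seen:
        chain.append(cur.name)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain

def hunt(lines: List[str]) -> List[ProcEvent]:
    """Return every process under a DHCP root, suspicious interpreters first."""
    events = [parse_line(l) for l in lines if l.strip()]
    by_pid = {e.pid: e for e in events}
    hits = [e for e in events if e.name not in DHCP_ROOTS
            and any(a in DHCP_ROOTS for a in ancestors(e, by_pid))]
    return sorted(hits, key=lambda e: (e.name not in SUSPICIOUS, e.ts))

# Constructed sample log; "dispatcher-script" is a placeholder script name.
SAMPLE_LOG = [
    "2018-05-16T10:01:00Z|rhel7-ws|1377|1|NetworkManager|/usr/sbin/NetworkManager --no-daemon",
    "2018-05-16T10:01:02Z|rhel7-ws|4112|1377|nm-dispatcher|/usr/libexec/nm-dispatcher",
    "2018-05-16T10:01:02Z|rhel7-ws|4113|4112|dispatcher-script|/etc/NetworkManager/dispatcher.d/dispatcher-script eth0 dhcp4-change",
    "2018-05-16T10:01:03Z|rhel7-ws|4114|4113|bash|/bin/bash -c \"touch /tmp/dynoroot-marker\"",
    "2018-05-16T10:01:03Z|rhel7-ws|4115|4113|grep|grep ^DHCP4_",
    "2018-05-16T10:05:00Z|rhel7-ws|4200|1|sshd|/usr/sbin/sshd -D",
]

if __name__ == "__main__":
    for e in hunt(SAMPLE_LOG):
        print(f"{e.ts} {e.host} pid={e.pid} {e.name}: {e.cmdline}")
```

In practice, triage the flagged children: a bash or nc process under the dispatcher right after a lease change is the pattern to act on, while helpers such as grep or ip are the script's normal work.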
I'd like to watch a demo!
Together with our partners at Ziften, we composed a video showing the attack, as well as the advanced hunting query that shows how to hunt for DynoRoot exploitation.
Updated Nov 14, 2019
Version 2.0
Jonathan Bar Or (JBO), Microsoft
Microsoft Defender for Endpoint Blog