CVE-2011-0997

ISC DHCP 3.0.x-4.2.x - Remote Code Execution via DHCP Hostname Shell Metacharacters

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2011-0997. PoCs published by Pierre Kim, including Metasploit module lib/rex/proto/dhcp/server.

AI-analyzed exploit summary: The exploit demonstrates multiple RCE vulnerabilities in 15 TOTOLINK router models, allowing command execution via HTTP and DHCP requests. It includes functional PoC code and detailed technical analysis of the vulnerabilities.

Description

dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message, as demonstrated by a hostname that is provided to dhclient-script.

Exploits (2)

exploitdb WORKING POC
by Pierre Kim · text · webapps · hardware
https://www.exploit-db.com/exploits/37623

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: TOTOLINK routers (multiple models)
No auth needed
Prerequisites: Network access to the target router
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/dhcp/server.rb

This is a functional DHCP server implementation in Ruby, extended to exploit CVE-2011-0997, a vulnerability in the PXE boot process. The code includes specific logic to serve malicious PXE configurations, enabling remote code execution on vulnerable clients.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: PXE boot clients (various versions)
No auth needed
Prerequisites: Network access to DHCP clients · Vulnerable PXE boot implementation
devstral-2 · analyzed Mar 13, 2026

References (35)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/47176
Permissions Required vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/0886
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/44103
Third Party Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2011-0840.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/44037
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=689832
Permissions Required vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/0926
Mailing List, Third Party Advisory vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=133226187115472&w=2
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/44127
Third Party Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2011:073
Permissions Required vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/0909
Broken Link vdb-entry x_refsource_osvdb
http://www.osvdb.org/71493
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/44090
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/44048
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058279.html
Patch, Vendor Advisory x_refsource_confirm
https://www.isc.org/software/dhcp/advisories/cve-2011-0997
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/66580
Permissions Required vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/0879
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/107886
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1025300
Third Party Advisory x_refsource_confirm
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761
Permissions Required vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/1000
Permissions Required vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/0915
Permissions Required vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/0965
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/37623/
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-201301-06.xml
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/44180
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2011/dsa-2217
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1108-1
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2011/dsa-2216
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057888.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2011-0428.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/44089

Scores

EPSS 0.7350
EPSS Percentile 98.8%

Details

CWE: CWE-20
Status: published
Products (19)
canonical/ubuntu_linux 6.06
canonical/ubuntu_linux 8.04
canonical/ubuntu_linux 9.10
canonical/ubuntu_linux 10.04
canonical/ubuntu_linux 10.10
debian/debian_linux 5.0
debian/debian_linux 6.0
debian/debian_linux 7.0
isc/dhcp 3.0
isc/dhcp 3.0.1 (13 CPE variants)
... and 9 more
Published Apr 08, 2011
Tracked Since Feb 18, 2026