Wow, that’s pretty nasty. The attacker is essentially spoofing the DHCP server’s response, which the DHCP client accepts because the client’s XID is generated by an inadequately-seeded RNG. Since e.g. the public key of the root user is ultimately fetched from a server configured via DHCP (with no further authentication, etc.), pwnage follows.
Nice find!