The 2011 Pwnie Nominee For Best Server-Side Bug

ISC dhclient metacharacter injection (CVE-2011-0997)

Credit: Sebastian Krahmer and Marius Tomaschewski

The ISC dhclient did not strip or escape certain shell meta-characters in responses from the DHCP server before passing the responses on to a shell script. Depending on the script used by the OS, this could result in arbitrary code execution on the client. Using this vulnerability, a single rogue DHCP server could exploit the entire local network.
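
The kind of check that was missing, as an added example (not ISC's code and not the actual fix for CVE-2011-0997): an allow-list validator a DHCP client could apply to a server-supplied name value before exporting it to its shell script. The function name, the choice of a hostname-style option, and the character policy are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Allow-list check for a DHCP-supplied name (hostname-style value) before it
 * is handed to a client script. Hypothetical helper, not ISC's patch.
 * Works on (pointer, length) because DHCP options are length-prefixed and
 * may contain embedded NUL bytes. Returns 1 if safe, 0 if it must be dropped. */
int dhcp_name_is_safe(const unsigned char *val, size_t len)
{
    size_t i, label_len = 0;

    if (val == NULL || len == 0 || len > 255)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = val[i];
        if (c == '.') {
            if (label_len == 0)
                return 0;               /* leading dot or empty label */
            label_len = 0;
            continue;
        }
        int alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                    (c >= '0' && c <= '9');
        /* '-' is allowed only inside a label, so a value can never start
         * with '-' and be mistaken for a command-line option. */
        if (!alnum && !(c == '-' && label_len > 0))
            return 0;                   /* shell metacharacters, spaces, NUL, ... */
        if (++label_len > 63)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample values, not captured traffic. */
    const char *samples[] = { "client1.example.test", "bad;name", "-leading" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s %s\n", samples[i],
               dhcp_name_is_safe((const unsigned char *)samples[i],
                                 strlen(samples[i])) ? "accept" : "reject");
    return 0;
}
```

Rejecting anything outside a small allow-list is stricter than escaping, and it fails closed when the receiving script quotes its variables incorrectly.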