Description
Kea configuration and API directives can be used to load a malicious hook library. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths.
If an attacker has access to a local unprivileged user account, and the Kea API entry points are not secured, the attacker can instruct Kea to load a hook library from an arbitrary local file (including a file introduced by the attacker). The malicious hook would execute with the privileges available to Kea.
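A defender can check a deployment for the three conditions named above. The following is an added example, not code from ISC or from this advisory: it audits an already parsed Kea configuration for control sockets in group- or world-writable paths, a Control Agent without an `authentication` block, and hook libraries writable by non-owners. The function names and finding labels are hypothetical, and the sample configuration is constructed.

```python
import os
import stat
import tempfile

LOOSE = stat.S_IWGRP | stat.S_IWOTH  # writable by someone other than the owner

def loose(path):
    """True if path exists and is group- or world-writable."""
    try:
        return bool(os.stat(path).st_mode & LOOSE)
    except OSError:
        return False

def audit_kea_config(cfg):
    """Return findings for a parsed Kea config (a dict; comments already stripped)."""
    findings = []
    for daemon, sec in cfg.items():
        if not isinstance(sec, dict):
            continue
        many = sec.get("control-sockets", [])
        socks = [sec.get("control-socket")]
        socks += list(many.values()) if isinstance(many, dict) else list(many)
        for s in socks:
            if not isinstance(s, dict) or s.get("socket-type") != "unix":
                continue
            name = s.get("socket-name", "")
            if loose(os.path.dirname(name)) or loose(name):
                findings.append((daemon, "socket-path", name))
        if daemon == "Control-agent" and not sec.get("authentication"):
            findings.append((daemon, "no-authentication", sec.get("http-host", "")))
        for hook in sec.get("hooks-libraries", []):
            lib = hook.get("library", "")
            if loose(lib) or loose(os.path.dirname(lib)):
                findings.append((daemon, "hook-writable", lib))
    return findings

def demo():
    """Constructed sample: one socket in a 0777 directory, one in a 0700 directory."""
    bad, good = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.chmod(bad, 0o777)
    os.chmod(good, 0o700)
    cfg = {
        "Dhcp4": {"control-socket": {"socket-type": "unix",
                                     "socket-name": os.path.join(bad, "kea4-ctrl-socket")}},
        "Dhcp6": {"control-socket": {"socket-type": "unix",
                                     "socket-name": os.path.join(good, "kea6-ctrl-socket")}},
        "Control-agent": {"http-host": "127.0.0.1", "http-port": 8000},
    }
    return bad, audit_kea_config(cfg)

if __name__ == "__main__":
    for finding in demo()[1]:
        print(finding)
```

Kea configuration files may contain comments, so strip them before parsing the file as JSON and passing the result to `audit_kea_config`. Run the audit as a user who can stat the socket and hook directories, and separately confirm which account the Kea daemons run under.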