Title: tcpdump contains remote vulnerabilities [REISSUED]
Released by: FreeBSD
Date: 6th November 2000
-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:61                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          tcpdump contains remote vulnerabilities [REISSUED]

Category:       core
Module:         tcpdump
Announced:      2000-10-31
Reissued:       2000-11-06
Credits:        Discovered during internal auditing.
Affects:        All releases of FreeBSD 3.x, 4.x prior to 4.2
                FreeBSD 3.5.1-STABLE and 4.1.1-STABLE prior to the
                correction date
Corrected:      2000-10-04 (FreeBSD 4.1.1-STABLE)
                2000-10-05 (FreeBSD 3.5.1-STABLE)
Vendor status:  Patch released
FreeBSD only:   NO


0.   Revision History

v1.0  2000-10-31  Initial release
v1.1  2000-11-06  Corrected patch


I.   Background

tcpdump is a tool for monitoring network activity.


II.  Problem Description

Several overflowable buffers were discovered in the version of tcpdump
included in FreeBSD during internal source code auditing.  Some of them
simply allow a remote attacker to crash the local tcpdump process, but
there is a more serious vulnerability in the decoding of AFS ACL
packets in the more recent version of tcpdump (tcpdump 3.5) included
in FreeBSD 4.0-RELEASE, 4.1-RELEASE and 4.1.1-RELEASE, which may allow
a remote attacker to execute arbitrary code on the local system
(usually as root, since root privileges are required to run tcpdump).

The former issue may be a problem for systems using tcpdump as a form
of intrusion detection system, i.e. to monitor suspicious network
activity: once the attacker has crashed any listening tcpdump
processes, their subsequent activities will not be observed.

All released versions of FreeBSD prior to the correction date,
including 3.5.1-RELEASE, 4.0-RELEASE, 4.1-RELEASE and 4.1.1-RELEASE,
are vulnerable to the "remote crash" problems, and FreeBSD
4.0-RELEASE, 4.1-RELEASE and 4.1.1-RELEASE are also vulnerable to the
"remote execution" vulnerability.  Both problems were corrected in
4.1.1-STABLE prior to the release of FreeBSD 4.2-RELEASE.


III. Impact

Remote users can cause the local tcpdump process to crash, and (under
FreeBSD 4.0-RELEASE, 4.1-RELEASE, 4.1.1-RELEASE and 4.1.1-STABLE prior
to the correction date) may be able to cause arbitrary code to be
executed as the user running tcpdump, usually root.
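The bug class behind this advisory, shown in an added example that is not tcpdump's code and not the AFS ACL decoder the advisory refers to: a toy decoder, written in the style of a packet-capture protocol printer, for an invented record consisting of one length byte followed by a name. The unchecked form trusts the on-wire length for both the read from the packet and the copy into a fixed stack buffer, which is the shape of an "overflowable buffer"; the checked form validates that length against the number of bytes actually captured and against the destination buffer, the standard defence for this class of defect. The record layout, function names and sample records are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Hypothetical on-wire record (constructed for this example, not a real
 * protocol): one length byte followed by `len` bytes of name. */
#define NAME_MAX_LEN 16

/* Anti-pattern: the shape of an "overflowable buffer" in a decoder.
 * The on-wire length drives both the read from the packet and the copy
 * into a fixed-size stack buffer, and `caplen` (the bytes actually
 * captured) is never consulted.  A record claiming more bytes than the
 * buffer holds overwrites the stack; one claiming more bytes than were
 * captured reads past the end of the packet.  Shown for contrast only;
 * main() calls it with a well-formed record. */
static void print_name_unchecked(const uint8_t *p, size_t caplen)
{
    char name[NAME_MAX_LEN + 1];
    size_t len = p[0];

    (void)caplen;               /* ignored: that is the defect */
    memcpy(name, p + 1, len);   /* len comes straight off the wire */
    name[len] = '\0';
    printf("unchecked: name=%s\n", name);
}

/* Results of the checked decoder. */
enum decode_status {
    DECODE_OK = 0,
    DECODE_TRUNCATED = -1,   /* record claims more bytes than were captured */
    DECODE_TOO_LONG = -2     /* record claims more bytes than `out` can hold */
};

/* Bounds-checked form.  Every read is validated against `caplen` before
 * it happens, and the copy is validated against the destination size.
 * On success `out` receives the NUL-terminated name. */
static int decode_name_checked(const uint8_t *p, size_t caplen,
                               char out[NAME_MAX_LEN + 1])
{
    size_t len;

    if (caplen < 1)
        return DECODE_TRUNCATED;        /* not even the length byte arrived */
    len = p[0];
    if (len > NAME_MAX_LEN)
        return DECODE_TOO_LONG;         /* would overflow `out` */
    if (caplen - 1 < len)
        return DECODE_TRUNCATED;        /* payload shorter than claimed */
    memcpy(out, p + 1, len);
    out[len] = '\0';
    return DECODE_OK;
}

/* Constructed sample records, not captured traffic. */
static const uint8_t pkt_good[]      = { 5, 'a', 'd', 'm', 'i', 'n' };
static const uint8_t pkt_truncated[] = { 9, 'a', 'd', 'm' };         /* claims 9, carries 3 */
static const uint8_t pkt_oversize[]  = { 200, 'x', 'x', 'x', 'x' };  /* 200 > NAME_MAX_LEN */

int main(void)
{
    char out[NAME_MAX_LEN + 1];
    int rc;

    /* Safe only because this record is well-formed. */
    print_name_unchecked(pkt_good, sizeof pkt_good);

    rc = decode_name_checked(pkt_good, sizeof pkt_good, out);
    printf("good:      rc=%d name=%s\n", rc, rc == DECODE_OK ? out : "-");
    rc = decode_name_checked(pkt_truncated, sizeof pkt_truncated, out);
    printf("truncated: rc=%d\n", rc);
    rc = decode_name_checked(pkt_oversize, sizeof pkt_oversize, out);
    printf("oversize:  rc=%d\n", rc);
    return 0;
}
```

The two checks are distinct and both are needed: a capture tool's snapshot length (tcpdump's -s option) can leave a record shorter than the length its own header claims, so a decoder must trust neither the header field for reads nor for the size of the copy. The checked form fails closed with a status the caller can log, which is the behaviour a monitoring process needs if it is to keep observing traffic rather than crash on a malformed packet.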



IV.  Workaround

Do not use vulnerable versions of tcpdump in network environments
which may contain packets from untrusted sources.


V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE or
3.5.1-STABLE after the respective correction dates.

2a) FreeBSD 3.x systems prior to the correction date

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

http://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-3.x.patch
http://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-3.x.patch.asc

# cd /usr/src/contrib/tcpdump
# patch -p < /path/to/patch
# cd /usr/src/usr.sbin/tcpdump
# make depend && make all install

2b) FreeBSD 4.x systems prior to the correction date

NOTE: The patch distributed with the original version of this advisory
was incomplete and did not include all of the security fixes made to
the tcpdump utility.  In particular, it did not address the remote code
execution vulnerability.

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

http://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-4.x.patch.v1.1
http://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-4.x.patch.v1.1.asc

# cd /usr/src/contrib/tcpdump
# patch -p < /path/to/patch
# cd /usr/src/usr.sbin/tcpdump
# make depend && make all install

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOgcNKFUuHi5z0oilAQGYQAP9F00eE4rd0M46f8WMWTO7uFb1gV2p4Y0l
KV0vT1wMy+PdmFNpo7SVrb/tdpa4Wtxb/Q/tu7RDZQqFI29yBPTFnE1iu8T2BSAm
cO/dE5ypkjJkEjf8QjxqQXVhTbtIVVQa3Tosw3AdUFP0gKHUkZ36ryCQVxbqRMQK
c0ZkdbwESp8=
=uaOo
-----END PGP SIGNATURE-----