[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : tcpdump contains remote vulnerabilities [REISSUED]

Title: tcpdump contains remote vulnerabilities [REISSUED]
Released by: FreeBSD
Date: 6th November 2000
Printable version: Click here


FreeBSD-SA-00:61                                           Security Advisory

                                                                FreeBSD, Inc.

Topic:          tcpdump contains remote vulnerabilities [REISSUED]

Category:       core

Module:         tcpdump

Announced:      2000-10-31

Reissued: 2000-11-06

Credits: Discovered during internal auditing.

Affects:        All releases of FreeBSD 3.x, 4.x prior to 4.2

                FreeBSD 3.5.1-STABLE and 4.1.1-STABLE prior to the

                correction date

Corrected:      2000-10-04 (FreeBSD 4.1.1-STABLE)

2000-10-05 (FreeBSD 3.5.1-STABLE)

Vendor status: Patch released

FreeBSD only:   NO

0.   Revision History

v1.0  2000-10-31  Initial release

v1.1  2000-11-06  Corrected patch

I.   Background

tcpdump is a tool for monitoring network activity.

II.  Problem Description

Several overflowable buffers were discovered in the version of tcpdump

included in FreeBSD, during internal source code auditing.  Some

simply allow the remote attacker to crash the local tcpdump process,

but there is a more serious vulnerability in the decoding of AFS ACL

packets in the more recent version of tcpdump (tcpdump 3.5) included

in FreeBSD 4.0-RELEASE, 4.1-RELEASE and 4.1.1-RELEASE, which may allow

a remote attacker to execute arbitrary code on the local system

(usually root, since root privileges are required to run tcpdump).

The former issue may be a problem for systems using tcpdump as a form

of intrusion detection system, i.e. to monitor suspicious network

activity: after the attacker crashes any listening tcpdump processes

their subsequent activities will not be observed.

All released versions of FreeBSD prior to the correction date

including 3.5.1-RELEASE, 4.0-RELEASE, 4.1-RELEASE and 4.1.1-RELEASE

are vulnerable to the "remote crash" problems, and FreeBSD

4.0-RELEASE, 4.1-RELEASE and 4.1.1-RELEASE are also vulnerable to the

"remote execution" vulnerability.  Both problems were corrected in

4.1.1-STABLE prior to the release of FreeBSD 4.2-RELEASE.

III. Impact

Remote users can cause the local tcpdump process to crash, and (under

FreeBSD 4.0-RELEASE, 4.1-RELEASE, 4.1.1-RELEASE and 4.1.1-STABLE prior

to the correction date) may be able to cause arbitrary code to be

executed as the user running tcpdump, usually root.

IV.  Workaround

Do not use vulnerable versions of tcpdump in network environments

which may contain packets from untrusted sources.

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE or

3.5.1-STABLE after the respective correction dates.

2a) FreeBSD 3.x systems prior to the correction date

Download the patch and the detached PGP signature from the following

locations, and verify the signature using your PGP utility.



# cd /usr/src/contrib/tcpdump

# patch -p < /path/to/patch

# cd /usr/src/usr.sbin/tcpdump

# make depend && make all install

2b) FreeBSD 4.x systems prior to the correction date

NOTE: The patch distributed with the original version of this advisory

was incomplete and did not include all of the security fixes made to

the tcpdump utility. In particular, it did not address the remote code

execution vulnerability.

Download the patch and the detached PGP signature from the following

locations, and verify the signature using your PGP utility.



# cd /usr/src/contrib/tcpdump

# patch -p < /path/to/patch

# cd /usr/src/usr.sbin/tcpdump

# make depend && make all install


Version: GnuPG v1.0.4 (FreeBSD)

Comment: For info see http://www.gnupg.org







(C) 1999-2000 All rights reserved.