Vulnerability Note VU#797201

tcpdump vulnerable to buffer overflow via improper decoding of AFS RPC (Rx) packets

Overview

A vulnerability exists in tcpdump that could allow an attacker to execute arbitrary code with the privileges of tcpdump, typically root.

I. Description

tcpdump is a widely-used network sniffer that is capable of decoding AFS traffic. A buffer overflow vulnerability has been discovered in tcpdump's handling of AFS RPC (Rx) packets. Rx is the proprietary remote procedure call (RPC) protocol used by AFS to communicate between AFS processes running on different systems. According to FreeBSD Security Advisory FreeBSD-SA-01:48, this vulnerability is caused by "...incorrect string length handling in the decoding of AFS RPC packets."

II. Impact

A remote attacker who is able to send crafted AFS RPC (Rx) packets may be able to execute arbitrary code or cause a denial of service on a system running tcpdump. If tcpdump is operating in promiscuous mode, the attacker only needs to send packets to the ethernet segment in which tcpdump is running. On Linux systems, tcpdump runs with root privileges. On other UNIX systems, tcpdump may run with root privileges. On Windows 2000 systems, windump can be run with user privileges.

III. Solution

Upgrade tcpdump

This vulnerability was addressed in July 2001. tcpdump3_6_rel3 and later are not vulnerable. tcpdump 3.6.2 and earlier are vulnerable. Obtain an upgraded tcpdump package or apply the appropriate patch from your vendor.

Filter AFS Traffic

Block AFS RPC (Rx) packets destined to hosts (and networks with hosts) running vulnerable versions of tcpdump. AFS services communicate on a number of UDP ports:

7000/udp fileserver

7001/udp callback (cache manager on AFS client)

7002/udp ptserver

7003/udp vlserver

7004/udp kaserver

7005/udp volserver

7007/udp bosserver

7008/udp upserver

7009/udp rmtsysd (NFS/AFS translator)

7021/udp buserver

7025-65535/udp butc (backup servers)

It may also be possible to instruct tcpdump not to decode packets that use AFS Rx port numbers (ports 7021 and >7025 are not included in this filter):

$ tcpdump not udp port 7000 or 7001 or 7002 or 7003 or 7004 or 7005 or 7006 or 7007 or 7008 or 7009

While blocking AFS Rx traffic into a network may protect internal hosts, it may not protect systems that run tcpdump at the network perimeter, such as an Intrusion Detection System (IDS). Also, it is unclear how tcpdump determines that a given packet should be decoded as an AFS Rx packet. It is likely that tcpdump does not rely on port numbers, and if this is the case then an attacker could easily bypass port filters by using non-AFS port numbers.

Systems Affected

Vendor	Status	Date Notified
Caldera	Unknown	7-Jun-2002
Conectiva	Vulnerable	7-Jun-2002
FreeBSD	Vulnerable	7-Jun-2002
MandrakeSoft	Vulnerable	7-Jun-2002
Politecnico Di Torino	Unknown	7-Jun-2002
Red Hat, Inc.	Vulnerable	7-Jun-2002
tcpdump.org	Vulnerable	12-Jun-2002

References

VU#776781
http://www.securityfocus.com/bid/3065
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:48.tcpdump.asc
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:48/tcpdump-4.x.patch
http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-rx.c?r1=1.22&r2=1.23

Credit

The CERT Coordination Center thanks FreeBSD and tcpdump.org for information used in this document.

This document was written by Art Manion.

Other Information

Date Public:	2001-07-09
Date First Published:	2002-06-07
Date Last Updated:	2002-06-12
CERT Advisory:
CVE-ID(s):	CAN-2001-1279
NVD-ID(s):	CAN-2001-1279
US-CERT Technical Alerts:
Severity Metric:	10.94
Document Revision:	43

If you have feedback, comments, or additional information about this vulnerability, please send us email.