Vulnerability Note VU#797201
tcpdump vulnerable to buffer overflow via improper decoding of AFS RPC (Rx) packets
A vulnerability exists in tcpdump that could allow an attacker to execute arbitrary code with the privileges of tcpdump, typically root.
tcpdump is a widely-used network sniffer that is capable of decoding AFS traffic. A buffer overflow vulnerability has been discovered in tcpdump's handling of AFS RPC (Rx) packets. Rx is the proprietary remote procedure call (RPC) protocol used by AFS to communicate between AFS processes running on different systems. According to FreeBSD Security Advisory FreeBSD-SA-01:48, this vulnerability is caused by "...incorrect string length handling in the decoding of AFS RPC packets."
A remote attacker who is able to send crafted AFS RPC (Rx) packets may be able to execute arbitrary code or cause a denial of service on a system running tcpdump. If tcpdump is operating in promiscuous mode, the attacker only needs to send packets to the ethernet segment in which tcpdump is running. On Linux systems, tcpdump runs with root privileges. On other UNIX systems, tcpdump may run with root privileges. On Windows 2000 systems, windump can be run with user privileges.
7001/udp callback (cache manager on AFS client)
7009/udp rmtsysd (NFS/AFS translator)
7025-65535/udp butc (backup servers)
It may also be possible to instruct tcpdump not to decode packets that use AFS Rx port numbers (ports 7021 and >7025 are not included in this filter):
$ tcpdump not udp port 7000 or 7001 or 7002 or 7003 or 7004 or 7005 or 7006 or 7007 or 7008 or 7009
While blocking AFS Rx traffic into a network may protect internal hosts, it may not protect systems that run tcpdump at the network perimeter, such as an Intrusion Detection System (IDS). Also, it is unclear how tcpdump determines that a given packet should be decoded as an AFS Rx packet. It is likely that tcpdump does not rely on port numbers, and if this is the case then an attacker could easily bypass port filters by using non-AFS port numbers.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Conectiva||Affected||-||07 Jun 2002|
|FreeBSD||Affected||-||07 Jun 2002|
|MandrakeSoft||Affected||-||07 Jun 2002|
|Red Hat, Inc.||Affected||-||07 Jun 2002|
|tcpdump.org||Affected||-||12 Jun 2002|
|Caldera||Unknown||-||07 Jun 2002|
|Politecnico Di Torino||Unknown||-||07 Jun 2002|
CVSS Metrics (Learn More)
This document was written by Art Manion.
- CVE IDs: CAN-2001-1279
- Date Public: 09 Jul 2001
- Date First Published: 07 Jun 2002
- Date Last Updated: 12 Jun 2002
- Severity Metric: 10.94
- Document Revision: 43
If you have feedback, comments, or additional information about this vulnerability, please send us email.