Vulnerability Note VU#797201

tcpdump vulnerable to buffer overflow via improper decoding of AFS RPC (Rx) packets

Original Release date: 07 Jun 2002 | Last revised: 12 Jun 2002

Overview

A vulnerability exists in tcpdump that could allow an attacker to execute arbitrary code with the privileges of tcpdump, typically root.

Description

tcpdump is a widely-used network sniffer that is capable of decoding AFS traffic. A buffer overflow vulnerability has been discovered in tcpdump's handling of AFS RPC (Rx) packets. Rx is the proprietary remote procedure call (RPC) protocol used by AFS to communicate between AFS processes running on different systems. According to FreeBSD Security Advisory FreeBSD-SA-01:48, this vulnerability is caused by "...incorrect string length handling in the decoding of AFS RPC packets."

Impact

A remote attacker who is able to send crafted AFS RPC (Rx) packets may be able to execute arbitrary code or cause a denial of service on a system running tcpdump. If tcpdump is operating in promiscuous mode, the attacker only needs to send packets to the ethernet segment in which tcpdump is running. On Linux systems, tcpdump runs with root privileges. On other UNIX systems, tcpdump may run with root privileges. On Windows 2000 systems, windump can be run with user privileges.

Solution

Upgrade tcpdump

This vulnerability was addressed in July 2001. tcpdump3_6_rel3 and later are not vulnerable. tcpdump 3.6.2 and earlier are vulnerable. Obtain an upgraded tcpdump package or apply the appropriate patch from your vendor.


Filter AFS Traffic

Block AFS RPC (Rx) packets destined to hosts (and networks with hosts) running vulnerable versions of tcpdump. AFS services communicate on a number of UDP ports:

    7000/udp fileserver
    7001/udp callback (cache manager on AFS client)
    7002/udp ptserver  
    7003/udp vlserver
    7004/udp kaserver
    7005/udp volserver
    7007/udp bosserver
    7008/udp upserver
    7009/udp rmtsysd (NFS/AFS translator)
    7021/udp buserver
    7025-65535/udp butc (backup servers)

It may also be possible to instruct tcpdump not to decode packets that use AFS Rx port numbers (ports 7021 and >7025 are not included in this filter):

$ tcpdump not udp port 7000 or 7001 or 7002 or 7003 or 7004 or 7005 or 7006 or 7007 or 7008 or 7009

While blocking AFS Rx traffic into a network may protect internal hosts, it may not protect systems that run tcpdump at the network perimeter, such as an Intrusion Detection System (IDS). Also, it is unclear how tcpdump determines that a given packet should be decoded as an AFS Rx packet. It is likely that tcpdump does not rely on port numbers, and if this is the case then an attacker could easily bypass port filters by using non-AFS port numbers.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
ConectivaAffected-07 Jun 2002
FreeBSDAffected-07 Jun 2002
MandrakeSoftAffected-07 Jun 2002
Red Hat, Inc.Affected-07 Jun 2002
tcpdump.orgAffected-12 Jun 2002
CalderaUnknown-07 Jun 2002
Politecnico Di TorinoUnknown-07 Jun 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

The CERT Coordination Center thanks FreeBSD and tcpdump.org for information used in this document.

This document was written by Art Manion.

Other Information

  • CVE IDs: CAN-2001-1279
  • Date Public: 09 Jul 2001
  • Date First Published: 07 Jun 2002
  • Date Last Updated: 12 Jun 2002
  • Severity Metric: 10.94
  • Document Revision: 43

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.