search menu icon-carat-right cmu-wordmark

CERT Coordination Center


tcpdump vulnerable to buffer overflow via parsing of AFS ACL packets

Vulnerability Note VU#776781

Original Release Date: 2001-06-22 | Last Revised: 2001-06-26

Overview

Tcpdump version 3.5 contains a buffer overflow vulnerability permitting unauthorized remote root access.

Description

Tcpdump version 3.5 added support for handling AFS packets. Unfortunately the code responsible for printing AFS access control lists contains an unchecked buffer that can be overflowed by a remote attacker by sending a crafted AFS packet into the target network. Any machine on the target network that is running tcpdump with a large (> ~500) snaplen argument when the hostile packet arrives can be made to execute arbitrary code. Since tcpdump requires root privileges in order to run, the arbitrary code will also run with root privileges. Fixed in version 3.6.1.

Note that a program that successfully exploits this vulnerability was publicly released on the BugTraq mailing list on January 11, 2001.

Impact

Attackers can remotely execute arbitrary code with root privileges on a vulnerable host.

Solution

Upgrade to version 3.6.1 or greater.

Filter incoming dst UDP 7000 packets from untrusted networks. Exclude dst UDP 7000 packets from tcpdump capture, e.g. "tcpdump not udp dst port 7000".

Vendor Information

776781
Expand all

FreeBSD.org

Updated:  June 21, 2001

Status

  Vulnerable

Vendor Statement

See ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:61,tcpdump.v1.1.asc

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft

Updated:  June 21, 2001

Status

  Vulnerable

Vendor Statement

See http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-056.php3?dis=7.2

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

First public disclosure by zhodiac@outlimit.org and the !Hispahack Research Team

Other Information

CVE IDs: CVE-2000-1026
Severity Metric: 16.03
Date Public: 2001-01-11
Date First Published: 2001-06-22
Date Last Updated: 2001-06-26 17:40 UTC
Document Revision: 16

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.