COMMAND
tcpdump
SYSTEMS AFFECTED
Those running tcpdump
PROBLEM
The following is based on FreeBSD Security Advisory FreeBSD-SA-00:61.
Several overflowable buffers were discovered in the version of
tcpdump included in FreeBSD, during internal source code auditing.
Some simply allow the remote attacker to crash the local tcpdump
process, but there is a more serious vulnerability in the
decoding of AFS ACL packets in the more recent version of tcpdump
(tcpdump 3.5) included in FreeBSD 4.0-RELEASE, 4.1-RELEASE and
4.1.1-RELEASE, which may allow a remote attacker to execute
arbitrary code on the local system (usually as root, since root
privileges are required to run tcpdump).
The former issue may be a problem for systems using tcpdump as a
form of intrusion detection system, i.e. to monitor suspicious
network activity: after the attacker crashes any listening
tcpdump processes, their subsequent activities will not be
observed.
All released versions of FreeBSD prior to the correction date
including 3.5.1-RELEASE, 4.0-RELEASE, 4.1-RELEASE and
4.1.1-RELEASE are vulnerable to the "remote crash" problems, and
FreeBSD 4.0-RELEASE, 4.1-RELEASE and 4.1.1-RELEASE are also
vulnerable to the "remote execution" vulnerability. Both problems
were corrected in 4.1.1-STABLE prior to the release of FreeBSD
4.2-RELEASE.
Remote users can cause the local tcpdump process to crash, and
(under FreeBSD 4.0-RELEASE, 4.1-RELEASE, 4.1.1-RELEASE and
4.1.1-STABLE prior to the correction date) may be able to cause
arbitrary code to be executed as the user running tcpdump,
usually root.
SOLUTION
For FreeBSD:
1) Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE or
3.5.1-STABLE after the respective correction dates.
2a) FreeBSD 3.x systems prior to the correction date
Download the patch and the detached PGP signature from the
following locations, and verify the signature using your
PGP utility.
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-3.x.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-3.x.patch.asc
# cd /usr/src/contrib/tcpdump
# patch -p < /path/to/patch
# cd /usr/src/usr.sbin/tcpdump
# make depend && make all install
2b) FreeBSD 4.x systems prior to the correction date
Download the patch and the detached PGP signature from the
following locations, and verify the signature using your
PGP utility.
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-4.x.patch.v1.1
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-4.x.patch.v1.1.asc
# cd /usr/src/contrib/tcpdump
# patch -p < /path/to/patch
# cd /usr/src/usr.sbin/tcpdump
# make depend && make all install
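The download, verify and patch steps in 2a and 2b can be wrapped so that the source tree is only touched after the detached signature verifies. This is an added example, not part of the advisory; it assumes GnuPG (gpg) as the PGP utility and a keyring that already holds the signing key, and verify_and_apply is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the advisory): refuse to patch unless the detached
# signature verifies. Assumes GnuPG as the "PGP utility" and that the signing
# key was imported and its fingerprint checked out of band.

# verify_and_apply PATCH SIG [CONTRIB_DIR] [BUILD_DIR]
# Returns 0 on success, 1 on failed verification, 2 on bad arguments,
# 3 if gpg is unavailable, 4 if patching or the build fails.
verify_and_apply() {
    patch_file=$1
    sig_file=$2
    contrib_dir=${3:-/usr/src/contrib/tcpdump}
    build_dir=${4:-/usr/src/usr.sbin/tcpdump}

    # Absolute path required: the patch is read after a cd.
    case $patch_file in
        /*) ;;
        *) echo "patch path must be absolute" >&2; return 2 ;;
    esac
    [ -r "$patch_file" ] || { echo "cannot read $patch_file" >&2; return 2; }
    [ -r "$sig_file" ] || { echo "cannot read $sig_file" >&2; return 2; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 3; }

    # Detached-signature form: signature first, signed file second.
    # gpg exits non-zero for a bad signature, a missing public key,
    # or a file that is not OpenPGP data (e.g. a truncated download).
    if ! gpg --verify "$sig_file" "$patch_file" >&2; then
        echo "signature did not verify; source tree left untouched" >&2
        return 1
    fi

    # Same commands as the advisory, run only after a good signature.
    ( cd "$contrib_dir" && patch -p < "$patch_file" ) || return 4
    ( cd "$build_dir" && make depend && make all install ) || return 4
}
```

Call it with the absolute path of the downloaded patch and its .asc file; a zero exit from gpg only shows that the signature matches a key in the keyring, so the key's fingerprint still has to be confirmed separately.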
For SuSE Linux:
ftp://ftp.suse.com/pub/suse/i386/update/7.0/d1/libpcapn-0.4a6-279.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/tcpdump-3.4a6-280.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/tcpdump-3.4a6-280.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/d1/libpcapn-0.4a6-279.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/tcpdump-3.4a6-280.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/tcpdump-3.4a6-280.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/d1/libpcapn-0.4a6-279.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/tcpdump-3.4a6-280.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/tcpdump-3.4a6-280.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/d1/libpcapn-0.4a6-279.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/n1/tcpdump-3.4a6-280.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/zq1/tcpdump-3.4a6-280.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/d1/libpcapn-0.4a6-279.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/n1/tcpdump-3.4a6-280.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/zq1/tcpdump-3.4a6-280.src.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/d1/libpcapn-0.4a6-279.sparc.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/tcpdump-3.4a6-280.sparc.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/tcpdump-3.4a6-280.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/d1/libpcapn-0.4a6-279.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/tcpdump-3.4a6-280.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/tcpdump-3.4a6-280.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/d1/libpcapn-0.4a6-280.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/tcpdump-3.4a6-281.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/tcpdump-3.4a6-281.src.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/d1/libpcapn-0.4a6-279.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n1/tcpdump-3.4a6-280.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/tcpdump-3.4a6-280.src.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/d1/libpcapn-0.4a6-279.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/tcpdump-3.4a6-280.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/tcpdump-3.4a6-280.src.rpm
For Debian Linux:
http://security.debian.org/dists/stable/updates/main/source/tcpdump_3.4a6-4.2.diff.gz
http://security.debian.org/dists/stable/updates/main/source/tcpdump_3.4a6-4.2.dsc
http://security.debian.org/dists/stable/updates/main/source/tcpdump_3.4a6.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/binary-alpha/tcpdump_3.4a6-4.2_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/tcpdump_3.4a6-4.2_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/tcpdump_3.4a6-4.2_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/tcpdump_3.4a6-4.2_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/tcpdump_3.4a6-4.2_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/tcpdump_3.4a6-4.2_sparc.deb