
Re: FreeBSD-SA-01:48: tcpdump contains remote buffer overflow

daemon@ATHENA.MIT.EDU (antirez)
Wed Jul 18 17:57:06 2001

Date: Wed, 18 Jul 2001 22:10:46 +0200
From: antirez <antirez@invece.org>
To: aleph1@securityfocus.com
Cc: bugtraq@securityfocus.com
Message-ID: <20010718221046.M1564@blu>
Reply-To: antirez <antirez@invece.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20010718123715.D10132@securityfocus.com>; from aleph1@securityfocus.com on Wed, Jul 18, 2001 at 12:37:15PM -0600

On Wed, Jul 18, 2001 at 12:37:15PM -0600, aleph1@securityfocus.com wrote:
> II.  Problem Description
[snip]
> buffer causing the local tcpdump process to crash.  In addition, it
> may be possible to execute arbitrary code with the privileges of the
> user running tcpdump, often root.

We see buffer overflows and other security problems in
code that runs as root only to access the data link layer
or similar interfaces many times. Think of tcpdump,
ping, traceroute, ...

Almost all the people on this list know how it is possible to
gain access to the privileged resource in the
first lines of code, since in unix usually if you open
the device you take the interface, then drop the privileges. This
will mitigate a bit this kind of vulnerability and
is very simple to do. Maybe all the programs that
don't do this should be modified: very little effort but
a relative enhancement in security.

Sure, there are operating system extensions that
can handle the problem better, like capabilities, but
maybe it is important to remember that often setuid() & co.
are a way to reach a similar effect in a portable way.

regards,
antirez

-- 
Salvatore Sanfilippo <antirez@invece.org>
http://www.kyuzz.org/antirez
finger antirez@tella.alicom.com for PGP key
28 52 F5 4A 49 65 34 29 - 1D 1B F6 DA 24 C7 12 BF
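The pattern antirez describes above (open the privileged resource in the first lines of code, then use setuid() & co. to give up root), as an added C example that is not part of the original post or of tcpdump. It assumes a POSIX system; the raw ICMP socket stands in for the device a ping- or tcpdump-style tool needs root for, and the target uid/gid are assumed to be the invoking user's.

```c
/* Added example: acquire the root-only resource first, then drop
 * privileges permanently and verify the drop. Not tcpdump's own code. */
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Step 1: open the resource that needs root (here a raw ICMP socket,
 * the thing ping needs root for). Returns the fd, or -1 on failure. */
int open_raw_icmp_socket(void) {
    return socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

/* Step 2: drop to the target uid/gid for good. Order matters: clear the
 * supplementary groups and set the gid while still root, because after
 * setuid() the process can no longer change its group ids. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/* Step 3: verify the drop is real and irreversible. A process that has
 * truly given up root must get EPERM when it tries setuid(0) again. */
int privileges_dropped(uid_t uid, gid_t gid) {
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (uid != 0 && setuid(0) == 0) return 0;  /* regained root: bad */
    return 1;
}

int main(void) {
    int fd = open_raw_icmp_socket();  /* needs root, so do it first */
    if (fd < 0) perror("raw socket (expected to fail when not root)");
    uid_t uid = getuid();             /* assumption: the invoking user */
    gid_t gid = getgid();
    if (drop_privileges(uid, gid) != 0 || !privileges_dropped(uid, gid)) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;
    }
    /* The fd stays usable for packet I/O while the parser code runs
     * unprivileged, so a later overflow no longer hands out root. */
    printf("running as uid %d with socket fd %d\n", (int)uid, fd);
    if (fd >= 0) close(fd);
    return 0;
}
```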
