Title: TCPDump AFS Signed Integer Buffer Overflow Vulnerability
Severity: CRITICAL
Description:
tcpdump is a freely available software package designed for analyzing network traffic in real-time.
A problem in tcpdump could lead to the execution of arbitrary code. tcpdump is usually run by root. Therefore, exploitation of this vulnerability could lead to the execution of code as the root user, making it possible for a remote user to gain local administrative access on a vulnerable system.
tcpdump is vulnerable to a buffer overflow in the handling of AFS data. The buffer overflow condition exists in the processing of strings in AFS packets. Strings in AFS packets are preceeded by a length value. This 4 byte length value is treated by tcpdump as a signed integer type.
When a string is to be copied from the packet buffer to a local variable, the strncpy() function is used. Strncpy() allows programmers to place a limit on the amount of data that can be copied.
The length argument of the string is passed to strncpy() as the maximum length argument if it is smaller than the maximum permissable string length. Because the value is interpreted as a signed integer type, it will be passed to strncpy() if it is negative as it is "lower" numerically than the maximum string length value and will pass the check that compares them.
Strncpy() interprets the length argument as an unsigned integer type. It is therefore possible to cause a buffer overflow condition using strncpy() by exploiting this vulnerability. Attackers can bypass the check by supplying a negative value and have it interpreted as an unsigned value by strncpy(). With control of the copy limit argument, attackers can allow for a possibly exploitable buffer overflow condition to occur.
At the very least, attackers can cause tcpdump to crash due to a segmentation violation. It may be possible to execute arbitrary code by overwriting a function return address.
Affected Products:
- Caldera OpenLinux Server 3.1.0
- Caldera OpenLinux Server 3.1.1
- Caldera OpenLinux Workstation 3.1.0
- Caldera OpenLinux Workstation 3.1.1
- Conectiva Linux 5.0.0
- Conectiva Linux 5.1.0
- Conectiva Linux 6.0.0
- Conectiva Linux 7.0.0
- Conectiva Linux 8.0.0
- Conectiva Linux ecommerce
- Conectiva Linux graficas
- Debian Linux 3.0.0
- Debian Linux 3.0.0 alpha
- Debian Linux 3.0.0 arm
- Debian Linux 3.0.0 hppa
- Debian Linux 3.0.0 ia-32
- Debian Linux 3.0.0 ia-64
- Debian Linux 3.0.0 m68k
- Debian Linux 3.0.0 mips
- Debian Linux 3.0.0 mipsel
- Debian Linux 3.0.0 ppc
- Debian Linux 3.0.0 s/390
- Debian Linux 3.0.0 sparc
- FreeBSD FreeBSD 4.0.0
- FreeBSD FreeBSD 4.1.0
- FreeBSD FreeBSD 4.1.1
- FreeBSD FreeBSD 4.2.0
- FreeBSD FreeBSD 4.3.0
- HP Secure OS software for Linux 1.0.0
- LBL tcpdump 3.6.2
- MandrakeSoft Corporate Server 1.0.1
- MandrakeSoft Linux Mandrake 7.1.0
- MandrakeSoft Linux Mandrake 7.2.0
- MandrakeSoft Linux Mandrake 8.0.0
- MandrakeSoft Linux Mandrake 8.1.0
- MandrakeSoft Linux Mandrake 8.2.0
- MandrakeSoft Single Network Firewall 7.2.0
- RedHat Linux 6.2.0 alpha
- RedHat Linux 6.2.0 i386
- RedHat Linux 6.2.0 sparc
- RedHat Linux 7.0.0 alpha
- RedHat Linux 7.0.0 i386
- RedHat Linux 7.1.0 alpha
- RedHat Linux 7.1.0 i386
- RedHat Linux 7.1.0 ia64
- RedHat Linux 7.2.0 i386
- RedHat Linux 7.2.0 ia64
- S.u.S.E. Linux 8.0.0
- Trustix Secure Linux 1.1.0
- Trustix Secure Linux 1.2.0
- Trustix Secure Linux 1.5.0
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
