{
  "vuid": "VU#797201",
  "idnumber": "797201",
  "name": "tcpdump vulnerable to buffer overflow via improper decoding of AFS RPC (Rx) packets",
  "keywords": ["tcpdump", "integer overflow", "afs", "rpc", "signed integer", "print-rx.c", "RX", "STROUT()", "sniffer", "decode", "buffer overflow"],
  "overview": "A vulnerability exists in tcpdump that could allow a remote attacker to execute arbitrary code with the privileges of tcpdump, typically root.",
  "clean_desc": "tcpdump is a widely used network sniffer that is capable of decoding AFS traffic. A buffer overflow vulnerability has been discovered in tcpdump's handling of AFS RPC (Rx) packets. Rx is the proprietary remote procedure call (RPC) protocol used by AFS to communicate between AFS processes running on different systems. According to FreeBSD Security Advisory FreeBSD-SA-01:48, this vulnerability is caused by \"...incorrect string length handling in the decoding of AFS RPC packets.\" The affected code is the Rx decoder in print-rx.c, whose STROUT() macro copies variable-length strings from the packet into a fixed-size buffer; the fix is the print-rx.c revision 1.22 to 1.23 change listed under References.",
  "impact": "A remote attacker who is able to get crafted AFS RPC (Rx) packets in front of a system running tcpdump may be able to execute arbitrary code or cause a denial of service on that system. The packets need not be addressed to the capturing host: tcpdump opens the capture interface in promiscuous mode by default, so delivering them to the Ethernet segment on which tcpdump is listening is enough. tcpdump needs root privileges to open the capture interface and, in the affected versions, decodes packets with those privileges. On Linux systems tcpdump therefore runs as root; on other UNIX systems it typically does as well. On Windows 2000 systems, windump can be run with user privileges.",
  "resolution": "Upgrade tcpdump.\nThis vulnerability was addressed in July 2001. tcpdump 3.6.2 and earlier are vulnerable; tcpdump3_6_rel3 and later are not. Obtain an upgraded tcpdump package or apply the appropriate patch from your vendor (the FreeBSD-SA-01:48 patch and the print-rx.c revision 1.23 change are listed under References).",
  "workarounds": "Filter AFS traffic.\nBlock AFS RPC (Rx) packets destined to hosts (and to networks containing hosts) running vulnerable versions of tcpdump. AFS services communicate on a number of UDP ports:\n7000/udp fileserver\n7001/udp callback (cache manager on AFS client)\n7002/udp ptserver\n7003/udp vlserver\n7004/udp kaserver\n7005/udp volserver\n7007/udp bosserver\n7008/udp upserver\n7009/udp rmtsysd (NFS/AFS translator)\n7021/udp buserver\n7025-65535/udp butc (backup servers)\nIt may also be possible to instruct tcpdump not to decode packets that use AFS Rx port numbers. In pcap filter syntax negation binds tighter than alternation, so the 'not' must be applied to the whole parenthesised list of ports; an unparenthesised 'not udp port 7000 or 7001 ...' negates only the first term and still captures the rest:\n$ tcpdump 'not (udp port 7000 or 7001 or 7002 or 7003 or 7004 or 7005 or 7006 or 7007 or 7008 or 7009)'\nPorts 7021 and 7025 and above are not included in this filter, so backup-server (buserver, butc) traffic is still decoded. While blocking AFS Rx traffic into a network may protect internal hosts, it does not protect systems that run tcpdump at the network perimeter, such as an Intrusion Detection System (IDS). The filter also assumes that tcpdump selects the Rx decoder by UDP port number; this note has not verified how tcpdump decides that a given packet is Rx, and if the decoder can be reached on other ports, an attacker could bypass port-based filters simply by using non-AFS port numbers.",
  "sysaffected": "",
  "thanks": "The CERT Coordination Center thanks FreeBSD and tcpdump.org for information used in this document.",
  "author": "This document was written by Art Manion.",
  "public": [
    "http://www.securityfocus.com/bid/3065",
    "ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:48.tcpdump.asc",
    "ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:48/tcpdump-4.x.patch",
    "http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-rx.c?r1=1.22&r2=1.23"
  ],
  "cveids": ["CVE-2001-1279"],
  "certadvisory": "",
  "uscerttechnicalalert": null,
  "datecreated": "2001-07-17T19:45:14Z",
  "publicdate": "2001-07-09T00:00:00Z",
  "datefirstpublished": "2002-06-07T22:17:07Z",
  "dateupdated": "2002-06-12T21:15:48Z",
  "revision": 45,
  "vrda_d1_directreport": "",
  "vrda_d1_population": "",
  "vrda_d1_impact": "",
  "cam_widelyknown": "15",
  "cam_exploitation": "0",
  "cam_internetinfrastructure": "5",
  "cam_population": "12",
  "cam_impact": "18",
  "cam_easeofexploitation": "9",
  "cam_attackeraccessrequired": "15",
  "cam_scorecurrent": "10.935",
  "cam_scorecurrentwidelyknown": "13.66875",
  "cam_scorecurrentwidelyknownexploited": "24.60375",
  "ipprotocol": "",
  "cvss_accessvector": "",
  "cvss_accesscomplexity": "",
  "cvss_authentication": null,
  "cvss_confidentialityimpact": "",
  "cvss_integrityimpact": "",
  "cvss_availabilityimpact": "",
  "cvss_exploitablity": null,
  "cvss_remediationlevel": "",
  "cvss_reportconfidence": "",
  "cvss_collateraldamagepotential": "",
  "cvss_targetdistribution": "",
  "cvss_securityrequirementscr": "",
  "cvss_securityrequirementsir": "",
  "cvss_securityrequirementsar": "",
  "cvss_basescore": "",
  "cvss_basevector": "",
  "cvss_temporalscore": "",
  "cvss_environmentalscore": "",
  "cvss_environmentalvector": "",
  "metric": 10.935,
  "vulnote": null
}
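As an added illustration (not tcpdump's code and not the actual print-rx.c change), the following C models the bug class the FreeBSD advisory names, incorrect string length handling in a packet decoder: a decoder that checks a packet-supplied string length against the bytes left in the packet but not against its fixed-size destination buffer, beside a hardened version that checks both and compares lengths as unsigned values. The wire layout assumed here (a 32-bit big-endian length followed by the string bytes), the 16-byte destination, the 64-byte arena used to observe the overflow, and the packet contents are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed wire layout for this example: 32-bit big-endian length, then that
 * many bytes of string data. */
static uint32_t rd32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Naive decoder: the length is checked only against what is left in the
 * packet, the copy is clamped to the buffer, but the terminator is written at
 * s[len], an index the attacker chose. Any len >= cap writes past the buffer.
 * Returns the decoded length, or -1 if the packet is truncated. */
int naive_strout(const unsigned char *bp, size_t remaining, char *s, size_t cap)
{
    if (remaining < 4)
        return -1;
    uint32_t len = rd32(bp);
    bp += 4;
    remaining -= 4;
    if (len > remaining)                  /* guards the read, not the write */
        return -1;
    memcpy(s, bp, len < cap ? len : cap);
    s[len] = '\0';                        /* BUG: attacker-controlled index */
    return (int)len;
}

/* Hardened decoder: the length must fit both the packet and the destination
 * (with room for the terminator). All comparisons are unsigned, so a length
 * with the top bit set cannot slip through as a negative signed int. */
int safe_strout(const unsigned char *bp, size_t remaining, char *s, size_t cap)
{
    if (remaining < 4)
        return -1;
    uint32_t len = rd32(bp);
    bp += 4;
    remaining -= 4;
    if (len > remaining || len >= cap)
        return -1;
    memcpy(s, bp, len);
    s[len] = '\0';
    return (int)len;
}

/* Build a constructed packet: 4-byte length field followed by body bytes. */
static size_t build_pkt(unsigned char *out, uint32_t claimed_len,
                        const char *body, size_t body_len)
{
    out[0] = (unsigned char)(claimed_len >> 24);
    out[1] = (unsigned char)(claimed_len >> 16);
    out[2] = (unsigned char)(claimed_len >> 8);
    out[3] = (unsigned char)claimed_len;
    memcpy(out + 4, body, body_len);
    return 4 + body_len;
}

/* Feed a 40-byte string to the naive decoder with a 16-byte destination. The
 * destination is the first 16 bytes of a 64-byte arena, so the out-of-bounds
 * write lands in memory we can inspect instead of crashing the process.
 * Returns the number of guard bytes clobbered (expected: 1, the terminator
 * written at arena[40]). */
int naive_guard_bytes_clobbered(void)
{
    unsigned char pkt[4 + 40];
    char body[40];
    memset(body, 'A', sizeof body);
    size_t n = build_pkt(pkt, 40, body, sizeof body);

    char arena[64];
    memset(arena, 0x5a, sizeof arena);
    naive_strout(pkt, n, arena, 16);      /* s = arena[0..15], guard = arena[16..63] */

    int clobbered = 0;
    for (size_t i = 16; i < sizeof arena; i++)
        if (arena[i] != 0x5a)
            clobbered++;
    return clobbered;
}

/* The same packet through the hardened decoder: rejected, arena untouched.
 * Returns 1 on that outcome, 0 otherwise. */
int safe_rejects_oversized(void)
{
    unsigned char pkt[4 + 40];
    char body[40];
    memset(body, 'A', sizeof body);
    size_t n = build_pkt(pkt, 40, body, sizeof body);

    char arena[64];
    memset(arena, 0x5a, sizeof arena);
    int rc = safe_strout(pkt, n, arena, 16);
    for (size_t i = 0; i < sizeof arena; i++)
        if (arena[i] != 0x5a)
            return 0;
    return rc == -1;
}

int main(void)
{
    printf("naive decoder clobbered %d guard byte(s)\n", naive_guard_bytes_clobbered());
    printf("hardened decoder rejected oversized string: %s\n",
           safe_rejects_oversized() ? "yes" : "no");
    return 0;
}
```

The point of the arena is only to make the overflow observable without a crash; in the real decoder the bytes beyond the string buffer are whatever sits next to it on the stack, which is why a single attacker-chosen write is enough for code execution with tcpdump's privileges.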