The return value of a call to snprintf is not sanitized before being used in an addition to calculate the number of bytes remaining in the buffer within a loop. The result is a remotely exploitable buffer overflow, since the length calculation will eventually underflow and thus make the length parameter of subsequent snprintf calls irrelevant.

mu-b@mu-b ~ $ sudo gdb /usr/sbin/tcpdump
GNU gdb 6.6
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...
(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) r -i lo -s 16384 -vvv
Starting program: /usr/sbin/tcpdump -i lo -s 16384 -vvv
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 16384 bytes
15:46:54.464044 IP (tos 0x0, ttl 255, id 29122, offset 0, flags [none], proto: TCP (6), length: 552) 1.2.3.4.65535 > mu-b.65535.com.bgp: P, cksum 0x0000 (incorrect (-> 0x01c9), 1732610923:1732611435(512) win 0: BGP, length: 512
        Update Message (2), length: 512
          Multi-Protocol Reach NLRI (14), length: 255
            AFI: Layer-2 VPN (196), SAFI: labeled VPN Unicast (128), nh-length: 0, no SNPA
              RD: unknown RD format, CE-ID: 65535, Label-Block Offset: 65535, Label Base 1048575

Program received signal SIGSEGV, Segmentation fault.
0x34313431 in ?? ()
(gdb) bt
#0  0x34313431 in ?? ()
#1  0x34313431 in ?? ()
#2  0x34313431 in ?? ()
#3  0x34313431 in ?? ()
#4  0x34313431 in ?? ()
#5  0x34313431 in ?? ()
#6  0x34313431 in ?? ()
#7  0x34313431 in ?? ()
#8  0x34313431 in ?? ()
#9  0x34313431 in ?? ()
#10 0x34313431 in ?? ()
#11 0x34313431 in ?? ()
#12 0x34313431 in ?? ()
#13 0x34313431 in ?? ()
#14 0x34313431 in ?? ()
#15 0x34313431 in ?? ()
#16 0x34313431 in ?? ()
#17 0x34313431 in ?? ()

Reproducible: Always

Steps to Reproduce:
1. run tcpdump within gdb.
2. execute the PoC against the machine.

Actual Results:
(identical to the gdb session above)

a patch is provided at: http://www.digit-labs.org/files/patches/private/print-bgp.c-diff
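The following is an added illustration of the length-accounting flaw described in this report and of the hardened pattern upstream later settled on (keep walking the TLVs, stop appending once the string buffer is full). It is not tcpdump's print-bgp.c and not the attached patch; the function and struct names are hypothetical, and the TLV strings are constructed samples lifted from the text of the dump above, not packet bytes. The buggy variant only tracks the counter on a dry run with snprintf(NULL, 0, ...), so nothing out of bounds is ever written.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input: per-TLV text a dissector might emit for the
 * NLRI in the dump above. Text only; no packet bytes are reproduced. */
static const char *const sample_tlvs[] = {
    "AFI: Layer-2 VPN (196), SAFI: labeled VPN Unicast (128)",
    "RD: unknown RD format, CE-ID: 65535",
    "Label-Block Offset: 65535, Label Base 1048575",
    "Label-Block Offset: 65535, Label Base 1048575",
};
#define NSAMPLE (sizeof sample_tlvs / sizeof sample_tlvs[0])

/* The bookkeeping flaw from the report, as a dry run. snprintf returns the
 * length the text WOULD have had, not what was stored, so subtracting it
 * blindly drives "remaining" negative (or wraps it to a huge value when the
 * counter is unsigned). snprintf(NULL, 0, ...) yields that same return
 * value without writing anywhere, so no buffer is touched here. */
int buggy_remaining_after(int buflen, const char *const *tlvs, size_t ntlvs)
{
    int remaining = buflen;
    for (size_t i = 0; i < ntlvs; i++) {
        int n = snprintf(NULL, 0, "%s%s", i ? ", " : "", tlvs[i]);
        remaining -= n;   /* unchecked subtraction: the bug */
    }
    return remaining;
}

/* Hardened appender (hypothetical names): every append compares the
 * vsnprintf result with the space actually left, and once the buffer is
 * full the string stops growing while the caller keeps processing TLVs. */
struct strbuf {
    char *buf;
    size_t cap;      /* bytes available, including the terminating NUL */
    size_t len;      /* bytes used, excluding the NUL */
    int truncated;   /* set once an append did not fit */
};

static void sb_init(struct strbuf *sb, char *storage, size_t cap)
{
    sb->buf = storage; sb->cap = cap; sb->len = 0; sb->truncated = 0;
    if (cap)
        storage[0] = '\0';
}

/* Returns 1 if the text was appended in full, 0 if dropped or truncated. */
static int sb_appendf(struct strbuf *sb, const char *fmt, ...)
{
    if (sb->truncated || sb->len >= sb->cap) {
        sb->truncated = 1;
        return 0;
    }
    size_t space = sb->cap - sb->len;    /* at least 1 here */
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(sb->buf + sb->len, space, fmt, ap);
    va_end(ap);
    if (n < 0) {                          /* encoding error: treat as full */
        sb->truncated = 1;
        return 0;
    }
    if ((size_t)n >= space) {             /* did not fit: space-1 chars stored */
        sb->len = sb->cap - 1;
        sb->truncated = 1;
        return 0;
    }
    sb->len += (size_t)n;
    return 1;
}

/* Formats all TLVs into out[cap] and returns how many fit in full. Every TLV
 * is still visited, where a real dissector would parse and validate it. */
size_t format_tlvs(char *out, size_t cap, const char *const *tlvs, size_t ntlvs)
{
    struct strbuf sb;
    sb_init(&sb, out, cap);
    size_t appended = 0;
    for (size_t i = 0; i < ntlvs; i++) {
        if (sb_appendf(&sb, "%s%s", i ? ", " : "", tlvs[i]))
            appended++;
    }
    return appended;
}

int main(void)
{
    char out[64];
    printf("buggy remaining after %zu TLVs in a 64-byte buffer: %d\n",
           (size_t)NSAMPLE, buggy_remaining_after((int)sizeof out, sample_tlvs, NSAMPLE));
    size_t ok = format_tlvs(out, sizeof out, sample_tlvs, NSAMPLE);
    printf("hardened: %zu of %zu TLVs fit, strlen=%zu: \"%s\"\n",
           ok, (size_t)NSAMPLE, strlen(out), out);
    return 0;
}
```

With a 64-byte buffer the buggy counter is already negative after the four sample TLVs, which is the state in which a later call would receive an absurd size limit; the hardened path stores the first TLV, truncates the second at the buffer edge, keeps the string NUL-terminated, and still visits the remaining TLVs.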
Cool, nice find. Netmon: please comment.
tcpdump-0.9.5-r3 and tcpdump-0.9.6-r1 are in the tree. Note, in these versions I've added the feature requested in bug 176391, and now tcpdump by default drops its privileges to the tcpdump user. The last question I have: did anybody report this upstream? What does upstream say on the issue? Before stabilization, personally I'd like to hear from them... Since this bug seems to be open, I'll ask their opinion on tcpdump-workers.
hi arches, please stable tcpdump-0.9.5-r3. thx!
(In reply to comment #3)
> hi arches, please stable tcpdump-0.9.5-r3. thx!
>

bah, i'm out of training :/
Stabilize tcpdump-3.9.5-r3, and it should be open, no?
sparc stable for 3.9.5-r3.
alpha/ia64/x86 stable, thanks Tobias
Stable for HPPA.
net-analyzer/tcpdump-3.9.5-r3 amd64 stable
ppc stable
mips stable.
Upstream answered: "I reviewed the fix - it seemed a bit cleaner to have it continue processing the TLVs, without adding to the string, if the string buffer is full." I do not think we should change anything right now, but in case we have another revision for this tcpdump version, I think it's worth changing the tcpdump-3.9.6-bgp-integer-overflow patch to: http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-bgp.c?r1=1.91.2.11&r2=1.91.2.12
ppc64 stable
======================================================
Name: CVE-2007-3798
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3798
Reference: CONFIRM:http://bugs.gentoo.org/show_bug.cgi?id=184815

Integer overflow in print-bgp.c in the BGP dissector in tcpdump 3.9.6 and earlier allows remote attackers to execute arbitrary code via crafted TLVs in a BGP packet.
GLSA 200707-14, thanks everybody