Bugtraq mailing list archives

Re: FreeBSD-SA-01:48: tcpdump contains remote buffer overflow


From: antirez <antirez () invece org>
Date: Wed, 18 Jul 2001 22:10:46 +0200

On Wed, Jul 18, 2001 at 12:37:15PM -0600, aleph1 () securityfocus com wrote:
> II.  Problem Description
> [snip]
> buffer causing the local tcpdump process to crash.  In addition, it
> may be possible to execute arbitrary code with the privileges of the
> user running tcpdump, often root.

We see buffer overflows and other security problems in
code that runs as root only to access the data link layer
or similar interfaces many times. Think of tcpdump,
ping, traceroute, ...

Almost all the people in this list know how it is possible to
gain the access to the privileged resource in the
first lines of code, since in unix usually if you open
the device you take the interface, then drop the privileges. This
will mitigate a bit this kind of vulnerability and
is very simple to do. Maybe all the programs that
don't do this should be modified: very little effort but
a relative enhancement in security.

Sure, there are operating system extensions that
can handle the problem better, like capabilities, but
maybe it is important to remember that often setuid() & co.
are a way to reach a similar effect in a portable way.

regards,
antirez

-- 
Salvatore Sanfilippo <antirez () invece org>
http://www.kyuzz.org/antirez
finger antirez () tella alicom com for PGP key
28 52 F5 4A 49 65 34 29 - 1D 1B F6 DA 24 C7 12 BF
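
The pattern described in the message above (take the privileged resource first, then give up root before handling untrusted data), as an added example that is not part of the original post or of tcpdump's code. The name `drop_privileges`, the raw ICMP socket standing in for the capture device, and uid/gid 65534 as the "nobody" account are assumptions.

```c
#define _DEFAULT_SOURCE           /* exposes setgroups() on glibc */
#include <stdio.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Permanently switch to uid/gid. Returns 0 on success, -1 on failure.
 * Order matters: groups and gid go first, because after setuid() the
 * process no longer has the right to change them. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;                     /* "dropping" to root is a caller bug */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;                     /* shed root's supplementary groups */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop is irreversible: regaining root must fail. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getegid() != gid)
        return -1;
    return 0;
}

int main(void)
{
    /* Step 1: take the privileged resource while still root. */
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd < 0)
        perror("raw socket (needs root)");

    /* Step 2: drop root before any untrusted packet is parsed.
     * setuid-root binary: return to the invoking user.
     * Started by root itself: fall back to 65534 (assumed "nobody"). */
    uid_t uid = getuid() ? getuid() : 65534;
    gid_t gid = getuid() ? getgid() : 65534;
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "cannot drop privileges, aborting\n");
        return 1;                      /* never continue as root */
    }

    /* Step 3: packet parsing would run here; fd stays usable. */
    printf("uid=%d euid=%d fd=%d\n", (int)getuid(), (int)geteuid(), fd);
    return 0;
}
```

The descriptor opened in step 1 survives the drop, so a parser bug reached in step 3 runs with the unprivileged ids rather than root's.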

