tcpdump AFS ACL Packet Buffer Overflow Vulnerability

tcpdump is a popular network monitoring tool, written by the Lawrence Berkeley Laboratory, used for watching network traffic. It must at least begin execution as root, since it opens and reads from the link-layer interface (through pcap). It is usually run directly by or as root.

tcpdump is vulnerable to a remotely exploitable buffer overflow in its parsing of AFS ACL packets. This is likely the result of the AFS packet fields received over a network interface being copied into memory buffers of predefined length without checks for size. The excessive data, if constructed correctly, could be used to overwrite stack variables and allow the attacker (who would have sent the custom ACL packets) to gain remote access to the victim host.

Exploitation of this vulnerability would likely yield root access for the perpetrator.
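
The unchecked copy described above, shown next to a bounded version, as an added example that is not tcpdump's own code. The wire layout (4-byte big-endian length followed by the ACL text) and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical wire layout, not the real AFS encoding: a 4-byte
 * big-endian length followed by that many bytes of ACL text. */
#define ACL_HDR 4

uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unchecked pattern: the length is taken from the packet and trusted,
 * so a value larger than the destination writes past the end of dst. */
void copy_acl_unchecked(const uint8_t *pkt, char *dst)
{
    uint32_t len = read_be32(pkt);
    memcpy(dst, pkt + ACL_HDR, len);  /* no bound on dst or captured bytes */
    dst[len] = '\0';
}

/* Bounded version: returns the number of bytes copied, or -1 when the
 * field is truncated or does not fit in dst (including the terminator). */
int copy_acl_checked(const uint8_t *pkt, size_t caplen,
                     char *dst, size_t dst_size)
{
    uint32_t len;

    if (dst_size == 0 || caplen < ACL_HDR)
        return -1;                    /* header itself not captured */
    len = read_be32(pkt);
    if (len > caplen - ACL_HDR)
        return -1;                    /* claims more than was captured */
    if (len >= dst_size)
        return -1;                    /* would overflow dst */
    memcpy(dst, pkt + ACL_HDR, len);
    dst[len] = '\0';
    return (int)len;
}
```

The bounded version checks the declared length against both the bytes actually captured and the destination size, which are the two limits a packet dissector has to respect for every variable-length field.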


Copyright 2010, SecurityFocus