Red Hat Linux tcpdump Privilege Retention Weakness

info
discussion
exploit
solution
references

Red Hat Linux tcpdump Privilege Retention Weakness

By design, tcpdump on Red Hat Linux should lower its privileges from root to user pcap after it has begun reading from an interface. Due to a compilation error, this did not correctly occur unless manually specified at runtime with a command-line parameter. As a result tcpdump may run on systems with root privileges when administrators assume they've been dropped.