1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
|
Rule:
--
Sid:
100000134
--
Summary:
This event is generated when an attempt is made to exploit a known
vulnerability in Tcpdump. In particular, this event indicates that the exploit
was attempted via a malformed Resource Reservation Protocol (RSVP) packet.
--
Impact:
Serious. Denial of Service (DoS). Code execution may be possible.
--
Detailed Information:
Tcpdump is a packet capture utility used on various BSD, Linux and UNIX style
operating systems.
An error in the processing of the payload length in an RSVP packet may prevent
an attacker with the opportunity to overflow a fixed length buffer and execute
code of their choosing in the context of the user running tcpdump. This is
normally the super-user or administrator when tcpdump is used to sniff data
directly from a network interface.
--
Affected Systems:
Tcpdump 3.9.1 and prior
Ethereal 0.10.10 and prior
--
Attack Scenarios:
An attacker need to craft an RSVP packet with a packet payload length of 0 to
cause the overflow to manifest itself.
--
Ease of Attack:
Simple. Exploit code exists.
--
False Positives:
None Known
--
False Negatives:
None Known
--
Corrective Action:
Apply the appropriate vendor supplied patch
Upgrade to the latest non-affected version of the software.
--
Contributors:
Sourcefire Vulnerability Research Team
Alex Kirk <akirk@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>
--
Additional References:
--
|
