-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                               @stake, Inc.
                             www.atstake.com

                            Security Advisory

Advisory Name: tcpflow 0.2.0 Format String Vulnerability
 Release Date: 08/07/2003
  Application: tcpflow
     Platform: UNIX
     Severity: High or None (See Below)
       Author: Dave G.
Vendor Status: Vendor has fixed version
CVE Candidate: CAN-2003-0671
    Reference: www.atstake.com/research/advisories/2003/a080703-2.txt

Overview:

tcpflow is a network monitoring tool that records TCP sessions in an easy
to use and view manner. The tool contains a format string vulnerability
that is normally not exploitable: tcpflow has to run as root to open the
capture device, and the format string is supplied on its own command
line, so an attacker who can trigger it already has the privileges it
would grant. However, at least two network management tools
(IPNetMonitorX and IPNetSentryX) wrapped tcpflow in a privileged helper
and passed untrusted input through to it, which made the vulnerability
exploitable for privilege escalation.

-IMPORTANT NOTE-

This advisory is being released to inform other developers who may rely
on this tool, and to serve as an addendum to the @stake advisory
entitled: "Sustworks Unauthorized Network Monitoring and tcpflow Format
String Attack."

Details:

tcpflow contains a format string vulnerability in its handling of the
error returned when a device is opened via libpcap. This code snippet is
from the current version of tcpflow:

From tcpflow:main.c
-------------------

    /* make sure we can open the device */
    if ((pd = pcap_open_live(device, SNAPLEN, !no_promisc, 1000, error)) == NULL)
        die(error);          /* error (which embeds the device name) becomes the format string */

    /* drop root privileges - we don't need them any more */
    setuid(getuid());

As we can see, if the call to pcap_open_live() fails, the error message is
passed to an error handling and cleanup function called die(). This
happens just before privileges are dropped by the application, so the
bug is reached while tcpflow is still root. Looking at the code snippets
below, we can see that this error message is passed as the format string
to the vfprintf() call inside print_debug_message(). Since libpcap
includes the device name in its error text, and the device name is
specified by the user (-i), an attacker can supply format specifiers
that vfprintf() will interpret, reading from or (with %n) writing to the
stack.

From tcpflow:util.c
-------------------

    void die(char *fmt, ...)
    {
        va_list ap;

        va_start(ap, fmt);
        print_debug_message(fmt, ap);   /* fmt is the caller's untrusted message */
        exit(1);
    }

    /*
     * Print a debugging message, given a va_list
     */
    void print_debug_message(char *fmt, va_list ap)
    {
        /* print debug prefix */
        fprintf(stderr, "%s: ", debug_prefix);

        /* print the var-arg buffer passed to us */
        vfprintf(stderr, fmt, ap);      /* format string vulnerability: fmt is attacker-controlled */

        /* add newline */
        fprintf(stderr, "\n");
        (void) fflush(stderr);
    }

To test whether your version of tcpflow is vulnerable, execute tcpflow as
root with the command line argument -i %x%x%x%x%x%x. If the tcpflow error
message contains a run of hexadecimal digits where the device name should
be, the %x specifiers were interpreted and your version is vulnerable. A
fixed version prints the device name literally, as %x%x%x%x%x%x. For
example:

    bash-2.05a$ sudo bash
    bash-2.05a# tcpflow -i %x%x%x%x%x%x
    tcpflow[1195]: BIOCSETIF: 1a45017646365206e1a010365c: Device not configured

Vendor Response:

There is an updated version of tcpflow available from
http://www.circlemud.org/~jelson/software/tcpflow.

Recommendation:

Upgrade tcpflow and ensure that it is not setuid root. If you ship a
privileged wrapper that invokes tcpflow, do not pass untrusted input to
its -i argument.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues. These are candidates for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

  CAN-2003-0671  tcpflow format string vulnerability through RunTCPFlow

@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

@stake is currently seeking application security experts to fill several
consulting positions. Applicants should have strong application
development skills and be able to perform application security design
reviews, code reviews, and application penetration testing. Please send
resumes to jobs@atstake.com.

Copyright 2003 @stake, Inc. All rights reserved.
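The following is an added example and is not code from the advisory or from tcpflow. It models the vulnerable die() -> vfprintf() pattern described in Details beside the standard repair, passing the untrusted message as a "%s" argument to a constant format (die("%s", error)), and implements the advisory's -i %x%x%x%x%x%x check as a function that reports whether a string carries printf conversions. build_pcap_error() is a constructed stand-in for how libpcap fills its error buffer (the real text comes from libpcap, not from this code), and DEBUG_PREFIX, die_vulnerable(), die_fixed() and contains_conversion() are names chosen for this example.

```c
/*
 * Added example (not from the @stake advisory or the tcpflow source).
 * A libpcap-style error message that embeds the user-supplied device name
 * reaches vsnprintf() as the FORMAT argument in the vulnerable routine;
 * the fixed routine passes the same message through a constant "%s".
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define DEBUG_PREFIX "tcpflow"   /* stands in for tcpflow's debug_prefix */

/* Constructed stand-in for libpcap's error text when the BIOCSETIF ioctl
 * fails: the device name the user gave with -i is copied into the message. */
void build_pcap_error(char *errbuf, size_t n, const char *device)
{
    snprintf(errbuf, n, "BIOCSETIF: %s: Device not configured", device);
}

/* Vulnerable pattern, equivalent to die() -> print_debug_message():
 * the caller's message is used as the format string. Calling this with a
 * message containing conversions and no matching arguments is undefined
 * behaviour; on a real stack each "%x" prints whatever lies above the frame. */
void die_vulnerable(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    size_t used;

    snprintf(out, n, "%s: ", DEBUG_PREFIX);
    used = strlen(out);
    va_start(ap, fmt);
    vsnprintf(out + used, n - used, fmt, ap);   /* BUG: fmt is attacker data */
    va_end(ap);
}

/* Fixed pattern, i.e. die("%s", error): the untrusted text is a %s argument,
 * so a "%x" inside the device name is copied literally, never interpreted. */
void die_fixed(char *out, size_t n, const char *msg)
{
    snprintf(out, n, "%s: %s", DEBUG_PREFIX, msg);
}

/* Mirrors the advisory's -i %x%x%x%x%x%x test: returns 1 if the string holds
 * a conversion that printf would act on ("%%" is a literal percent sign). */
int contains_conversion(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        return 1;               /* '%' followed by a conversion character */
    }
    return 0;
}

int main(void)
{
    char err[128], out[256];
    const char *device = "%x%x%x%x%x%x";   /* constructed attacker input for -i */

    build_pcap_error(err, sizeof err, device);
    printf("libpcap error text       : %s\n", err);
    printf("contains conversions?    : %d\n", contains_conversion(err));

    die_fixed(out, sizeof out, err);
    printf("die(\"%%s\", error) output : %s\n", out);

    /* The vulnerable path is only exercised with a name that carries no
     * conversions; with the attacker string above it would dump the stack. */
    build_pcap_error(err, sizeof err, "en0");
    die_vulnerable(out, sizeof out, err);
    printf("die(error) with safe name: %s\n", out);
    return 0;
}
```

The ordering bug in main.c matters as much as the format string: die() runs before setuid(getuid()), so any write primitive obtained through %n executes as root. Dropping privileges before reporting the error, and never installing tcpflow setuid root, closes that window independently of the "%s" fix.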
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPzK7SEe9kNIfAm4yEQLIQgCg2FsuanlbSV/45hkgxBOE8GvKOlsAoKQt
TgybHf+i2Zo041zjMRMEOZCx
=B4H2
-----END PGP SIGNATURE-----