From owner-freebsd-hackers Wed Jun 30 9:24:12 1999 Delivered-To: freebsd-hackers@freebsd.org Received: from wopr.caltech.edu (wopr.caltech.edu [131.215.240.222]) by hub.freebsd.org (Postfix) with ESMTP id 272E0155E4; Wed, 30 Jun 1999 09:24:04 -0700 (PDT) (envelope-from mph@wopr.caltech.edu) Received: (from mph@localhost) by wopr.caltech.edu (8.9.3/8.9.1) id JAA51776; Wed, 30 Jun 1999 09:23:58 -0700 (PDT) (envelope-from mph) Date: Wed, 30 Jun 1999 09:23:58 -0700 From: Matthew Hunt To: Bill Fumerola Cc: "David O'Brien" , Bill Fumerola , hackers@FreeBSD.ORG Subject: Re: tcpdump(1) additions. Message-ID: <19990630092358.A51584@wopr.caltech.edu> References: <19990630011532.A97926@dragon.nuxi.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.4i In-Reply-To: ; from Bill Fumerola on Wed, Jun 30, 1999 at 05:53:41AM -0400 Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Wed, Jun 30, 1999 at 05:53:41AM -0400, Bill Fumerola wrote: > > I should warn you though that there are some security issues with my > > tcpdump-smb patches. It is possible for a malicious user to put > > packets on the wire that will cause a buffer overflow in the SMB > > parser in that code. That could lead to a root exploit. > > > > I just haven't got around to fixing it yet. > > Hmmm.. but a non-superuser never sees any of those malicious packets, and > the program is not installed suid, so how would that happen? I think the point is that when root is running tcpdump on host A, a bad guy on host B can create a packet which makes tcpdump on A execute his code (as root, since that's who's running it). This is not desirable. -- Matthew Hunt * Stay close to the Vorlon. http://www.pobox.com/~mph/ * To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message