From: Dragos Ruiu
Reply-To: dr@kyx.net
Organization: all terrain ninjas
To: "Crist J. Clark", freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:29.tcpdump
Date: Sun, 14 Jul 2002 03:06:13 +0000
In-Reply-To: <20020714085734.GD56656@blossom.cjclark.org>
Message-Id: <200207140306.13058.dr@kyx.net>

Or as a workaround use snort. It's been heavily audited and has a
much smaller and easier to debug decode engine. Save files off line
and use ethereal if the minimal decode engine is insufficient.
Run chrooted if feeling insecure still. (see man page and faq)

cheers,
--dr

Sigh... and I thought tcpdump had been through the fires....
It's gonna wind up giving sendmail a run for the money
for the "Pit of Infinite Flaws" title :-).

On July 14, 2002 08:57 am, Crist J. Clark wrote:
> On Sat, Jul 13, 2002 at 07:31:27PM +0200, Oliver Fromme wrote:
> > FreeBSD Security Advisories wrote:
> > > [...]
> > > IV. Workaround
> > >
> > > There is no workaround, other than not using tcpdump.
> >
> > Well, you can at least set up the system in a way so you
> > don't have to run tcpdump as root: Create a special group,
> > chgrp /dev/bpf* to that group and make them group-readable
> > (writable is not required). Then add all users to that
> > group which should be allowed to use tcpdump.
>
> tcpdump(8) can still be exploited to run arbitrary code as that user.
>
> > An even better approach would be to create a pseudo user
> > (similar to the nobody user) which is a member of the
> > tcpdump group, and write a small wrapper script which
> > uses /usr/bin/su to call tcpdump as that pseudo-user.
> >
> > Of course, that's only a quick workaround, not a solution.
>
> It's not really a workaround, it just mitigates the potential for
> damage should the bug be exploited.
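The privilege-reduction scheme quoted in this thread (a dedicated group owning /dev/bpf*, a pseudo-user in that group, and a wrapper that drops to it through /usr/bin/su) as an added worked example; this is not code from the thread or from FreeBSD. The pseudo-user name `_tcpdump` and group name `bpf` are assumed, the wrapper assumes it is started as root (for example from sudo or cron), since su(1) only switches to another account without a password when the caller is root, and it relies on FreeBSD's `su -m` (keep environment) and `-c` (run command) flags.

```sh
#!/bin/sh
# Added example, not from the thread: run tcpdump as an unprivileged
# pseudo-user so that a decoder bug yields that user's rights, not root's.
# Assumed names: pseudo-user "_tcpdump", group "bpf" (both hypothetical).
# Assumes a FreeBSD-style su(1): "-m" keeps the environment, "-c" runs a command.

TCPDUMP_USER="${TCPDUMP_USER:-_tcpdump}"
BPF_GROUP="${BPF_GROUP:-bpf}"
DEV_DIR="${DEV_DIR:-/dev}"
TCPDUMP_BIN="${TCPDUMP_BIN:-/usr/sbin/tcpdump}"

# Permission string (9 chars, e.g. "rw-r-----") of a file, read via ls(1)
# so it works on FreeBSD and Linux alike (their stat(1) flags differ).
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# One-time setup: hand /dev/bpf* to the capture group, read-only for the
# group and closed to everyone else.  Takes the device directory as an
# argument so it can be exercised against a scratch directory.
setup_bpf_perms() {
    dir="$1"
    grp="$2"
    for dev in "$dir"/bpf*; do
        [ -e "$dev" ] || continue
        chgrp "$grp" "$dev" || return 1
        chmod 0640 "$dev" || return 1
    done
    return 0
}

# Succeeds only if the node is group-readable (not writable) and carries no
# "other" bits at all; group-writable or world-readable bpf nodes fail.
check_bpf_perms() {
    case "$(mode_of "$1")" in
        r[w-]-r-----) return 0 ;;
        *) return 1 ;;
    esac
}

# su -c hands the command line to a shell, so every tcpdump argument is
# wrapped in single quotes (embedded quotes become '\'') to keep filter
# expressions such as "port 80" intact.
quote_args() {
    out=""
    for a in "$@"; do
        q=$(printf '%s' "$a" | sed "s/'/'\\\\''/g")
        out="$out '$q'"
    done
    printf '%s' "${out# }"
}

# Wrapper entry point: must be started as root (e.g. via sudo or cron),
# since su(1) switches to another account without a password only for root.
run_tcpdump_unprivileged() {
    exec /usr/bin/su -m "$TCPDUMP_USER" -c "$TCPDUMP_BIN $(quote_args "$@")"
}

# Usage:  tcpdump-wrap --setup            (once, as root)
#         tcpdump-wrap -n -i em0 port 80  (capture as $TCPDUMP_USER)
if [ "$#" -gt 0 ]; then
    case "$1" in
        --setup)
            setup_bpf_perms "$DEV_DIR" "$BPF_GROUP"
            for dev in "$DEV_DIR"/bpf*; do
                [ -e "$dev" ] || continue
                check_bpf_perms "$dev" || echo "warning: $dev has unexpected permissions" >&2
            done
            ;;
        *) run_tcpdump_unprivileged "$@" ;;
    esac
fi
```

Two caveats that the thread's own caveat ("it just mitigates the potential for damage") implies: the pseudo-user still has read access to every packet on the wire, so a compromise of it is a compromise of captured traffic, and on a devfs-based /dev the chgrp/chmod above do not survive a reboot and must be expressed as devfs rules instead.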