Vulnerabilities > CVE-2007-3798 - Unchecked Return Value vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Integer overflow in print-bgp.c in the BGP dissector in tcpdump 3.9.6 and earlier allows remote attackers to execute arbitrary code via crafted TLVs in a BGP packet, related to an unchecked return value.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
description | tcpdump Print-bgp.C Remote Integer Underflow Vulnerability. CVE-2007-3798. Remote exploit for linux platform |
id | EDB-ID:30319 |
last seen | 2016-02-03 |
modified | 2007-03-01 |
published | 2007-03-01 |
reporter | mu-b |
source | https://www.exploit-db.com/download/30319/ |
title | tcpdump Print-bgp.C Remote Integer Underflow Vulnerability |
Nessus
NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD2007-009.NASL description The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2007-009 applied. This update contains several security fixes for a large number of programs. last seen 2020-06-01 modified 2020-06-02 plugin id 29723 published 2007-12-18 reporter This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29723 title Mac OS X Multiple Vulnerabilities (Security Update 2007-009) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(29723); script_version("1.27"); script_cvs_date("Date: 2018/07/14 1:59:35"); script_cve_id("CVE-2006-0024", "CVE-2007-1218", "CVE-2007-1659", "CVE-2007-1660", "CVE-2007-1661", "CVE-2007-1662", "CVE-2007-3798", "CVE-2007-3876", "CVE-2007-4131", "CVE-2007-4351", "CVE-2007-4572", "CVE-2007-4708", "CVE-2007-4709", "CVE-2007-4710", "CVE-2007-4766", "CVE-2007-4767", "CVE-2007-4768", "CVE-2007-4965", "CVE-2007-5116", "CVE-2007-5379", "CVE-2007-5380", "CVE-2007-5398", "CVE-2007-5476", "CVE-2007-5770", "CVE-2007-5847", "CVE-2007-5848", "CVE-2007-5849", "CVE-2007-5850", "CVE-2007-5851", "CVE-2007-5853", "CVE-2007-5854", "CVE-2007-5855", "CVE-2007-5856", "CVE-2007-5857", "CVE-2007-5858", "CVE-2007-5859", "CVE-2007-5860", "CVE-2007-5861", "CVE-2007-5863", "CVE-2007-6077", "CVE-2007-6165"); script_bugtraq_id(17106, 22772, 24965, 25417, 25696, 26096, 26268, 26274, 26346, 26350, 26421, 26454, 26455, 26510, 26598, 26908, 26910, 26926); script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2007-009)"); script_summary(english:"Check for the presence of Security Update 2007-009"); script_set_attribute(attribute:"synopsis", value: "The remote host is missing a Mac OS X update that fixes various security issues."); script_set_attribute(attribute:"description", value: "The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2007-009 applied. This update contains several security fixes for a large number of programs."); script_set_attribute(attribute:"see_also", value:"http://docs.info.apple.com/article.html?artnum=307179"); script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html"); script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/advisories/13649"); script_set_attribute(attribute:"solution", value:"Install Security Update 2007-009."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Mail.app Image Attachment Command Execution'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_cwe_id(16, 20, 22, 79, 119, 134, 189, 200, 264, 287, 310, 362, 399); script_set_attribute(attribute:"vuln_publication_date", value:"2006/03/15"); script_set_attribute(attribute:"patch_publication_date", value:"2007/10/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/18"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/MacOSX/packages", "Host/uname"); exit(0); } uname = get_kb_item("Host/uname"); if ( ! uname ) exit(0); if ( egrep(pattern:"Darwin.* (8\.[0-9]\.|8\.1[01]\.)", string:uname) ) { packages = get_kb_item("Host/MacOSX/packages"); if ( ! packages ) exit(0); if (!egrep(pattern:"^SecUpd(Srvr)?(2007-009|200[89]-|20[1-9][0-9]-)", string:packages)) security_hole(0); } else if ( egrep(pattern:"Darwin.* (9\.[01]\.)", string:uname) ) { packages = get_kb_item("Host/MacOSX/packages/boms"); if ( ! packages ) exit(0); if ( !egrep(pattern:"^com\.apple\.pkg\.update\.security\.2007\.009\.bom", string:packages) ) security_hole(0); }
NASL family Fedora Local Security Checks NASL id FEDORA_2007-654.NASL description - CVE-2007-3798 Integer overflow in print-bgp.c in the BGP dissector in tcpdump 3.9.6 and earlier allows remote attackers to execute arbitrary code via crafted TLVs in a BGP packet, related to an unchecked return value. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 25839 published 2007-08-03 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/25839 title Fedora Core 6 : tcpdump-3.9.4-11.fc6 (2007-654) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2007-654. # include("compat.inc"); if (description) { script_id(25839); script_version ("1.14"); script_cvs_date("Date: 2019/08/02 13:32:26"); script_cve_id("CVE-2007-3798"); script_xref(name:"FEDORA", value:"2007-654"); script_name(english:"Fedora Core 6 : tcpdump-3.9.4-11.fc6 (2007-654)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora Core host is missing a security update." ); script_set_attribute( attribute:"description", value: " - CVE-2007-3798 Integer overflow in print-bgp.c in the BGP dissector in tcpdump 3.9.6 and earlier allows remote attackers to execute arbitrary code via crafted TLVs in a BGP packet, related to an unchecked return value. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); # https://lists.fedoraproject.org/pipermail/package-announce/2007-August/003059.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?d2bb7183" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_cwe_id(189); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:arpwatch"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:libpcap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:libpcap-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:tcpdump"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:tcpdump-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:6"); script_set_attribute(attribute:"patch_publication_date", value:"2007/08/01"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/08/03"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 6.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC6", reference:"arpwatch-2.1a13-18.fc6")) flag++; if (rpm_check(release:"FC6", reference:"libpcap-0.9.4-11.fc6")) flag++; if (rpm_check(release:"FC6", reference:"libpcap-devel-0.9.4-11.fc6")) flag++; if (rpm_check(release:"FC6", reference:"tcpdump-3.9.4-11.fc6")) flag++; if (rpm_check(release:"FC6", reference:"tcpdump-debuginfo-3.9.4-11.fc6")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "arpwatch / libpcap / libpcap-devel / tcpdump / tcpdump-debuginfo"); }
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2007-0368.NASL description Updated tcpdump packages that fix a security issue and functionality bugs are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Tcpdump is a command line tool for monitoring network traffic. Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE 802.11 processing code. If a certain link type was explicitly specified, an attacker could inject a carefully crafted frame onto the IEEE 802.11 network that could crash a running tcpdump session. (CVE-2007-1218) An integer overflow flaw was found in tcpdump last seen 2020-06-01 modified 2020-06-02 plugin id 27828 published 2007-11-08 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/27828 title RHEL 5 : tcpdump (RHSA-2007:0368) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2007:0368. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(27828); script_version ("1.23"); script_cvs_date("Date: 2019/10/25 13:36:12"); script_cve_id("CVE-2007-1218", "CVE-2007-3798"); script_bugtraq_id(24965); script_xref(name:"RHSA", value:"2007:0368"); script_name(english:"RHEL 5 : tcpdump (RHSA-2007:0368)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated tcpdump packages that fix a security issue and functionality bugs are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Tcpdump is a command line tool for monitoring network traffic. Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE 802.11 processing code. If a certain link type was explicitly specified, an attacker could inject a carefully crafted frame onto the IEEE 802.11 network that could crash a running tcpdump session. (CVE-2007-1218) An integer overflow flaw was found in tcpdump's BGP processing code. An attacker could execute arbitrary code with the privilege of the pcap user by injecting a crafted frame onto the network. (CVE-2007-3798) In addition, the following bugs have been addressed : * The arpwatch service initialization script would exit prematurely, returning an incorrect successful exit status and preventing the status command from running in case networking is not available. * Tcpdump would not drop root privileges completely when launched with the -C option. This might have been abused by an attacker to gain root privileges in case a security problem was found in tcpdump. Users of tcpdump are encouraged to specify meaningful arguments to the -Z option in case they want tcpdump to write files with privileges other than of the pcap user. Users of tcpdump are advised to upgrade to these erratum packages, which contain backported patches that correct these issues." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2007-1218" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2007-3798" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2007:0368" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(119, 189); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:arpwatch"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libpcap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libpcap-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tcpdump"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/03/02"); script_set_attribute(attribute:"patch_publication_date", value:"2007/11/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/08"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2007:0368"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"arpwatch-2.1a13-18.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"arpwatch-2.1a13-18.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"arpwatch-2.1a13-18.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"libpcap-0.9.4-11.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"libpcap-devel-0.9.4-11.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"tcpdump-3.9.4-11.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"tcpdump-3.9.4-11.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"tcpdump-3.9.4-11.el5")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "arpwatch / libpcap / libpcap-devel / tcpdump"); } }
NASL family Scientific Linux Local Security Checks NASL id SL_20071115_TCPDUMP_ON_SL4_X.NASL description Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE 802.11 processing code. An attacker could inject a carefully crafted frame onto the IEEE 802.11 network that could crash a running tcpdump session if a certain link type was explicitly specified. (CVE-2007-1218) An integer overflow flaw was found in tcpdump last seen 2020-06-01 modified 2020-06-02 plugin id 60310 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60310 title Scientific Linux Security Update : tcpdump on SL4.x i386/x86_64 code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text is (C) Scientific Linux. # include("compat.inc"); if (description) { script_id(60310); script_version("1.5"); script_cvs_date("Date: 2019/10/25 13:36:17"); script_cve_id("CVE-2007-1218", "CVE-2007-3798"); script_name(english:"Scientific Linux Security Update : tcpdump on SL4.x i386/x86_64"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Scientific Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE 802.11 processing code. An attacker could inject a carefully crafted frame onto the IEEE 802.11 network that could crash a running tcpdump session if a certain link type was explicitly specified. (CVE-2007-1218) An integer overflow flaw was found in tcpdump's BGP processing code. An attacker could execute arbitrary code with the privilege of the pcap user by injecting a crafted frame onto the network. (CVE-2007-3798) In addition, the following bugs have been addressed : - if called with -C and -W switches, tcpdump would create the first savefile with the privileges of the user that executed tcpdump (usually root), rather than with ones of the pcap user. This could result in the inability to save the complete traffic log file properly without the immediate notice of the user running tcpdump. - the arpwatch service initialization script would exit prematurely, returning a successful exit status incorrectly and preventing the status command from running in case networking is not available." ); # https://listserv.fnal.gov/scripts/wa.exe?A2=ind0711&L=scientific-linux-errata&T=0&P=4200 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?38b74fcf" ); script_set_attribute( attribute:"solution", value:"Update the affected arpwatch, libpcap and / or tcpdump packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_cwe_id(119, 189); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux"); script_set_attribute(attribute:"patch_publication_date", value:"2007/11/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Scientific Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux"); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu); flag = 0; if (rpm_check(release:"SL4", reference:"arpwatch-2.1a13-12.el4")) flag++; if (rpm_check(release:"SL4", reference:"libpcap-0.8.3-12.el4")) flag++; if (rpm_check(release:"SL4", reference:"tcpdump-3.8.2-12.el4")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-492-1.NASL description A flaw was discovered in the BGP dissector of tcpdump. Remote attackers could send specially crafted packets and execute arbitrary code with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 28094 published 2007-11-10 reporter Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/28094 title Ubuntu 6.06 LTS / 6.10 / 7.04 : tcpdump vulnerability (USN-492-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-492-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(28094); script_version("1.15"); script_cvs_date("Date: 2019/08/02 13:33:01"); script_cve_id("CVE-2007-3798"); script_bugtraq_id(24965); script_xref(name:"USN", value:"492-1"); script_name(english:"Ubuntu 6.06 LTS / 6.10 / 7.04 : tcpdump vulnerability (USN-492-1)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "A flaw was discovered in the BGP dissector of tcpdump. Remote attackers could send specially crafted packets and execute arbitrary code with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/492-1/" ); script_set_attribute( attribute:"solution", value:"Update the affected tcpdump package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(189); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:tcpdump"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:7.04"); script_set_attribute(attribute:"patch_publication_date", value:"2007/07/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/10"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! ereg(pattern:"^(6\.06|6\.10|7\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 6.06 / 6.10 / 7.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"6.06", pkgname:"tcpdump", pkgver:"3.9.4-2ubuntu0.2")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"tcpdump", pkgver:"3.9.4-4ubuntu0.2")) flag++; if (ubuntu_check(osver:"7.04", pkgname:"tcpdump", pkgver:"3.9.5-2ubuntu1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tcpdump"); }
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_FF284BF03F3211DCA79A0016179B2DD5.NASL description The remote host is missing an update to the system The following package is affected: tcpdump This plugin is deprecated by plugin ID 25833, freebsd_pkg_ff284bf03f3211dca79a0016179b2dd5.nasl last seen 2016-09-26 modified 2015-12-02 plugin id 25814 published 2007-07-31 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=25814 title FreeBSD : tcpdump -- remote integer underflow vulnerability (983) (deprecated) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2007-0387.NASL description Updated tcpdump packages that fix a security issue and functionality bugs are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Tcpdump is a command line tool for monitoring network traffic. Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE 802.11 processing code. An attacker could inject a carefully crafted frame onto the IEEE 802.11 network that could crash a running tcpdump session if a certain link type was explicitly specified. (CVE-2007-1218) An integer overflow flaw was found in tcpdump last seen 2020-06-01 modified 2020-06-02 plugin id 67051 published 2013-06-29 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67051 title CentOS 4 : tcpdump (CESA-2007:0387) NASL family Fedora Local Security Checks NASL id FEDORA_2007-1361.NASL description New upstream release. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 27711 published 2007-11-06 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27711 title Fedora 7 : tcpdump-3.9.7-1.fc7 (2007-1361) NASL family SuSE Local Security Checks NASL id SUSE_TCPDUMP-4036.NASL description This update fixes a buffer overlow that could be triggered when displaying BGP packets (CVE-2007-3798). last seen 2020-06-01 modified 2020-06-02 plugin id 27466 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27466 title openSUSE 10 Security Update : tcpdump (tcpdump-4036) NASL family Scientific Linux Local Security Checks NASL id SL_20071109_TCPDUMP_ON_SL5_X.NASL description Problem description : Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE 802.11 processing code. If a certain link type was explicitly specified, an attacker could inject a carefully crafted frame onto the IEEE 802.11 network that could crash a running tcpdump session. (CVE-2007-1218) An integer overflow flaw was found in tcpdump last seen 2020-06-01 modified 2020-06-02 plugin id 60299 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60299 title Scientific Linux Security Update : tcpdump on SL5.x i386/x86_64 NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2007-0387.NASL description Updated tcpdump packages that fix a security issue and functionality bugs are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Tcpdump is a command line tool for monitoring network traffic. Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE 802.11 processing code. An attacker could inject a carefully crafted frame onto the IEEE 802.11 network that could crash a running tcpdump session if a certain link type was explicitly specified. (CVE-2007-1218) An integer overflow flaw was found in tcpdump last seen 2020-06-01 modified 2020-06-02 plugin id 28235 published 2007-11-16 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/28235 title RHEL 4 : tcpdump (RHSA-2007:0387) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2007-230-01.NASL description New tcpdump packages are available for Slackware 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, and 12.0 to fix a security issue. last seen 2020-06-01 modified 2020-06-02 plugin id 25907 published 2007-08-21 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/25907 title Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 9.0 / 9.1 : tcpdump (SSA:2007-230-01) NASL family SuSE Local Security Checks NASL id SUSE9_11696.NASL description A buffer overflow has been found in tcpdump which can be triggered while displaying BGP packets. This could be exploited by an attacker to execute malicious code under the privileges of the user running tcpdump by presenting specially prepared BGP packets to tcpdump. This issue is tracked by CVE-2007-3798. last seen 2020-06-01 modified 2020-06-02 plugin id 41144 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41144 title SuSE9 Security Update : tcpdump (YOU Patch Number 11696) NASL family SuSE Local Security Checks NASL id SUSE_TCPDUMP-4037.NASL description This update fixes a buffer overlow that could be triggered when displaying BGP packets. (CVE-2007-3798) last seen 2020-06-01 modified 2020-06-02 plugin id 29588 published 2007-12-13 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29588 title SuSE 10 Security Update : tcpdump (ZYPP Patch Number 4037) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1353.NASL description It was discovered that an integer overflow in the BGP dissector of tcpdump, a powerful tool for network monitoring and data acquisition, may lead to the execution of arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 25861 published 2007-08-13 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/25861 title Debian DSA-1353-1 : tcpdump - integer overflow NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2007-148.NASL description An integer overflow in tcpdump could allow a remote attacker to execute arbitrary code via crafted TLVs in a BGP packet. Updated packages have been patched to prevent this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 25794 published 2007-07-27 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/25794 title Mandrake Linux Security Advisory : tcpdump (MDKSA-2007:148) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_2DC764FA40C011DCAEAC02E0185F8D72.NASL description An un-checked return value in the BGP dissector code can result in an integer overflow. This value is used in subsequent buffer management operations, resulting in a stack based buffer overflow under certain circumstances. Impact : By crafting malicious BGP packets, an attacker could exploit this vulnerability to execute code or crash the tcpdump process on the target system. This code would be executed in the context of the user running tcpdump(1). It should be noted that tcpdump(1) requires privileges in order to open live network interfaces. Workaround : No workaround is available. last seen 2020-06-01 modified 2020-06-02 plugin id 25833 published 2007-08-02 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/25833 title FreeBSD : FreeBSD -- Buffer overflow in tcpdump(1) (2dc764fa-40c0-11dc-aeac-02e0185f8d72) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200707-14.NASL description The remote host is affected by the vulnerability described in GLSA-200707-14 (tcpdump: Integer overflow) mu-b from Digital Labs discovered that the return value of a snprintf() call is not properly checked before being used. This could lead to an integer overflow. Impact : A remote attacker could send specially crafted BGP packets on a network being monitored with tcpdump, possibly resulting in the execution of arbitrary code with the privileges of the user running tcpdump, which is usually root. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 25810 published 2007-07-30 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/25810 title GLSA-200707-14 : tcpdump: Integer overflow
Oval
accepted | 2013-04-29T04:22:02.123-04:00 | ||||||||||||||||||||||||
class | vulnerability | ||||||||||||||||||||||||
contributors |
| ||||||||||||||||||||||||
definition_extensions |
| ||||||||||||||||||||||||
description | Integer overflow in print-bgp.c in the BGP dissector in tcpdump 3.9.6 and earlier allows remote attackers to execute arbitrary code via crafted TLVs in a BGP packet, related to an unchecked return value. | ||||||||||||||||||||||||
family | unix | ||||||||||||||||||||||||
id | oval:org.mitre.oval:def:9771 | ||||||||||||||||||||||||
status | accepted | ||||||||||||||||||||||||
submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||||||||||||||
title | Integer overflow in print-bgp.c in the BGP dissector in tcpdump 3.9.6 and earlier allows remote attackers to execute arbitrary code via crafted TLVs in a BGP packet, related to an unchecked return value. | ||||||||||||||||||||||||
version | 27 |
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rpms |
|
Statements
contributor | Joshua Bressers |
lastmodified | 2007-07-31 |
organization | Red Hat |
statement | This issue does not affect the version of tcpdump shipped in Red Hat Enterprise Linux 2.1 or 3. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=250275 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ |
References
- http://bugs.gentoo.org/show_bug.cgi?id=184815
- http://bugs.gentoo.org/show_bug.cgi?id=184815
- http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-bgp.c?r1=1.91.2.11&r2=1.91.2.12
- http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-bgp.c?r1=1.91.2.11&r2=1.91.2.12
- http://docs.info.apple.com/article.html?artnum=307179
- http://docs.info.apple.com/article.html?artnum=307179
- http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html
- http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html
- http://secunia.com/advisories/26135
- http://secunia.com/advisories/26135
- http://secunia.com/advisories/26168
- http://secunia.com/advisories/26168
- http://secunia.com/advisories/26223
- http://secunia.com/advisories/26223
- http://secunia.com/advisories/26231
- http://secunia.com/advisories/26231
- http://secunia.com/advisories/26263
- http://secunia.com/advisories/26263
- http://secunia.com/advisories/26266
- http://secunia.com/advisories/26266
- http://secunia.com/advisories/26286
- http://secunia.com/advisories/26286
- http://secunia.com/advisories/26395
- http://secunia.com/advisories/26395
- http://secunia.com/advisories/26404
- http://secunia.com/advisories/26404
- http://secunia.com/advisories/26521
- http://secunia.com/advisories/26521
- http://secunia.com/advisories/27580
- http://secunia.com/advisories/27580
- http://secunia.com/advisories/28136
- http://secunia.com/advisories/28136
- http://security.freebsd.org/advisories/FreeBSD-SA-07:06.tcpdump.asc
- http://security.freebsd.org/advisories/FreeBSD-SA-07:06.tcpdump.asc
- http://security.gentoo.org/glsa/glsa-200707-14.xml
- http://security.gentoo.org/glsa/glsa-200707-14.xml
- http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.449313
- http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.449313
- http://www.debian.org/security/2007/dsa-1353
- http://www.debian.org/security/2007/dsa-1353
- http://www.digit-labs.org/files/exploits/private/tcpdump-bgp.c
- http://www.digit-labs.org/files/exploits/private/tcpdump-bgp.c
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:148
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:148
- http://www.novell.com/linux/security/advisories/2007_16_sr.html
- http://www.novell.com/linux/security/advisories/2007_16_sr.html
- http://www.redhat.com/support/errata/RHSA-2007-0368.html
- http://www.redhat.com/support/errata/RHSA-2007-0368.html
- http://www.redhat.com/support/errata/RHSA-2007-0387.html
- http://www.redhat.com/support/errata/RHSA-2007-0387.html
- http://www.securityfocus.com/archive/1/474225/100/0/threaded
- http://www.securityfocus.com/archive/1/474225/100/0/threaded
- http://www.securityfocus.com/bid/24965
- http://www.securityfocus.com/bid/24965
- http://www.securitytracker.com/id?1018434
- http://www.securitytracker.com/id?1018434
- http://www.trustix.org/errata/2007/0023/
- http://www.trustix.org/errata/2007/0023/
- http://www.turbolinux.com/security/2007/TLSA-2007-46.txt
- http://www.turbolinux.com/security/2007/TLSA-2007-46.txt
- http://www.ubuntu.com/usn/usn-492-1
- http://www.ubuntu.com/usn/usn-492-1
- http://www.us-cert.gov/cas/techalerts/TA07-352A.html
- http://www.us-cert.gov/cas/techalerts/TA07-352A.html
- http://www.vupen.com/english/advisories/2007/2578
- http://www.vupen.com/english/advisories/2007/2578
- http://www.vupen.com/english/advisories/2007/4238
- http://www.vupen.com/english/advisories/2007/4238
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9771
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9771