Security Advisory – SOS-15-001 – tcpdump Memory Disclosure Vulnerability
Release Date: 21-Jan-2015
Last Update: –
Vendor Notification Date: 05-Jan-2015
Platform: Windows / *nix / Mac OSX
Affected versions: 4.1 – 4.6.2
Severity Rating: Medium
Impact: Memory disclosure
        Out-of-bound read access
        Denial of Service
Attack Vector: Local
Solution Status: Vendor update
CVE reference: CVE-2015-1037
tcpdump is a common command-line packet analyser. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. When dissecting an ARCNet packet, tcpdump uses the length announced in the ARCNet header of the captured packet to read and display the packet content mapped in memory, by calling the function hex_and_ascii_print_with_offset(). If the captured length is less than the length announced in the packet (which can be forged), the call to the arcnet_if_print() function will dump memory content beyond the captured data, eventually causing tcpdump to crash with a segmentation fault if the pointer reaches an invalid address.
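The pattern behind this bug, as an added illustration that is not tcpdump's code: a dissector must choose between the length a packet header announces and the length the capture actually holds (caplen), and the hardened version clamps to the latter. The header layout, function names and sample frame below are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not tcpdump's code. The 4-byte header below is
 * constructed for the example and is not the real ARCNet header:
 * 2 bytes of addressing followed by a 2-byte big-endian announced length. */

#define HDR_LEN 4

/* Number of payload bytes a naive dissector would hand to a hex/ascii
 * printer: it trusts the header field and ignores caplen entirely. */
size_t naive_payload_len(const uint8_t *pkt, size_t caplen) {
    if (caplen < HDR_LEN) return 0;
    return ((size_t)pkt[2] << 8) | pkt[3];   /* attacker-controlled field */
}

/* Hardened: the printed length is bounded by what was actually captured. */
size_t clamped_payload_len(const uint8_t *pkt, size_t caplen) {
    if (caplen < HDR_LEN) return 0;          /* truncated header: print nothing */
    size_t announced = ((size_t)pkt[2] << 8) | pkt[3];
    size_t available = caplen - HDR_LEN;
    return announced < available ? announced : available;
}

/* Hex-dump the payload using the clamped length; returns the number of bytes
 * actually read so a caller or test can confirm it never exceeded caplen. */
size_t dump_payload(const uint8_t *pkt, size_t caplen) {
    size_t len = clamped_payload_len(pkt, caplen);
    const uint8_t *p = pkt + HDR_LEN;
    for (size_t i = 0; i < len; i++) {
        printf("%02x%s", p[i], ((i + 1) % 16 == 0 || i + 1 == len) ? "\n" : " ");
    }
    return len;
}

/* Constructed sample: the header announces 0x0040 (64) payload bytes, but
 * the capture holds only 8 bytes in total, i.e. a 4-byte payload. */
static const uint8_t sample_frame[] = { 0x01, 0x02, 0x00, 0x40, 0xde, 0xad, 0xbe, 0xef };
static const size_t sample_caplen = sizeof(sample_frame);

int main(void) {
    printf("announced: %zu, clamped: %zu\n",
           naive_payload_len(sample_frame, sample_caplen),
           clamped_payload_len(sample_frame, sample_caplen));
    dump_payload(sample_frame, sample_caplen);
    return 0;
}
```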
Please refer to the PDF version of this advisory for proof of concept code examples.
Solution: Update to tcpdump version 4.6.3.
Christophe Alladoum from Sense of Security Labs.