ID CVE-2007-1218
Summary Off-by-one buffer overflow in the parse_elements function in the 802.11 printer code (print-802_11.c) for tcpdump 3.9.5 and earlier allows remote attackers to cause a denial of service (crash) via a crafted 802.11 frame. NOTE: this was originally referred to as heap-based, but it might be stack-based.
References
Vulnerable Configurations
  • cpe:2.3:a:tcpdump:tcpdump:3.9.5
CVSS
Base: 6.8 (as of 06-03-2007 - 13:39)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
nessus via4
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0387.NASL
    description Updated tcpdump packages that fix a security issue and functionality bugs are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Tcpdump is a command line tool for monitoring network traffic. Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE 802.11 processing code. An attacker could inject a carefully crafted frame onto the IEEE 802.11 network that could crash a running tcpdump session if a certain link type was explicitly specified. (CVE-2007-1218) An integer overflow flaw was found in tcpdump's BGP processing code. An attacker could execute arbitrary code with the privilege of the pcap user by injecting a crafted frame onto the network. (CVE-2007-3798) In addition, the following bugs have been addressed: * if called with -C and -W switches, tcpdump would create the first savefile with the privileges of the user that executed tcpdump (usually root), rather than with ones of the pcap user. This could result in the inability to save the complete traffic log file properly without the immediate notice of the user running tcpdump. * the arpwatch service initialization script would exit prematurely, returning a successful exit status incorrectly and preventing the status command from running in case networking is not available. Users of tcpdump are advised to upgrade to these erratum packages, which contain backported patches that correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 67051
    published 2013-06-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67051
    title CentOS 4 : tcpdump (CESA-2007:0387)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-056.NASL
    description Off-by-one buffer overflow in the parse_elements function in the 802.11 printer code (print-802_11.c) for tcpdump 3.9.5 and earlier allows remote attackers to cause a denial of service (crash) via a crafted 802.11 frame. NOTE: this was originally referred to as heap-based, but it might be stack-based. Updated packages have been patched to address this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 24806
    published 2007-03-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24806
    title Mandrake Linux Security Advisory : tcpdump (MDKSA-2007:056)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2007-009.NASL
    description The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2007-009 applied. This update contains several security fixes for a large number of programs.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 29723
    published 2007-12-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29723
    title Mac OS X Multiple Vulnerabilities (Security Update 2007-009)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-348.NASL
    description
      * Thu Mar 15 2007 Miroslav Lichvar - 14:3.9.4-4.fc5
        - fix buffer overflow in 802.11 printer (#232349, CVE-2007-1218)
        - require /usr/sbin/sendmail (#232363)
      * Wed Nov 8 2006 Miroslav Lichvar - 14:3.9.4-3.fc5
        - fix processing of Prism and AVS headers (#207435)
        - fix arp2ethers script
        - update ethercodes.dat
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-21
    plugin id 24837
    published 2007-03-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24837
    title Fedora Core 5 : tcpdump-3.9.4-4.fc5 (2007-348)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-429-1.NASL
    description Moritz Jodeit discovered that tcpdump had an overflow in the 802.11 packet parser. Remote attackers could send specially crafted packets, crashing tcpdump, possibly leading to a denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28023
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28023
    title Ubuntu 5.10 / 6.06 LTS / 6.10 : tcpdump vulnerability (USN-429-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0368.NASL
    description Updated tcpdump packages that fix a security issue and functionality bugs are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Tcpdump is a command line tool for monitoring network traffic. Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE 802.11 processing code. If a certain link type was explicitly specified, an attacker could inject a carefully crafted frame onto the IEEE 802.11 network that could crash a running tcpdump session. (CVE-2007-1218) An integer overflow flaw was found in tcpdump's BGP processing code. An attacker could execute arbitrary code with the privilege of the pcap user by injecting a crafted frame onto the network. (CVE-2007-3798) In addition, the following bugs have been addressed: * The arpwatch service initialization script would exit prematurely, returning an incorrect successful exit status and preventing the status command from running in case networking is not available. * Tcpdump would not drop root privileges completely when launched with the -C option. This might have been abused by an attacker to gain root privileges in case a security problem was found in tcpdump. Users of tcpdump are encouraged to specify meaningful arguments to the -Z option in case they want tcpdump to write files with privileges other than of the pcap user. Users of tcpdump are advised to upgrade to these erratum packages, which contain backported patches that correct these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 27828
    published 2007-11-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27828
    title RHEL 5 : tcpdump (RHSA-2007:0368)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1272.NASL
    description Moritz Jodeit discovered an off-by-one buffer overflow in tcpdump, a powerful tool for network monitoring and data acquisition, which allows denial of service.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 24881
    published 2007-03-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24881
    title Debian DSA-1272-1 : tcpdump - buffer overflow
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-347.NASL
    description
      * Thu Mar 15 2007 Miroslav Lichvar - 14:3.9.4-10.fc6
        - fix buffer overflow in 802.11 printer (#232349, CVE-2007-1218)
        - require /usr/sbin/sendmail (#232363)
      * Fri Nov 17 2006 Miroslav Lichvar - 14:3.9.4-9
        - fix processing of Prism and AVS headers (#206686)
        - fix arp2ethers script
        - update ethercodes.dat
        - move pcap man page to devel package
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-21
    plugin id 24836
    published 2007-03-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24836
    title Fedora Core 6 : tcpdump-3.9.4-10.fc6 (2007-347)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-155.NASL
    description Off-by-one buffer overflow in the parse_elements function in the 802.11 printer code (print-802_11.c) for tcpdump 3.9.5 and earlier allows remote attackers to cause a denial of service (crash) via a crafted 802.11 frame. Updated packages have been patched to prevent this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 36699
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36699
    title Mandrake Linux Security Advisory : tcpdump (MDKSA-2007:155)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0387.NASL
    description Updated tcpdump packages that fix a security issue and functionality bugs are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Tcpdump is a command line tool for monitoring network traffic. Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE 802.11 processing code. An attacker could inject a carefully crafted frame onto the IEEE 802.11 network that could crash a running tcpdump session if a certain link type was explicitly specified. (CVE-2007-1218) An integer overflow flaw was found in tcpdump's BGP processing code. An attacker could execute arbitrary code with the privilege of the pcap user by injecting a crafted frame onto the network. (CVE-2007-3798) In addition, the following bugs have been addressed: * if called with -C and -W switches, tcpdump would create the first savefile with the privileges of the user that executed tcpdump (usually root), rather than with ones of the pcap user. This could result in the inability to save the complete traffic log file properly without the immediate notice of the user running tcpdump. * the arpwatch service initialization script would exit prematurely, returning a successful exit status incorrectly and preventing the status command from running in case networking is not available. Users of tcpdump are advised to upgrade to these erratum packages, which contain backported patches that correct these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 28235
    published 2007-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28235
    title RHEL 4 : tcpdump (RHSA-2007:0387)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20071115_TCPDUMP_ON_SL4_X.NASL
    description Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE 802.11 processing code. An attacker could inject a carefully crafted frame onto the IEEE 802.11 network that could crash a running tcpdump session if a certain link type was explicitly specified. (CVE-2007-1218) An integer overflow flaw was found in tcpdump's BGP processing code. An attacker could execute arbitrary code with the privilege of the pcap user by injecting a crafted frame onto the network. (CVE-2007-3798) In addition, the following bugs have been addressed: - if called with -C and -W switches, tcpdump would create the first savefile with the privileges of the user that executed tcpdump (usually root), rather than with ones of the pcap user. This could result in the inability to save the complete traffic log file properly without the immediate notice of the user running tcpdump. - the arpwatch service initialization script would exit prematurely, returning a successful exit status incorrectly and preventing the status command from running in case networking is not available.
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60310
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60310
    title Scientific Linux Security Update : tcpdump on SL4.x i386/x86_64
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20071109_TCPDUMP_ON_SL5_X.NASL
    description Problem description: Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE 802.11 processing code. If a certain link type was explicitly specified, an attacker could inject a carefully crafted frame onto the IEEE 802.11 network that could crash a running tcpdump session. (CVE-2007-1218) An integer overflow flaw was found in tcpdump's BGP processing code. An attacker could execute arbitrary code with the privilege of the pcap user by injecting a crafted frame onto the network. (CVE-2007-3798) In addition, the following bugs have been addressed: - The arpwatch service initialization script would exit prematurely, returning an incorrect successful exit status and preventing the status command from running in case networking is not available. - Tcpdump would not drop root privileges completely when launched with the -C option. This might have been abused by an attacker to gain root privileges in case a security problem was found in tcpdump. Users of tcpdump are encouraged to specify meaningful arguments to the -Z option in case they want tcpdump to write files with privileges other than of the pcap user.
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60299
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60299
    title Scientific Linux Security Update : tcpdump on SL5.x i386/x86_64
oval via4
accepted 2013-04-29T04:19:57.436-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Off-by-one buffer overflow in the parse_elements function in the 802.11 printer code (print-802_11.c) for tcpdump 3.9.5 and earlier allows remote attackers to cause a denial of service (crash) via a crafted 802.11 frame. NOTE: this was originally referred to as heap-based, but it might be stack-based.
family unix
id oval:org.mitre.oval:def:9520
status accepted
submitted 2010-07-09T03:56:16-04:00
title Off-by-one buffer overflow in the parse_elements function in the 802.11 printer code (print-802_11.c) for tcpdump 3.9.5 and earlier allows remote attackers to cause a denial of service (crash) via a crafted 802.11 frame. NOTE: this was originally referred to as heap-based, but it might be stack-based.
version 24
redhat via4
advisories
  • rhsa
    id RHSA-2007:0368
  • rhsa
    id RHSA-2007:0387
rpms
  • arpwatch-14:2.1a13-18.el5
  • libpcap-14:0.9.4-11.el5
  • libpcap-devel-14:0.9.4-11.el5
  • tcpdump-14:3.9.4-11.el5
  • arpwatch-14:2.1a13-12.el4
  • libpcap-14:0.8.3-12.el4
  • tcpdump-14:3.8.2-12.el4
refmap via4
apple APPLE-SA-2007-12-17
bid 22772
cert TA07-352A
confirm
debian DSA-1272
fedora
  • FEDORA-2007-347
  • FEDORA-2007-348
fulldisc 20070301 tcpdump: off-by-one heap overflow in 802.11 printer
mandriva
  • MDKSA-2007:056
  • MDKSA-2007:155
misc
osvdb 32427
sectrack 1017717
secunia
  • 24318
  • 24354
  • 24423
  • 24451
  • 24583
  • 24610
  • 27580
  • 28136
turbo TLSA-2007-46
ubuntu USN-429-1
vupen
  • ADV-2007-0793
  • ADV-2007-4238
xf tcpdump-print80211c-bo(32749)
statements via4
contributor Mark J Cox
lastmodified 2007-05-11
organization Red Hat
statement Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=232347 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/
Last major update 07-03-2011 - 21:51
Published 02-03-2007 - 16:18
Last modified 10-10-2017 - 21:31