-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                                @stake, Inc.
                              www.atstake.com

                             Security Advisory

Advisory Name: tcpflow 0.2.0 Format String Vulnerability
 Release Date: 08/07/2003
  Application: tcpflow
     Platform: UNIX
     Severity: High or None (See Below)
       Author: Dave G. <daveg@atstake.com>
Vendor Status: Vendor has fixed version
CVE Candidate: CAN-2003-0671
    Reference: www.atstake.com/research/advisories/2003/a080703-2.txt


Overview:

tcpflow is a network monitoring tool that records TCP sessions in an
easy to use and view manner.  This tool contains a format string
vulnerability that is typically unexploitable.  However, there has
been at least a couple of network management tools (IPNetMonitorX and
IPNetSentryX) that allowed for this vulnerability to be successfully
exploited.  

- - -IMPORTANT NOTE-

This advisory is being released to inform other developers that may
rely on this tool, and to serve as an addendum to the @stake advisory
entitled: "Sustworks Unauthorized Network Monitoring and tcpflow
Format String Attack."

       
Details:

tcpflow contains an exploitable format string vulnerability during
the opening of a device via libpcap.  This code snippet is from the
current version of tcpflow:

- - From tcpflow:main.c
- - -------------------
    /* make sure we can open the device */
    if ((pd = pcap_open_live(device, SNAPLEN, !no_promisc, 1000,
       error)) == NULL)
      die(error);

    /* drop root privileges - we don't need them any more */
    setuid(getuid());

As we can see, if the call to pcap_open_live() fails, the error
message will be passed to an error handling and cleanup function
called die().  This happens just before privileges are dropped by the
application.  Looking at the code snippets below, we can see that
this error message will get passed as the format string to the
vfprintf() call inside of print_debug_message().  Since the device
name is included as part of the libpcap error, and device is
specified by the user, an attacker can input format specifiers into
vfprintf().

- - From tcpflow:util.c
- - ------------------- void die(char *fmt, ...)
{
  va_list ap;

  va_start(ap, fmt);
  print_debug_message(fmt, ap);
  exit(1);
}

/*
 * Print a debugging message, given a va_list
 */
void print_debug_message(char *fmt, va_list ap)
{
  /* print debug prefix */
  fprintf(stderr, "%s: ", debug_prefix);

  /* print the var-arg buffer passed to us */
  vfprintf(stderr, fmt, ap);    

  /* add newline */
  fprintf(stderr, "\n");
  (void) fflush(stderr);
}

To test if your version of tcpflow is vulnerable, simply execute
tcpflow as root with the command line argument of -i %x%x%x%x%x%x.
If the tcpflow error message contains a large hexadecimal string,
your version is vulnerable.  

For example:

bash-2.05a$ sudo bash
bash-2.05a# tcpflow -i %x%x%x%x%x%x
tcpflow[1195]: BIOCSETIF: 1a45017646365206e1a010365c: Device not
 configured

 
Vendor Response:

There is an updated version of tcpflow available from
http://www.circlemud.org/~jelson/software/tcpflow.


Recommendation:

Upgrade tcpflow and ensure that it is not setuid root.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

  CAN-2003-0671 tcpflow format string vulnerability through
                RunTCPFlow

@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

@stake is currently seeking application security experts to fill
several consulting positions.  Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing.  Please send resumes to jobs@atstake.com.

Copyright 2003 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPzK7SEe9kNIfAm4yEQLIQgCg2FsuanlbSV/45hkgxBOE8GvKOlsAoKQt
TgybHf+i2Zo041zjMRMEOZCx
=B4H2
-----END PGP SIGNATURE-----