Security risk associated with a NIC's promiscuous mode?

David Kirchner dpk at dpk.net
Fri Oct 7 08:58:50 PDT 2005


On 10/7/05, Chuck Swiger <cswiger at mac.com> wrote:
> A mild one.  For example, I believe there was recently a security bug in
> tcpdump's string handling which could be exploited by tcpdump seeing a
> maliciously-crafted packet.  Running the NIC in promisc mode means that packet
> just has to go by, rather than being sent specifically to the machine running the
> sniffer...
>
> In other words, it's not a great idea to run a sniffer on your most important
> fileserver or whatever, rather than an isolated laptop or other test system.

You can also change the ownership of the bpf0 entry in /dev to
something other than root, and run tcpdump as that user. Obviously you
would want to secure that account so it can only be accessed by you,
and you may even want to change ownership to that user only when you
want to sniff, changing it back to root when done.

In any case, this would mitigate the risk in case a tcpdump/libpcap
vulnerability is discovered.

I wouldn't do this if it was for a daemon or a cron, though, since
they would perform dumps at specific (i.e. predictable) times of day.
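The temporary ownership change described above, as an added example that is not from the post or the FreeBSD project: a small POSIX sh wrapper that hands the BPF device to a dedicated capture user for the duration of one tcpdump run and restores the original owner afterwards, even if the capture fails. The device path, the user name and the tcpdump arguments are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post). Lend a BPF device to an
# unprivileged capture user for one run, then give it back.
#
# Usage (placeholders):  sh lend_bpf.sh /dev/bpf0 capture tcpdump -i em0 -w out.pcap
# Run as root; the capture command itself then runs as the calling user
# (use su/sudo in the command if it should run as the capture user).

# Print "owner:group" of a file, using ls(1) so it works on FreeBSD and Linux.
device_owner() {
    ls -ld "$1" | awk '{ print $3 ":" $4 }'
}

# with_capture_device DEVICE USER COMMAND [ARGS...]
# Chowns DEVICE to USER, makes it 0600 so only that user can open it, runs
# COMMAND, then restores the original owner:group. Returns COMMAND's status.
with_capture_device() {
    dev=$1
    user=$2
    shift 2
    orig=$(device_owner "$dev")            # e.g. root:wheel
    chown "$user" "$dev" || return 1
    chmod 0600 "$dev"
    # Restore ownership even if the shell is killed mid-capture.
    trap 'chown "$orig" "$dev"' EXIT
    "$@"
    rc=$?
    chown "$orig" "$dev"
    trap - EXIT
    return $rc
}

# Only act when invoked with arguments, so the functions can be sourced.
[ "$#" -eq 0 ] || with_capture_device "$@"
```

Newer tcpdump builds can also drop privileges themselves with `-Z user` after opening the device, which covers the same risk without touching /dev.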