Login Sign Up

CVE-2014-5439

7.8 HIGH
Remote Code Execution Buffer Overflow

📋 TL;DR

This vulnerability allows attackers to execute arbitrary code on systems running vulnerable versions of Sniffit network sniffer. By crafting a malicious configuration file, attackers can bypass multiple security protections (NX, SSP, ASLR) and gain root shell access. Anyone using Sniffit versions prior to 0.3.7 is affected.

💻 Affected Systems

Products:
  • Sniffit
Versions: All versions prior to 0.3.7
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Requires ability to create or modify Sniffit configuration files. Typically exploited by local users.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Sniffit by Sniffit Project

View all CVEs affecting Sniffit →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with root privileges leading to complete system compromise, data theft, and persistent backdoor installation.

🟠

Likely Case

Local privilege escalation to root shell for authenticated users who can write configuration files.

🟢

If Mitigated

Denial of service or limited information disclosure if exploit fails.

🌐 Internet-Facing: LOW - Sniffit is typically not exposed to internet-facing interfaces.
🏢 Internal Only: HIGH - Internal attackers with user access can exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit requires local access to create malicious configuration file. Public exploit code available since 2014.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.3.7 and later

Vendor Advisory: No official vendor advisory found - Sniffit is open source.

Restart Required: No

Instructions:

1. Download Sniffit 0.3.7 or later from official source. 2. Compile and install new version. 3. Remove old vulnerable version.

🔧 Temporary Workarounds

Remove Sniffit

linux

Uninstall Sniffit if not required

sudo apt-get remove sniffit
sudo yum remove sniffit
sudo make uninstall (if compiled from source)

Restrict configuration file permissions

linux

Limit who can create/modify Sniffit configuration files

sudo chmod 600 /etc/sniffit.conf
sudo chown root:root /etc/sniffit.conf

🧯 If You Can't Patch

  • Remove Sniffit from production systems entirely
  • Implement strict access controls on configuration files and directories

🔍 How to Verify

Check if Vulnerable:

Check Sniffit version: sniffit -v or which sniffit && ls -la /usr/bin/sniffit

Check Version:

sniffit -v 2>/dev/null || echo 'Sniffit not installed'

Verify Fix Applied:

Verify version is 0.3.7 or higher: sniffit -v | grep -E '0\.3\.[7-9]|[0-9]\.[4-9]'

📡 Detection & Monitoring

Log Indicators:

  • Unusual configuration file modifications
  • Sniffit process spawning shell processes
  • Failed privilege escalation attempts

Network Indicators:

  • Unexpected network sniffing activity
  • Outbound connections from Sniffit process

SIEM Query:

process_name:sniffit AND (parent_process:bash OR cmdline:*sh*)

📊 Metadata

CVE ID: CVE-2014-5439
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-787
Published: November 19, 2019
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2014-5439, you might also want to check these:

CVE-2019-5684 10.0

This vulnerability in NVIDIA Windows GPU Display Drivers allows specially crafted DirectX shaders to...

Same vulnerability type (CWE-787)
CVE-2022-43604 10.0

CVE-2022-43604 is a critical out-of-bounds write vulnerability in the OpENer EtherNet/IP stack that ...

Same vulnerability type (CWE-787)
CVE-2019-5049 10.0

This vulnerability allows an attacker to execute arbitrary code on systems with vulnerable AMD graph...

Same vulnerability type (CWE-787)