server running Redhat 6.1 doesn't seem to be vulnerable to this. Like NetBSD, it just returns a filename too long error. Anyhow, I remove the suid bit from dump.

--
Eugene Teo - http://www.eugeneteo.net - http://linux.com.sg
Email: eugeneteoat_private, eugeneteoat_private

----- Original Message -----
From: 김용준 KimYongJun (99졸업) <s96192at_private>
To: <BUGTRAQat_private>
Sent: Monday, February 28, 2000 2:17 PM
Subject: [ Hackerslab bug_paper ] Linux dump buffer overflow

> [ Hackerslab bug_paper ] Linux dump buffer overflow
>
>
> File : /sbin/dump
>
> SYSTEM : Linux
>
>
> INFO :
>
>
> The problem occurs when it gets the argument.
> It accepts the argument without checking out its length, and this causes the problem.
>
> It seems that this vulnerability also applies to RedHat Linux 6.2beta,
> the latest version.
>
>
> [loveyou@loveyou SOURCES]$ dump -f a `perl -e 'print "x" x 556'`
> DUMP: Date of this level 0 dump: Mon Feb 28 14:45:01 2000
> DUMP: Date of last level dump: the epoch
> DUMP: Dumping xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx to a
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: 파일 이름이 너무 깁니다 while opening filesystem
> DUMP: SIGSEGV: ABORTING!
> Segmentation fault
>
> [loveyou@loveyou SOURCES]$ dump -f a `perl -e 'print "loveyou" x 556'`
> DUMP: SIGSEGV: ABORTING!
> Segmentation fault <= occur ctime4()
>
>
> How to fix
> ----------
>
> patch :
>
> [root@loveyou SOURCES]# diff -ru dump-0.4b13/dump/main_orig.c dump-0.4b13/dump/main.c
> --- dump-0.4b13/dump/main_orig.c Mon Feb 28 14:40:01 2000 > +++ dump-0.4b13/dump/main.c Mon Feb 28 14:40:57 2000 
> @@ -273,6 +273,9 @@ > exit(X_STARTUP); > } > disk = *argv++; > + if ( strlen(disk) > 255 ) > + exit(X_STARTUP); > + > argc--; > if (argc >= 1) { > (void)fprintf(stderr, "Unknown arguments to dump:"); > > > > hot fix : > it is recommended that the suid bit is > removed from dump using command : > > chmod a-s /sbin/dump > > > > > - Yong-jun, Kim - > e - mail : loveyouat_private s96192at_private > homepage : http://www.hackerslab.org http://ce.hannam.ac.kr/~s96192
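
Review bot: The added check `if ( strlen(disk) > 255 )` hard-codes 255 and exits without printing anything. The limit should be expressed in terms of the buffer that later receives `disk` (a `sizeof` on that buffer, or the constant used to declare it) so the check and the buffer size cannot drift apart, and the `exit(X_STARTUP)` should be preceded by a message on stderr, as the "Unknown arguments to dump:" branch just below does, so a user who passes an overlong path sees why dump stopped. The hunk also only validates `disk` at argument parsing and leaves the unbounded copy itself untouched; bounding the copy at the point where it happens would cover any other path that reaches it.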
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:38:41 PDT