On Fri, 3 Mar 2000, Eugene Teo wrote:

> server running Redhat 6.1 doesn't seem to be vulnerable to this. Like

Not true -- RedHat is vulnerable. The example given by KimYongJun shows an overflow with only 556 characters. 556 bytes doesn't seem to overflow the RedHat version of dump; it only produces a "filename too long" error as you stated. This causes a segmentation fault on my RedHat 6.1 machine:

[super@white super]$ rpm -qf /sbin/dump
dump-0.4b4-11
[super@white super]$ /sbin/dump -0 `perl -e 'print "a"x1024;'`
  DUMP: SIGSEGV: ABORTING!
Segmentation fault

According to http://rpmfind.net/linux/RPM/redhat/6.1/i386/dump-0.4b4-11.i386.html, dump-0.4b4-11 is the version of dump that is distributed with RedHat 6.1.

I believe this overflow is rather difficult (although not impossible) to exploit, as a result of a setuid(getuid()) before the offending code and the signal handler for SIGSEGV.

<snip>

--
/* Derek Callaway <superat_private>     char *sites[]={"http://www.geekwise.com",
   Programmer; CE Net, Inc.              "http://www.freezersearch.com/index.cfm?aff=dhc",
   (302) 837-8769                        "http://www.homeworkhelp.org",0};
   S@IRC */
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:38:48 PDT