[14128] in bugtraq


Re: [ Hackerslab bug_paper ] Linux dump buffer overflow

daemon@ATHENA.MIT.EDU (H D Moore)
Wed Mar 1 21:58:10 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Message-Id:  <38BC8725.99447F91@secureaustin.com>
Date:         Tue, 29 Feb 2000 20:57:41 -0600
Reply-To: H D Moore <hdm@SECUREAUSTIN.COM>
From: H D Moore <hdm@SECUREAUSTIN.COM>
X-To:         "=?iso-8859-1?Q?=B1=E8=BF=EB=C1=D8?= KimYongJun
              (=?iso-8859-1?Q?99=C1=B9=BE=F7?=)" <s96192@CE.HANNAM.AC.KR>
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit

Hi, 

Confirmed this on SuSE 6.2.  The magic number of bytes is 347.  Dump is
not su/gid so this seems to be more of an annoyance than a security
issue for SuSE boxen (not sure of others).

-HD

"김용준 KimYongJun (99졸업)" wrote:
> 
> [ Hackerslab bug_paper ] Linux dump buffer overflow
> 
> File   :   /sbin/dump
> 
> SYSTEM :   Linux
> 
> INFO :
> 
> The problem occurs when it gets the argument.
> It accepts the argument without checking out its length, and this causes the problem.
> 
> It seems that this vulnerability also applies to RedHat Linux 6.2beta,
> the latest version.
> 
> [loveyou@loveyou SOURCES]$ dump  -f a `perl -e 'print "x" x 556'`
>   DUMP: Date of this level 0 dump: Mon Feb 28 14:45:01 2000
>   DUMP: Date of last level  dump: the epoch
>   DUMP: Dumping xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx to a
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: 파일 이름이 너무 깁니다 while opening filesystem
>   DUMP: SIGSEGV: ABORTING!
> Segmentation fault
> 
> [loveyou@loveyou SOURCES]$ dump  -f a `perl -e 'print "loveyou" x 556'`
>   DUMP: SIGSEGV: ABORTING!
> Segmentation fault    <=  occur ctime4()
>
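
The reply above turns on whether dump carries setuid/setgid bits. As an added example (not part of the original post or of dump itself), this shell helper checks that on a given system; `priv_bits` and `triage` are hypothetical names, and `/sbin/dump` is the path given in the post.

```shell
#!/bin/sh
# Added example, not from the original post.
# An overflow in a local binary crosses a privilege boundary only when the
# binary runs with setuid/setgid permissions, so check those bits first.

# priv_bits PATH -> missing | none | setuid | setgid | setuid+setgid
priv_bits() {
    target=$1
    if [ ! -f "$target" ]; then
        echo missing
        return 0
    fi
    bits=
    if [ -u "$target" ]; then bits=setuid; fi
    if [ -g "$target" ]; then bits=${bits:+$bits+}setgid; fi
    echo "${bits:-none}"
}

# triage PATH... -> one report line per binary
triage() {
    for target in "$@"; do
        state=$(priv_bits "$target")
        case $state in
            missing)
                echo "$target: not present" ;;
            none)
                echo "$target: no setuid/setgid bit, runs with the caller's privileges" ;;
            *)
                # ls -n prints numeric uid/gid in fields 3 and 4
                owner=$(ls -lnd "$target" | awk '{print $3 ":" $4}')
                echo "$target: $state, owner uid:gid $owner, treat a crash here as a privilege-boundary bug" ;;
        esac
    done
}

# /sbin/dump is the path named in the post; pass other paths as arguments.
[ $# -gt 0 ] || set -- /sbin/dump
triage "$@"
```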
