Re: [ Hackerslab bug_paper ] Linux dump buffer overflow
daemon@ATHENA.MIT.EDU (Eugene Teo)
Thu Mar 2 14:26:59 2000
Message-Id: <01d501bf8462$cca09280$199215a5@eugenteo>
Date: Fri, 3 Mar 2000 00:16:45 +0800
Reply-To: Eugene Teo <eugeneteo@EUGENETEO.NET>
From: Eugene Teo <eugeneteo@EUGENETEO.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
server running Redhat 6.1 doesn't seem to be vulnerable to this. Like
NetBSD, it just returns a "filename too long" error.
Anyhow, I remove the suid bit from dump.
--
Eugene Teo - http://www.eugeneteo.net - http://linux.com.sg
Email: eugeneteo@eugeneteo.net, eugeneteo@linux.com.sg
----- Original Message -----
From: KimYongJun <s96192@CE.HANNAM.AC.KR>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Monday, February 28, 2000 2:17 PM
Subject: [ Hackerslab bug_paper ] Linux dump buffer overflow
> [ Hackerslab bug_paper ] Linux dump buffer overflow
>
>
> File : /sbin/dump
>
> SYSTEM : Linux
>
>
> INFO :
>
>
> The problem occurs when it gets the argument.
> It accepts the argument without checking out its length, and this causes
> the problem.
>
> It seems that this vulnerability also applies to RedHat Linux 6.2beta,
> the latest version.
>
>
> [loveyou@loveyou SOURCES]$ dump -f a `perl -e 'print "x" x 556'`
> DUMP: Date of this level 0 dump: Mon Feb 28 14:45:01 2000
> DUMP: Date of last level dump: the epoch
> DUMP: Dumping xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx to a
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: FD@O @L8'@L 3J9+ 1i4O4Y while opening filesystem
> DUMP: SIGSEGV: ABORTING!
> Segmentation fault
>
> [loveyou@loveyou SOURCES]$ dump -f a `perl -e 'print "loveyou" x 556'`
> DUMP: SIGSEGV: ABORTING!
> Segmentation fault <= occurs in ctime4()
>
>
> How to fix
> ----------
>
> patch :
>
> [root@loveyou SOURCES]# diff -ru dump-0.4b13/dump/main_orig.c dump-0.4b13/dump/main.c
> --- dump-0.4b13/dump/main_orig.c Mon Feb 28 14:40:01 2000
> +++ dump-0.4b13/dump/main.c Mon Feb 28 14:40:57 2000
> @@ -273,6 +273,9 @@
> exit(X_STARTUP);
> }
> disk = *argv++;
> + if ( strlen(disk) > 255 )
> + exit(X_STARTUP);
> +
> argc--;
> if (argc >= 1) {
> (void)fprintf(stderr, "Unknown arguments to dump:");
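Review bot: the new check at `+ if ( strlen(disk) > 255 )` exits silently, whereas the surrounding code reports the reason on stderr before `exit(X_STARTUP)` (see `(void)fprintf(stderr, "Unknown arguments to dump:");` two lines below); print a message such as "disk name too long" before exiting so an operator can tell a rejected argument from any other startup failure. The limit 255 is also a magic number that, as far as this hunk shows, is unrelated to the size of whatever buffer `disk` is later copied into; derive it from that destination (a `sizeof` on the buffer or the system's path-length constant) so the check and the buffer cannot drift apart in a later edit.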
>
>
>
> hot fix :
> it is recommended that the suid bit be
> removed from dump using the command:
>
> chmod a-s /sbin/dump
>
>
>
>
> - Yong-jun, Kim -
> e - mail : loveyou@hackerslab.org s96192@ce.hannam.ac.kr
> homepage : http://www.hackerslab.org http://ce.hannam.ac.kr/~s96192
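As an added example, not code from the Hackerslab post or from the dump sources, the following C program models the length check the patch above introduces: the disk argument is validated against both the 255-byte policy limit and the real size of the destination buffer before anything is copied, and an over-long argument is refused with a diagnostic instead of a crash. The function names, the 256-byte buffer and the `X_STARTUP` value are assumptions for this illustration; the 556-character input is constructed to mirror the report.

```c
/* Added example (not the dump project's code). Models the fix from the
 * posted patch: reject a disk argument longer than 255 bytes before it is
 * copied into fixed-size storage. Names, buffer size and exit code are
 * assumed for this illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DISK_MAX  255   /* limit used in the posted patch */
#define X_STARTUP 3     /* assumed value of dump's startup-failure exit status */

/* Hardened acceptance of the disk argument.
 * Returns 0 and fills dst on success, -1 when the argument is rejected.
 * The length is checked against the policy limit AND the destination size,
 * so the copy can never run past the end of dst whatever DISK_MAX is set to. */
int accept_disk_arg(const char *arg, char *dst, size_t dstlen)
{
    size_t n = strlen(arg);
    if (n == 0 || n > DISK_MAX || n >= dstlen)
        return -1;
    memcpy(dst, arg, n + 1);   /* n + 1 <= dstlen, so the terminating NUL fits */
    return 0;
}

/* Constructed over-long input like the one in the report ("x" repeated
 * 556 times). The caller frees the result. */
char *make_long_arg(char ch, size_t count)
{
    char *s = malloc(count + 1);
    if (s == NULL)
        return NULL;
    memset(s, ch, count);
    s[count] = '\0';
    return s;
}

int main(int argc, char **argv)
{
    char disk[256];   /* assumed fixed-size storage for the disk name */
    const char *arg = (argc > 1) ? argv[1] : "/dev/hda1";

    if (accept_disk_arg(arg, disk, sizeof disk) != 0) {
        /* Report why we refuse, then exit the way the patch does. */
        fprintf(stderr, "dump: disk argument rejected (length %zu, limit %d)\n",
                strlen(arg), DISK_MAX);
        return X_STARTUP;
    }
    printf("accepted disk argument: %s\n", disk);
    return 0;
}
```

Run it with a normal device path and it prints the accepted name; run it with `` `perl -e 'print "x" x 556'` `` as the argument and it exits with the startup status after printing the rejection, which is the behaviour the patch aims for in place of the SIGSEGV shown in the report.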