[14159] in bugtraq


Re: [ Hackerslab bug_paper ] Linux dump buffer overflow

daemon@ATHENA.MIT.EDU (Derek Callaway)
Fri Mar 3 15:53:26 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.10.10003021534400.5417-100000@pager.ce.net>
Date:         Thu, 2 Mar 2000 15:48:05 -0500
Reply-To: Derek Callaway <super@UDEL.EDU>
From: Derek Callaway <super@UDEL.EDU>
X-To:         BUGTRAQ@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <01d501bf8462$cca09280$199215a5@eugenteo>

On Fri, 3 Mar 2000, Eugene Teo wrote:

> server running Redhat 6.1 doesn't seem to be vulnerable to this.  Like

Not true -- RedHat is vulnerable. The example given by KimYongJun shows an
overflow with only 556 characters. 556 bytes doesn't seem to overflow the
RedHat version of dump; it only produces a filename too long
error as you stated. This causes a Segmentation fault on my RedHat 6.1
machine:

[super@white super]$ rpm -qf /sbin/dump
dump-0.4b4-11
[super@white super]$ /sbin/dump -0 `perl -e 'print "a"x1024;'`
  DUMP: SIGSEGV: ABORTING!
Segmentation fault

According to
http://rpmfind.net/linux/RPM/redhat/6.1/i386/dump-0.4b4-11.i386.html,
dump-0.4b4-11 is the version of dump that is distributed with RedHat 6.1.
I believe this overflow is rather difficult to exploit, (although, not
impossible) as a result of a setuid(getuid()) before the offending code
and the signal handler for SIGSEGV.

<snip>

--
/* Derek Callaway <super@udel.edu> char *sites[]={"http://www.geekwise.com",
   Programmer; CE Net, Inc. "http://www.freezersearch.com/index.cfm?aff=dhc",
   (302) 837-8769           "http://www.homeworkhelp.org",0};  S@IRC  */
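As an added illustration (not code from this post and not dump's actual source), the following C program shows the two things the message credits with limiting this bug: rejecting an over-long filename before it reaches a fixed-size buffer, so the program prints a "filename too long" error rather than crashing, and calling setuid(getuid()) before any untrusted argument is handled. The unbounded strcpy variant is included only for contrast and is never called. NAME_MAX_LEN, the function names, and the error text are assumptions chosen for the example; dump's real limits and names are not given in the thread.

```c
/* Added illustration, not dump's source: bounded filename handling plus an
 * early privilege drop. All identifiers and the 255-byte limit are assumed. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define NAME_MAX_LEN 255   /* assumed limit for this example only */

/* Unsafe pattern: fixed buffer, unbounded copy of an argv string. Shown only
 * for contrast with copy_name_checked() below; nothing here calls it. */
void copy_name_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);      /* writes past dst when src is longer than the buffer */
}

/* Safe pattern: check the length against the destination size before copying.
 * Returns 0 on success, -1 when the name does not fit. */
int copy_name_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz || n > NAME_MAX_LEN)
        return -1;
    memcpy(dst, src, n + 1);   /* n + 1 includes the terminating NUL */
    return 0;
}

/* Drop any setuid privilege before touching untrusted input. Returns 0 only
 * if the effective uid really equals the real uid afterwards. */
int drop_privileges(void)
{
    if (setuid(getuid()) != 0)
        return -1;
    return (geteuid() == getuid()) ? 0 : -1;
}

/* Handle one filename argument the way the post's test invocation supplies it
 * (a long run of 'a'). Returns 0 if accepted, -1 if rejected as too long. */
int process_argument(const char *arg)
{
    char name[NAME_MAX_LEN + 1];
    if (copy_name_checked(name, sizeof name, arg) != 0) {
        fprintf(stderr, "dump-like: filename too long\n");
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Privileges go first, so a crash later runs with the caller's own uid. */
    if (drop_privileges() != 0)
        return 2;
    if (argc < 2) {
        fprintf(stderr, "usage: %s <filename>\n", argv[0]);
        return 2;
    }
    return process_argument(argv[1]) == 0 ? 0 : 1;
}
```

Built as a normal binary, both the 556-byte and the 1024-byte arguments from the thread are rejected with the error message instead of a SIGSEGV; the point of the ordering in main() is that even if a later copy were missed, the process would already be running as the invoking user.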
