Subject: Re: [ Hackerslab bug_paper ] Linux dump buffer overflow
From: Derek Callaway (super@UDEL.EDU)
Date: Thu Mar 02 2000 - 14:48:05 CST
- Next message: Viktor Fougstedt: "Potential security problem with mtr"
- Previous message: Mikael Olsson: "Re: Addendum to Firewall-1 FTP Server Vulnerability"
- Next in thread: Ronald Huizer: "Re: [ Hackerslab bug_paper ] Linux dump buffer overflow"
- Reply: Przemyslaw Frasunek: "Re: [ Hackerslab bug_paper ] Linux dump buffer overflow"
On Fri, 3 Mar 2000, Eugene Teo wrote:
> server running Redhat 6.1 doesn't seem to be vulnerable to this. Like
Not true -- RedHat is vulnerable. The example given by KimYongJun shows an
overflow with only 556 characters. 556 bytes doesn't seem to overflow the
RedHat version of dump; it only produces a filename too long
error as you stated. This causes a Segmentation fault on my RedHat 6.1
machine:
[super@white super]$ rpm -qf /sbin/dump
dump-0.4b4-11
[super@white super]$ /sbin/dump -0 `perl -e 'print "a"x1024;'`
  DUMP: SIGSEGV: ABORTING!
Segmentation fault
According to
http://rpmfind.net/linux/RPM/redhat/6.1/i386/dump-0.4b4-11.i386.html,
dump-0.4b4-11 is the version of dump that is distributed with RedHat 6.1.
I believe this overflow is rather difficult to exploit (although not
impossible) as a result of a setuid(getuid()) before the offending code
and the signal handler for SIGSEGV.
<snip>
--
/* Derek Callaway <super@udel.edu>        char *sites[]={"http://www.geekwise.com",
   Programmer; CE Net, Inc.               "http://www.freezersearch.com/index.cfm?aff=dhc",
   (302) 837-8769                          "http://www.homeworkhelp.org",0};
   S                                       IRC */
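Added example (editor's illustration, not code from the post or from the dump sources): a C model of the two factors Derek cites as making the overflow hard to exploit usefully, a setuid(getuid()) before any attacker-controlled input is touched, and a SIGSEGV handler that prints an abort line and re-raises the signal, which is exactly the shape of the output in the session above (the handler's line, then the shell's own "Segmentation fault"). The NAME_BUF limit, the 64-byte unsafe buffer and the --unsafe switch are assumptions made for the demo; the bounded copy_name() is the hardened form beside the unbounded strcpy().

```c
/* Added model, not dump's code: a setuid-style program that (1) drops privilege with
 * setuid(getuid()) before touching attacker-controlled input and (2) installs a SIGSEGV
 * handler that prints an abort line and re-raises the signal, so the shell still reports
 * "Segmentation fault" after the handler's message.
 * NAME_BUF and the 64-byte buffer in unsafe_copy() are assumptions chosen for the demo.
 */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define NAME_BUF 256   /* assumed filename limit; the post only reports "filename too long" at 556 bytes */

/* SIGSEGV handler: report, restore the default action, re-raise so the process still
 * dies of SIGSEGV (hence the shell prints "Segmentation fault" after our line). */
static void on_segv(int sig)
{
    static const char msg[] = "  DUMP: SIGSEGV: ABORTING!\n";   /* constructed to match the post */
    write(STDERR_FILENO, msg, sizeof msg - 1);
    signal(sig, SIG_DFL);
    raise(sig);
}

/* 1 when effective uid == real uid, i.e. an overflow from here on runs with no extra privilege. */
int privileges_dropped(void)
{
    return geteuid() == getuid();
}

/* The pattern the post credits for limiting the impact of the bug. */
int drop_privileges(void)
{
    if (setuid(getuid()) != 0)
        return -1;
    return privileges_dropped() ? 0 : -1;
}

/* Bounded copy: refuses anything that does not fit, the "filename too long" path. */
int copy_name(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Builds a name of `len` 'a' bytes (like the perl one-liner in the post) and reports whether
 * copy_name() refuses it for a NAME_BUF-byte buffer: 1 rejected, 0 accepted, -1 out of memory. */
int long_name_rejected(size_t len)
{
    char buf[NAME_BUF];
    char *name = malloc(len + 1);
    if (name == NULL)
        return -1;
    memset(name, 'a', len);
    name[len] = '\0';
    int rc = copy_name(buf, sizeof buf, name);
    free(name);
    return rc != 0;
}

/* Unbounded copy: the shape of the bug. Only reached with --unsafe. */
static char unsafe_copy(const char *src)
{
    char buf[64];
    strcpy(buf, src);                 /* no length check: a long argv[1] smashes the stack */
    return *(volatile char *)buf;     /* keep buf live so the copy is not optimised away */
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <filename> [--unsafe]\n", argv[0]);
        return 2;
    }
    signal(SIGSEGV, on_segv);
    if (drop_privileges() != 0) {
        perror("setuid");
        return 1;
    }
    printf("euid %u == uid %u: privileges dropped before parsing input\n",
           (unsigned)geteuid(), (unsigned)getuid());

    if (argc > 2 && strcmp(argv[2], "--unsafe") == 0) {
        unsafe_copy(argv[1]);          /* with a 1024-byte name this reaches on_segv() */
        puts("no crash (argument fit in 64 bytes)");
        return 0;
    }
    char name[NAME_BUF];
    if (copy_name(name, sizeof name, argv[1]) != 0) {
        fprintf(stderr, "filename too long (%zu bytes, limit %d)\n", strlen(argv[1]), NAME_BUF - 1);
        return 1;
    }
    printf("accepted filename of %zu bytes\n", strlen(name));
    return 0;
}
```

Build with `cc -fno-stack-protector -o dumpmodel dumpmodel.c` and run `./dumpmodel $(perl -e 'print "a"x1024') --unsafe` to see the handler's line followed by the shell's "Segmentation fault"; with the stack protector left on, glibc aborts with its own "stack smashing detected" message (SIGABRT) before the fault happens. Without --unsafe the same argument takes the bounded path and is rejected as too long. The printed euid/uid line is the check worth making on any setuid program that crashes on an argument: if they already match at the crash site, the overflow buys an attacker nothing beyond what their own uid allows.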