/sbin/dump on Linux is vulnerable to a local buffer overflow attack. Patch included.
70030d318162971da001a74c6ed300e763603b26a92fc3f781f8b5bac7a5d77b
[ Hackerslab bug_paper ] Linux dump buffer overflow
File : /sbin/dump
SYSTEM : Linux
INFO :
The problem occurs when it gets the argument.
It accepts the argument without checking out its length, and this causes =
the problem.
It seems that this vulnerability also applies to RedHat Linux 6.2beta,
the latest version.
[loveyou@loveyou SOURCES]$ dump -f a `perl -e 'print "x" x 556'`
DUMP: Date of this level 0 dump: Mon Feb 28 14:45:01 2000
DUMP: Date of last level dump: the epoch
DUMP: Dumping xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx to a
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: =C6=C4=C0=CF =C0=CC=B8=
=A7=C0=CC =B3=CA=B9=AB =B1=E9=B4=CF=B4=D9 while opening filesystem
DUMP: SIGSEGV: ABORTING!
Segmentation fault
[loveyou@loveyou SOURCES]$ dump -f a `perl -e 'print "loveyou" x 556'`
DUMP: SIGSEGV: ABORTING!
Segmentation fault <=3D occur ctime4()
How to fix
----------
patch :
[root@loveyou SOURCES]# diff -ru dump-0.4b13/dump/main_orig.c dump-0.4b13=
/dump/main.c
--- dump-0.4b13/dump/main_orig.c Mon Feb 28 14:40:01 2000
+++ dump-0.4b13/dump/main.c Mon Feb 28 14:40:57 2000
@@ -273,6 +273,9 @@
exit(X_STARTUP);
}
disk =3D *argv++;
+ if ( strlen(disk) > 255 )
+ exit(X_STARTUP);
+
argc--;
if (argc >=3D 1) {
(void)fprintf(stderr, "Unknown arguments to dump:");
hot fix :
it is recommended that the suid bit is
removed from dump using command :
chmod a-s /sbin/dump
- Yong-jun, Kim -
e - mail : loveyou@hackerslab.org s96192@ce.hannam.ac.kr
homepage : http://www.hackerslab.org http://ce.hannam.ac.kr/~s96192