RedHatLinuxdump Buffer Overflow Vulnerability

Article Title: RedHatLinuxdump Buffer Overflow Vulnerability. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.

Affected Systems:

MandrakeSoft Linux Mandrake 7.0

MandrakeSoft Linux Mandrake 6.1

RedHat in Linux 6.2

RedHat in Linux 6.1

RedHat in Linux 6.0

RedHat in Linux 5.2

RedHat in Linux 5.1

Unaffected system:

NetBSD-current

Description:

In RedHat Linux, there is a file backup tool "dump". It is installed under/sbin and configured

Setuid/setgid root bit. When a long string is sent to the "-f a" parameter, dump will

Stack Overflow. If the provided parameters are carefully constructed, attackers may replace the EIP stored in the stack.

(Command pointer or return address) and execute any code with the gid root permission. Dump will

The setuid root permission is discarded, but the setgid root permission is not discarded. Therefore, attackers may exploit this vulnerability.

Vulnerabilities may obtain the setgid root permission, which in turn may gain control over the entire system.

<* Source:-Yong-jun, Kim-

E-mail: loveyou@hackerslab.org s96192@ce.hannam.ac.kr

Homepage: http://www.hackerslab.org http://ce.hannam.ac.kr /~ S96192

*>

Test method:

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

[Loveyou @ loveyou SOURCES] $ dump-f a 'perl-e' print "x" x 556''

DUMP: Date of this level 0 dump: Mon Feb 28 14:45:01 2000

DUMP: Date of last level dump: the epoch

DUMP: Dumping failed to

Flood

DUMP: SIGSEGV: ABORTING!

Segmentation fault

[Loveyou @ loveyou SOURCES] $ dump-f a 'perl-e' print "loveyou" x 556''

DUMP: SIGSEGV: ABORTING!

Segmentation fault <= occur ctime4 ()

Suggestion:

Yong-jun, Kim provides a patch:

[Root @ loveyou SOURCES] # diff-ru dump-0.4b13/dump/main_orig.c dump-0.4b13/dump/main. c

--- Dump-0.4b13/dump/main_orig.c Mon Feb 28 14:40:01 2000

++ Dump-0.4b13/dump/main. c Mon Feb 28 14:40:57 2000

@-273,6 + 273,9 @@

Exit (X_STARTUP );

}

Disk = * argv ++;

+ If (strlen (disk)> 255)

+ Exit (X_STARTUP );

+

Argc --;

If (argc> = 1 ){

(Void) fprintf (stderr, "Unknown arguments to dump :");

Temporary solution:

Remove the suid bit of dump: chmod a-s/sbin/dump