Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [ Hackerslab bug_paper ] Linux dump buffer overflow

From: super () UDEL EDU (Derek Callaway)
Date: Thu, 2 Mar 2000 15:48:05 -0500

On Fri, 3 Mar 2000, Eugene Teo wrote:


server running Redhat 6.1 doesn't seem to be vulnerable to this.  Like


Not true -- RedHat is vulnerable. The example given by KimYongJun shows an
overflow with only 556 characters. 556 bytes doesn't seem to overflow the
RedHat version of dump; it only produces a filename too long
error as you stated. This causes a Segmentation fault on my RedHat 6.1
machine:

[super@white super]$ rpm -qf /sbin/dump
dump-0.4b4-11
[super@white super]$ /sbin/dump -0 `perl -e 'print "a"x1024;'`
  DUMP: SIGSEGV: ABORTING!
Segmentation fault

According to
http://rpmfind.net/linux/RPM/redhat/6.1/i386/dump-0.4b4-11.i386.html,
dump-0.4b4-11 is the version of dump that is distributed with RedHat 6.1.
I believe this overflow is rather difficult to exploit, (although, not
impossible) as a result of a setuid(getuid()) before the offending code
and the signal handler for SIGSEGV.

<snip>

--
/* Derek Callaway <super () udel edu> char *sites[]={"http://www.geekwise.com";,
   Programmer; CE Net, Inc. "http://www.freezersearch.com/index.cfm?aff=dhc";,
   (302) 837-8769           "http://www.homeworkhelp.org",0};  S@IRC  */
Previous By Date Next
Previous By Thread Next

Current thread: