On Fri, 3 Mar 2000, Eugene Teo wrote:
> server running Redhat 6.1 doesn't seem to be vulnerable to this. Like
Not true -- RedHat is vulnerable. The example given by KimYongJun shows an
overflow with only 556 characters. 556 bytes doesn't seem to overflow the
RedHat version of dump; it only produces a filename too long
error as you stated. This causes a Segmentation fault on my RedHat 6.1
machine:
[super@white super]$ rpm -qf /sbin/dump
dump-0.4b4-11
[super@white super]$ /sbin/dump -0 `perl -e 'print "a"x1024;'`
DUMP: SIGSEGV: ABORTING!
Segmentation fault
According to
http://rpmfind.net/linux/RPM/redhat/6.1/i386/dump-0.4b4-11.i386.html,
dump-0.4b4-11 is the version of dump that is distributed with RedHat 6.1.
I believe this overflow is rather difficult to exploit, (although, not
impossible) as a result of a setuid(getuid()) before the offending code
and the signal handler for SIGSEGV.
<snip>
--
/* Derek Callaway <[EMAIL PROTECTED]> char *sites[]={"http://www.geekwise.com",
Programmer; CE Net, Inc. "http://www.freezersearch.com/index.cfm?aff=dhc",
(302) 837-8769 "http://www.homeworkhelp.org",0}; S@IRC */
