On FreeBSD, dump has the same hole I described in my previous post. Only it is
exploitable :-)
Dump with Kerberos has __atexit and __cleanup after all the other variables on the
heap. By overwriting these variables you can start your shellcode.
Most of the credit should go to zen-parse who foun
I checked Red Hat 5.2's dump (dump-0.3) and it doesn't seem vulnerable in an exploitable
way.
There's a minor heap overflow though:
snipped from optr.c:
msg(const char *fmt, ...)
{
...
va_start(ap, fmt);
#else
va_start(ap);
#endif
(void) vfprintf(stderr, fmt, ap
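As an added illustration of the __atexit/__cleanup overwrite described above (this is not code from the original post and not dump's real heap layout): a hypothetical struct places an attacker-controlled buffer directly in front of a libc-style exit hook, an unbounded copy runs off the end of the buffer into the hook, and the simulated exit then calls whatever address landed there. Beside it is the bounded copy that leaves the hook intact. The names (late_heap, copy_label_unsafe, fake_shellcode, run_exit_hook) and sizes are assumptions for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout for the demo: an attacker-influenced buffer followed by the
 * slot libc consults at exit (the role __cleanup / __atexit play in the post). */
#define LABEL_LEN 16

struct late_heap {
    char label[LABEL_LEN];      /* data the attacker controls */
    void (*cleanup)(void);      /* stands in for __cleanup: called on exit */
};

static int hijacked_calls = 0;

static void benign_cleanup(void) { /* what libc would normally run at exit */ }

/* Stand-in for shellcode: only records that control reached it. */
static void fake_shellcode(void) { hijacked_calls++; }

/* The bug class: copy length comes from the input, not the buffer size.
 * The write goes through a raw pointer into the allocation, so bytes past
 * LABEL_LEN land on the cleanup slot that follows the buffer. */
static void copy_label_unsafe(struct late_heap *h, const unsigned char *src, size_t len) {
    unsigned char *dst = (unsigned char *)h + offsetof(struct late_heap, label);
    memcpy(dst, src, len);
}

/* Hardened version: clamp to the buffer and NUL-terminate. */
static void copy_label_safe(struct late_heap *h, const unsigned char *src, size_t len) {
    if (len > LABEL_LEN - 1)
        len = LABEL_LEN - 1;
    memcpy(h->label, src, len);
    h->label[len] = '\0';
}

/* Simulates exit(): libc reaches the hook and calls it. */
static void run_exit_hook(struct late_heap *h) { h->cleanup(); }

/* Attacker input: filler up to the cleanup slot, then the address to call.
 * Returns the number of bytes written into out. */
static size_t build_payload(unsigned char *out, void (*target)(void)) {
    size_t fill = offsetof(struct late_heap, cleanup);
    memset(out, 'A', fill);
    memcpy(out + fill, &target, sizeof target);   /* native byte order */
    return fill + sizeof target;
}

/* Returns how many times the fake shellcode ran after the copy and the
 * simulated exit: 1 with the unsafe copy, 0 with the bounded one. */
int demo(int use_safe_copy) {
    unsigned char payload[sizeof(struct late_heap)];
    size_t n = build_payload(payload, fake_shellcode);
    struct late_heap *h = calloc(1, sizeof *h);
    if (!h)
        return -1;
    h->cleanup = benign_cleanup;
    hijacked_calls = 0;
    if (use_safe_copy)
        copy_label_safe(h, payload, n);
    else
        copy_label_unsafe(h, payload, n);
    run_exit_hook(h);
    free(h);
    return hijacked_calls;
}

int main(void) {
    printf("unsafe copy: shellcode ran %d time(s)\n", demo(0));
    printf("safe copy:   shellcode ran %d time(s)\n", demo(1));
    return 0;
}
```

The payload length is derived from offsetof so the pointer lands exactly on the slot on both 32- and 64-bit builds; a real exploit would of course have to find the distance from the overflowed buffer to __cleanup in the live process, which is the part the post leaves to the reader.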