4850594 2000-03-01  01:10  /75 lines/ Postmaster
Recipient: Bugtraq (import) <10018>
Subject: [ Hackerslab bug_paper ] Linux dump buffer overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@securityfocus.com
Message-ID:  <200002280617.PAA13373@ce.hannam.ac.kr>
Date:         Mon, 28 Feb 2000 15:17:33 +0900
Reply-To: "Kim Yong-jun (KimYongJun, '99 graduate)" <s96192@CE.HANNAM.AC.KR>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: "Kim Yong-jun (KimYongJun, '99 graduate)" <s96192@CE.HANNAM.AC.KR>
X-To:         BUGTRAQ@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

[ Hackerslab bug_paper ] Linux dump buffer overflow


File   :   /sbin/dump

SYSTEM :   Linux


INFO :


The problem occurs when it gets the argument.  It accepts the
argument without checking its length, and this causes the problem.

It seems that this vulnerability also applies to RedHat Linux 6.2beta,
the latest version.


[loveyou@loveyou SOURCES]$ dump  -f a `perl -e 'print "x" x 556'`
  DUMP: Date of this level 0 dump: Mon Feb 28 14:45:01 2000
  DUMP: Date of last level  dump: the epoch
  DUMP: Dumping
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
to a
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:
File name too long while opening filesystem
  DUMP: SIGSEGV: ABORTING!
Segmentation fault

[loveyou@loveyou SOURCES]$ dump  -f a `perl -e 'print "loveyou" x 556'`
  DUMP: SIGSEGV: ABORTING!
Segmentation fault    <=  occurs in ctime4()


How to fix
----------

patch :

[root@loveyou SOURCES]# diff -ru dump-0.4b13/dump/main_orig.c dump-0.4b13/dump/main.c
--- dump-0.4b13/dump/main_orig.c        Mon Feb 28 14:40:01 2000
+++ dump-0.4b13/dump/main.c     Mon Feb 28 14:40:57 2000
@@ -273,6 +273,9 @@
                exit(X_STARTUP);
        }
        disk = *argv++;
+        if ( strlen(disk) > 255 )
+           exit(X_STARTUP);
+
        argc--;
        if (argc >= 1) {
                (void)fprintf(stderr, "Unknown arguments to dump:");
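Review bot: the new `if ( strlen(disk) > 255 ) exit(X_STARTUP);` exits silently, so a user who trips it gets no explanation; print a diagnostic first, the way the `Unknown arguments to dump:` path two lines below does with fprintf(stderr, ...). The bound is also a literal 255 rather than the destination's size: if the buffer that `disk` is later copied into is itself 255 bytes, `> 255` still admits a 255-character argument whose terminator lands one byte past the end, so write the test against the array (`strlen(disk) >= sizeof pathname`) and let it track the declaration. This only limits `disk`; any other write into the same buffer from a different source is not covered by this check.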



hot fix :
It is recommended that the suid bit be removed from dump using
the command :

    chmod a-s /sbin/dump




- Yong-jun, Kim -
e-mail : loveyou@hackerslab.org       s96192@ce.hannam.ac.kr
homepage : http://www.hackerslab.org    http://ce.hannam.ac.kr/~s96192
(4850594) ------------------------------------------(rewrapped)
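An added example, written for this page and not code from dump or from the post above: the unbounded copy of the filesystem argument into a fixed-size `pathname` that the report describes, beside a bounded replacement that refuses the 556-byte argument with ENAMETOOLONG, and a small check showing why swapping in a bare strncpy() with the buffer size is not a fix (it can leave the destination unterminated). The 255-byte buffer is an assumption based on `char pathname[NAME_MAX]` and NAME_MAX being 255 on Linux; the function names are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define PATHBUF 255   /* assumed: dump's pathname[NAME_MAX], NAME_MAX == 255 on Linux */

/* Vulnerable shape from the report (do not use): strcpy() has no idea how
 * large pathname is, so a 556-byte argv element runs past its end. */
void copy_disk_unchecked(char *pathname, const char *disk)
{
    strcpy(pathname, disk);
}

/* Length of s, but never looking further than max bytes (like strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Bounded replacement.  Returns 0 with dst filled, or -1 with errno set to
 * ENAMETOOLONG when disk (plus its terminator) does not fit in dstsize.
 * The length scan stops at dstsize bytes, so the check itself never walks
 * an arbitrarily long argument. */
int copy_disk_checked(char *dst, size_t dstsize, const char *disk)
{
    size_t n;

    if (dstsize == 0) {
        errno = EINVAL;
        return -1;
    }
    n = bounded_len(disk, dstsize);
    if (n == dstsize) {            /* no NUL within dstsize bytes: too long */
        dst[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, disk, n + 1);      /* n bytes plus the terminating NUL */
    return 0;
}

/* Why strncpy(dst, src, dstsize) alone is not a fix: when src has no NUL
 * within dstsize bytes, neither does dst.  Returns 1 if the copy left dst
 * unterminated, 0 if it is terminated, -1 if dstsize exceeds the scratch buffer. */
int strncpy_leaves_unterminated(const char *src, size_t dstsize)
{
    char dst[64];

    if (dstsize > sizeof dst)
        return -1;
    memset(dst, 'X', sizeof dst);  /* poison: a NUL can only come from strncpy */
    strncpy(dst, src, dstsize);
    return memchr(dst, '\0', dstsize) == NULL;
}

/* The 556-byte argument from the report: 1 if rejected with ENAMETOOLONG. */
int demo_overlong_arg_rejected(void)
{
    char pathname[PATHBUF];
    char arg[557];                 /* constructed input, as in the post */

    memset(arg, 'x', 556);
    arg[556] = '\0';
    errno = 0;
    return copy_disk_checked(pathname, sizeof pathname, arg) == -1
        && errno == ENAMETOOLONG;
}

/* A normal device path: 1 if it is copied intact. */
int demo_normal_arg_copied(void)
{
    char pathname[PATHBUF];

    return copy_disk_checked(pathname, sizeof pathname, "/dev/hda1") == 0
        && strcmp(pathname, "/dev/hda1") == 0;
}

int main(void)
{
    printf("556-byte argument rejected: %d\n", demo_overlong_arg_rejected());
    printf("/dev/hda1 copied intact:    %d\n", demo_normal_arg_copied());
    printf("strncpy of 8 bytes into 8 left it unterminated: %d\n",
           strncpy_leaves_unterminated("abcdefgh", 8));
    return 0;
}
```

Rejecting is preferable to truncating: a silently truncated device path would make dump back up something other than what was asked for, and the caller learns nothing from a truncated copy but does from ENAMETOOLONG.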

4854430 2000-03-02  03:45  /73 lines/ Postmaster
Recipient: Bugtraq (import) <10065>
Subject: Re: [ Hackerslab bug_paper ] Linux dump buffer overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@securityfocus.com
X-Sender: super@pager.ce.net
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=X-UNKNOWN
Message-ID:  <Pine.LNX.4.10.10003010957570.3511-100000@pager.ce.net>
Date:         Wed, 1 Mar 2000 09:58:16 -0500
Reply-To: Derek Callaway <super@UDEL.EDU>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Derek Callaway <super@UDEL.EDU>
X-To:         BUGTRAQ@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by samantha.lysator.liu.se id DAA23376

On Mon, 28 Feb 2000, Kim Yong-jun (KimYongJun, '99 graduate) wrote:

> [ Hackerslab bug_paper ] Linux dump buffer overflow

<snip>

> 
> [loveyou@loveyou SOURCES]$ dump  -f a `perl -e 'print "x" x 556'`
>   DUMP: Date of this level 0 dump: Mon Feb 28 14:45:01 2000
>   DUMP: Date of last level  dump: the epoch
>   DUMP: Dumping xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx to a
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: File name too long while opening filesystem
>   DUMP: SIGSEGV: ABORTING!
> Segmentation fault
> 

<snip>

Could this be a problem with glibc, as well? 

[super@white dump]$ pwd
/usr/src/redhat/SOURCES/dump-0.4b4/dump
[super@white dump]$ echo -e "ru -0 `perl -e 'print "A"x5000;'`\nbt" | gdb dump
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(gdb) Starting program: /usr/src/redhat/SOURCES/dump-0.4b4/dump/dump -0 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
<snipped long string>
---Type <return> to continue, or q <return> to quit---Program received signal SIGSEGV, Segmentation fault.
getenv (name=0x40111a70 "") at ../sysdeps/generic/getenv.c:88
88      ../sysdeps/generic/getenv.c: No such file or directory.
(gdb) #0  getenv (name=0x40111a70 "") at ../sysdeps/generic/getenv.c:88
#1  0x400b3f4a in tzset_internal (always=1094795585) at tzset.c:144
#2  0x400b4ceb in __tz_convert (timer=0xbfffd790, use_localtime=1,
    tp=0x4011e4e0) at tzset.c:575
#3  0x400b08bc in localtime (t=0xbfffd790) at localtime.c:43
#4  0x400b07f8 in ctime (t=0xbfffd790) at ctime.c:32
#5  0x804adde in main (argc=1094795585, argv=0x41414141) at main.c:355
(gdb) [super@white dump]$

From this gdb session, it appears that there _could_ be a problem with
the way that glibc's time functions behave.

--
/* Derek Callaway <super@udel.edu> char *sites[]={"http://www.geekwise.com", 
   Programmer; CE Net, Inc. "http://www.freezersearch.com/index.cfm?aff=dhc",
   (302) 837-8769           "http://www.homeworkhelp.org",0};  S@IRC  */
(4854430) ------------------------------------------

4854508 2000-03-02  05:43  /54 lines/ Postmaster
Recipient: Bugtraq (import) <10073>
Subject: Re: [ Hackerslab bug_paper ] Linux dump buffer overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Accept-Language: en
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Message-ID:  <38BC8725.99447F91@secureaustin.com>
Date:         Tue, 29 Feb 2000 20:57:41 -0600
Reply-To: H D Moore <hdm@SECUREAUSTIN.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: H D Moore <hdm@SECUREAUSTIN.COM>
X-To:         "Kim Yong-jun (KimYongJun, '99 graduate)" <s96192@CE.HANNAM.AC.KR>
X-cc:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by samantha.lysator.liu.se id FAA26676

Hi, 

Confirmed this on SuSE 6.2.  The magic number of bytes is 347.  Dump
is not su/gid so this seems to be more of an annoyance than a
security issue for SuSE boxen (not sure of others).

-HD

"Kim Yong-jun (KimYongJun, '99 graduate)" wrote:
> 
> [ Hackerslab bug_paper ] Linux dump buffer overflow
> 
> File   :   /sbin/dump
> 
> SYSTEM :   Linux
> 
> INFO :
> 
> The problem occurs when it gets the argument.
> It accepts the argument without checking its length, and this causes the problem.
> 
> It seems that this vulnerability also applies to RedHat Linux 6.2beta,
> the latest version.
> 
> [loveyou@loveyou SOURCES]$ dump  -f a `perl -e 'print "x" x 556'`
>   DUMP: Date of this level 0 dump: Mon Feb 28 14:45:01 2000
>   DUMP: Date of last level  dump: the epoch
>   DUMP: Dumping xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx to a
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: File name too long while opening filesystem
>   DUMP: SIGSEGV: ABORTING!
> Segmentation fault
> 
> [loveyou@loveyou SOURCES]$ dump  -f a `perl -e 'print "loveyou" x 556'`
>   DUMP: SIGSEGV: ABORTING!
> Segmentation fault    <=  occurs in ctime4()
>
(4854508) ------------------------------------------(rewrapped)

4857524 2000-03-02  19:37  /27 lines/ Postmaster
Recipient: Bugtraq (import) <10083>
Subject: Re: [ Hackerslab bug_paper ] Linux dump buffer overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.GSO.4.21.0003012332100.21759-100000@vellocet.insync.net>
Date:         Wed, 1 Mar 2000 23:34:12 -0600
Reply-To: Joe Shaw <jshaw@INSYNC.NET>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Joe Shaw <jshaw@INSYNC.NET>
X-To:         Brett Lymn <blymn@BAEA.COM.AU>
X-cc:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <200003010038.LAA09130@mallee.awadi>

This is the same behavior as all my OpenBSD 2.6-Release boxes.
/sbin/dump is also not SUID/SGID on these systems by default.

--
Joseph W. Shaw - jshaw@insync.net
Free UNIX advocate - "I hack, therefore I am."

On Wed, 1 Mar 2000, Brett Lymn wrote:

> NetBSD-current, at least, is not vulnerable to this.  It just returns
> a filename too long error.  I do not have a release version of NetBSD
> to try this on at the moment.
(4857524) ------------------------------------------(rewrapped)

4857616 2000-03-02  20:23  /31 lines/ Postmaster
Recipient: Bugtraq (import) <10086>
Subject: Re: [ Hackerslab bug_paper ] Linux dump buffer overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=iso-8859-2
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
Message-ID:  <XFMail.20000302065007.venglin@freebsd.lublin.pl>
Date:         Thu, 2 Mar 2000 06:50:07 +0100
Reply-To: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
Organization: Lublin BSD Users Group (www.freebsd.lublin.pl)
X-To:         Derek Callaway <super@UDEL.EDU>
X-cc:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.10.10003010957570.3511-100000@pager.ce.net>

On 01-Mar-2000 Derek Callaway wrote:
> (gdb) #0  getenv (name=0x40111a70 "") at ../sysdeps/generic/getenv.c:88
> From this gdb session, it appears that there _could_ be a problem with
> the way that glibc's time functions behave.

No. getenv() fails because *envp, argc, **argv are AFTER the pathname[]
buffer and get overwritten.

Of course, it is still exploitable.

-- * Fido: 2:480/124 ** WWW: http://www.freebsd.lublin.pl ** NIC-HDL:
PMF9-RIPE * * Inet: venglin@freebsd.lublin.pl ** PGP:
D48684904685DF43  EA93AFA13BE170BF *
(4857616) ------------------------------------------(rewrapped)

4857705 2000-03-02  21:13  /105 lines/ Postmaster
Recipient: Bugtraq (import) <10088>
Subject: Re: [ Hackerslab bug_paper ] Linux dump buffer overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Message-ID:  <01d501bf8462$cca09280$199215a5@eugenteo>
Date:         Fri, 3 Mar 2000 00:16:45 +0800
Reply-To: Eugene Teo <eugeneteo@EUGENETEO.NET>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Eugene Teo <eugeneteo@EUGENETEO.NET>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

A server running Redhat 6.1 doesn't seem to be vulnerable to this.  Like
NetBSD, it just returns a filename too long error.

Anyhow, I removed the suid bit from dump.

--
Eugene Teo - http://www.eugeneteo.net - http://linux.com.sg
Email: eugeneteo@eugeneteo.net, eugeneteo@linux.com.sg


----- Original Message -----
From: Kim Yong-jun (KimYongJun, '99 graduate) <s96192@CE.HANNAM.AC.KR>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Monday, February 28, 2000 2:17 PM
Subject: [ Hackerslab bug_paper ] Linux dump buffer overflow


> [ Hackerslab bug_paper ] Linux dump buffer overflow
>
>
> File   :   /sbin/dump
>
> SYSTEM :   Linux
>
>
> INFO :
>
>
> The problem occurs when it gets the argument.
> It accepts the argument without checking its length, and this causes
> the problem.
>
> It seems that this vulnerability also applies to RedHat Linux 6.2beta,
> the latest version.
>
>
> [loveyou@loveyou SOURCES]$ dump  -f a `perl -e 'print "x" x 556'`
>   DUMP: Date of this level 0 dump: Mon Feb 28 14:45:01 2000
>   DUMP: Date of last level  dump: the epoch
>   DUMP: Dumping xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx to a
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: File name too long while opening filesystem
>   DUMP: SIGSEGV: ABORTING!
> Segmentation fault
>
> [loveyou@loveyou SOURCES]$ dump  -f a `perl -e 'print "loveyou" x 556'`
>   DUMP: SIGSEGV: ABORTING!
> Segmentation fault    <=  occurs in ctime4()
>
>
> How to fix
> ----------
>
> patch :
>
> [root@loveyou SOURCES]# diff -ru dump-0.4b13/dump/main_orig.c
dump-0.4b13/dump/main.c
> --- dump-0.4b13/dump/main_orig.c        Mon Feb 28 14:40:01 2000
> +++ dump-0.4b13/dump/main.c     Mon Feb 28 14:40:57 2000
> @@ -273,6 +273,9 @@
>                 exit(X_STARTUP);
>         }
>         disk = *argv++;
> +        if ( strlen(disk) > 255 )
> +           exit(X_STARTUP);
> +
>         argc--;
>         if (argc >= 1) {
>                 (void)fprintf(stderr, "Unknown arguments to dump:");
>
>
>
> hot fix :
> it  is recommended that  the suid bit is
> removed from dump using command :
>
>     chmod a-s /sbin/dump
>
>
>
>
> - Yong-jun, Kim -
> e - mail : loveyou@hackerslab.org       s96192@ce.hannam.ac.kr
> homepage : http://www.hackerslab.org    http://ce.hannam.ac.kr/~s96192
(4857705) ------------------------------------------

4861201 2000-03-03  21:09  /44 lines/ Postmaster
Recipient: Bugtraq (import) <10101>
Subject: Re: [ Hackerslab bug_paper ] Linux dump buffer overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@securityfocus.com
X-Sender: super@pager.ce.net
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.LNX.4.10.10003021534400.5417-100000@pager.ce.net>
Date:         Thu, 2 Mar 2000 15:48:05 -0500
Reply-To: Derek Callaway <super@UDEL.EDU>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Derek Callaway <super@UDEL.EDU>
X-To:         BUGTRAQ@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <01d501bf8462$cca09280$199215a5@eugenteo>

On Fri, 3 Mar 2000, Eugene Teo wrote:

> server running Redhat 6.1 doesn't seem to be vulnerable to this.  Like

Not true -- RedHat is vulnerable. The example given by KimYongJun
shows an overflow with only 556 characters. 556 bytes doesn't seem to
overflow the RedHat version of dump; it only produces a filename too
long error as you stated. This causes a Segmentation fault on my
RedHat 6.1 machine:

[super@white super]$ rpm -qf /sbin/dump
dump-0.4b4-11
[super@white super]$ /sbin/dump -0 `perl -e 'print "a"x1024;'`
  DUMP: SIGSEGV: ABORTING!
Segmentation fault

According to
http://rpmfind.net/linux/RPM/redhat/6.1/i386/dump-0.4b4-11.i386.html,
dump-0.4b4-11 is the version of dump that is distributed with RedHat
6.1.  I believe this overflow is rather difficult to exploit,
(although, not impossible) as a result of a setuid(getuid()) before
the offending code and the signal handler for SIGSEGV.

<snip>

--
/* Derek Callaway <super@udel.edu> char *sites[]={"http://www.geekwise.com",
   Programmer; CE Net, Inc. "http://www.freezersearch.com/index.cfm?aff=dhc",
   (302) 837-8769           "http://www.homeworkhelp.org",0};  S@IRC  */
(4861201) ------------------------------------------(rewrapped)

4870095 2000-03-07  07:34  /61 lines/ Postmaster
Recipient: Bugtraq (import) <10111>
Subject: Re: [ Hackerslab bug_paper ] Linux dump buffer overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Message-ID:  <20000304185543.1010.qmail@securityfocus.com>
Date:         Sat, 4 Mar 2000 18:55:43 -0000
Reply-To: Ronald Huizer <ronald@GRAFIX.NL>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Ronald Huizer <ronald@GRAFIX.NL>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <XFMail.20000302065007.venglin@freebsd.lublin.pl>


>No. getenv() fails because *envp, argc, **argv are AFTER
>pathname[]
>buffer and gets overwritten.

>Of course, it is still exploitable.

It doesn't quite look that way to me.
The overflow takes place after the setuid(getuid()) call has
been made, which renders execution of shellcode useless to
us.

The first overflow that is encountered in this way is NOT
the strcpy(pathname, disk) but the realpath() function, which
expects pathname to be of size MAXPATHLEN instead of a mere
255 bytes. After this the buffer is overflowed again by the
strcpy() call.

After patching pathname to be of MAXPATHLEN size the buffer
still gets overflowed by the strcpy() function, which should
be changed to a strncpy() to function properly.

Full patch included (not a workaround that just chokes in
a \0 at the end of char *disk).

--- main.c.old  Fri Jan 21 11:17:41 2000
+++ main.c      Sat Mar  4 19:42:13 2000
@@ -119,7 +119,7 @@
 #ifdef __linux__
        errcode_t retval;
        char directory[NAME_MAX];
-       char pathname[NAME_MAX];
+       char pathname[MAXPATHLEN];
 #endif
        time_t tnow;
        char labelstr[LBLSIZE];
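Review bot: `directory[NAME_MAX]`, declared on the line just above the changed one, keeps its old size while `pathname` grows to MAXPATHLEN; the second hunk passes both to fstabsearchdir(pathname, directory), so either confirm that function bounds what it writes into `directory` or give it the same MAXPATHLEN treatment, otherwise the larger source can drive an overflow of the smaller buffer instead. MAXPATHLEN is already in use in this function (`char name[MAXPATHLEN]` in the next hunk), so no new header is needed for the change.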
@@ -363,7 +363,7 @@
 #ifdef HAVE_REALPATH
                if (realpath(disk, pathname) == NULL)
 #endif
-                       strcpy(pathname, disk);
+                       strncpy(pathname, disk, MAXPATHLEN);
                dt = fstabsearchdir(pathname, directory);
                if (dt != NULL) {
                        char name[MAXPATHLEN];
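Review bot: `strncpy(pathname, disk, MAXPATHLEN)` does not NUL-terminate when `disk` is MAXPATHLEN bytes or longer, so the very case this patch targets leaves `pathname` unterminated and the following fstabsearchdir(pathname, directory) reads past the buffer. Either copy MAXPATHLEN - 1 bytes and set `pathname[MAXPATHLEN - 1] = '\0';`, or, better, reject the argument outright (`if (strlen(disk) >= MAXPATHLEN) { fprintf(stderr, ...); exit(X_STARTUP); }`), since a silently truncated device path would make dump back up the wrong filesystem. The realpath() failure branch also still falls through to the copy without saying why realpath failed; printing strerror(errno) there would tell the user.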

Cheers,

Ronald Huizer - ronald@grafix.nl
(4870095) ------------------------------------------

4870112 2000-03-07  07:45  /103 lines/ Postmaster
Recipient: Bugtraq (import) <10113>
Subject: (fwd) Dump/restore 0.4b15 released
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@securityfocus.com
Message-ID:  <200003042213.RAA18339@pager.ce.net>
Date:         Sat, 4 Mar 2000 17:13:14 -0500
Reply-To: Derek Callaway <super@PAGER.CE.NET>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Derek Callaway <super@PAGER.CE.NET>
X-To:         BUGTRAQ@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

-- forwarded message --
From: Stelian Pop <pop@cybercable.fr>
Newsgroups: comp.os.linux.announce
Subject: Dump/restore 0.4b15 released
Followup-To: comp.os.linux.misc
Date: Sat,  4 Mar 2000 12:38:20 GMT
Organization: none
Lines: 61
Approved: linux-announce@news.ornl.gov (Mikko Rauhala)
Message-ID: <pycola.952173500.20135@revelation.bak.helsinki.fi>

-----BEGIN PGP SIGNED MESSAGE-----


A new maintenance release of dump/restore ext2fs backup utilities
has been released.

This release fixes some bugs and adds a useful option to dump. For
details, read the ChangeLog below.

Dump/restore is available for download/bug reporting at:
	http://dump.sourceforge.net

Regards,

Stelian.

Changes between versions 0.4b14 and 0.4b15 (released March 2, 2000)
===================================================================

1.      Added a prompt command in interactive restore mode. Thanks
        to Andreas Dilger <adilger@home.com> for the patch.

2.      Fixed a buffer overflow problem in dump (caused by
        not checking the size of the filesystem parameter).
        Thanks to Kim Yong-jun <loveyou@hackerslab.org> for
        reporting this on Bugtraq (and to several dump users
        who forwarded me his mail).

3.      Added the '-F script' option to dump in order to
        launch a script at the end of each tape (to be used
        with a tape changer, or to notify the sysadmin by
        pager etc.).

4.      Fixed a bug in restore compare code caused by the changes
        I made in 0.4b14.

5.      Fixed the treatment of options using the old BSD syntax
        in both dump and restore.

- --
Stelian Pop <pop@cybercable.fr>



- -- This article has been digitally signed by the moderator, using
PGP.  http://www.iki.fi/mjr/cola-public-key.asc has PGP key for
validating signature.  Send submissions for comp.os.linux.announce
to: linux-announce@news.ornl.gov PLEASE remember a short description
of the software and the LOCATION.  This group is archived at
http://www.iki.fi/mjr/linux/cola.html

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: latin1

iQCVAgUBOMEDvFrUI/eHXJZ5AQG5pwP5AWspKxiaAE+yxtCQc0btIAAMAI6/Xgxg
y4A7LhlHVzDbCfyaQAQZBEyoc59KhNEj1nR9tyTBI4AMOjlf3lH00Zbrujnf/Aid
Oh3UDmMabrwwx7mEQ1GsQ7AttXY+pwtyJJAhyTlr9NzAjS+lzsc+HAA6wKXttkj+
xKbotaLOXks=
=6tgS
-----END PGP SIGNATURE-----
-- end of forwarded message --

--
/* Derek Callaway <super@udel.edu> : Programmer; CE Net, Inc. -- S@IRC */
   char *sites[]={"http://www.freezersearch.com/index.cfm?aff=dhc",
   "http://www.geekwise.com","http://www.homeworkhelp.org",0};
(4870112) ------------------------------------------(rewrapped)

4870147 2000-03-07  08:21  /30 lines/ Postmaster
Recipient: Bugtraq (import) <10117>
Subject: Re: [ Hackerslab bug_paper ] Linux dump buffer overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=iso-8859-2
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
Message-ID:  <XFMail.20000304000835.venglin@freebsd.lublin.pl>
Date:         Sat, 4 Mar 2000 00:08:35 +0100
Reply-To: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
Organization: Lublin BSD Users Group (www.freebsd.lublin.pl)
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.10.10003021534400.5417-100000@pager.ce.net>

On 02-Mar-2000 Derek Callaway wrote:
> I believe this overflow is rather difficult to exploit, (although, not
> impossible) as a result of a setuid(getuid()) before the offending code

It does setuid(), but NOT setgid(). Still vulnerable.

The major problem is how to pass a valid **envp to the stack and let
getenv() successfully return. Probably possible by giving a pointer to
some valid environment in shared libs.

-- * Fido: 2:480/124 ** WWW: http://www.freebsd.lublin.pl ** NIC-HDL:
PMF9-RIPE * * Inet: venglin@freebsd.lublin.pl ** PGP:
D48684904685DF43  EA93AFA13BE170BF *
(4870147) ------------------------------------------(rewrapped)
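An added example, not dump's code: the privilege drop that the message above is about. `drop_uid_only()` mirrors what the thread says dump did (setuid(getuid()) and nothing else, so a setgid-root binary keeps gid 0), and `drop_privileges()` is the complete drop in the one order that works, with a verification step and a check for the leaked root gid that the TurboLinux advisory later in this thread describes. Tolerating EPERM from setgroups() is an assumption made so the example also runs in sandboxes that strip CAP_SETGID; a production program should treat that as fatal.

```c
#define _GNU_SOURCE               /* setgroups() in <grp.h> on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* What the thread says dump did: drop the uid and nothing else.  In a
 * setuid+setgid-root binary this leaves egid 0 and the saved gid 0. */
int drop_uid_only(void)
{
    return setuid(getuid());
}

/* Complete drop, in the only order that works:
 *   1. supplementary groups, while we still have euid 0 / CAP_SETGID;
 *   2. gid, while euid is still 0 so real, effective AND saved gid all change;
 *   3. uid last.
 * Calling setuid() first would leave the saved set-group-ID at 0, and an
 * unprivileged process may setegid() back to its saved gid at any time.
 * Returns 0 only if the effective ids afterwards equal the real ids. */
int drop_privileges(void)
{
    if (geteuid() == 0) {
        /* Assumption for this example: EPERM here means uid 0 without
         * CAP_SETGID (a sandbox) and is tolerated; treat it as fatal in
         * a real setuid program. */
        if (setgroups(0, NULL) != 0 && errno != EPERM)
            return -1;
    }
    if (setgid(getgid()) != 0)
        return -1;
    if (setuid(getuid()) != 0)
        return -1;
    /* Never trust the calls alone: verify the result. */
    if (geteuid() != getuid() || getegid() != getgid()) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* The condition the advisory describes: root's gid still effective while
 * the real gid is something else.  Returns 1 if the root gid leaked. */
int root_gid_leaked(void)
{
    return getegid() == 0 && getgid() != 0;
}

int main(void)
{
    printf("before: uid=%d euid=%d gid=%d egid=%d\n",
           (int)getuid(), (int)geteuid(), (int)getgid(), (int)getegid());
    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("after:  uid=%d euid=%d gid=%d egid=%d root_gid_leaked=%d\n",
           (int)getuid(), (int)geteuid(), (int)getgid(), (int)getegid(),
           root_gid_leaked());
    return 0;
}
```

Run it as an ordinary user and the ids are unchanged; install the binary setgid root (`chgrp root a.out; chmod g+s a.out`) and the "before" line shows egid=0 while "after" shows it gone. Swap `drop_uid_only()` in for `drop_privileges()` and the egid=0 survives, which is exactly the state the thread is discussing.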

4870432 2000-03-07  09:14  /42 lines/ Postmaster
Recipient: Bugtraq (import) <10122>
Subject: Re: [ Hackerslab bug_paper ] Linux dump buffer overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
X-Originating-IP: [195.130.132.50]
Message-ID:  <20000303195341.10243.qmail@fiver.freemessage.com>
Date:         Fri, 3 Mar 2000 19:53:41 -0000
Reply-To: Lamagra Argamal <lamagra@HACKERMAIL.NET>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Lamagra Argamal <lamagra@HACKERMAIL.NET>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

I checked RedHat's 5.2 dump (dump-0.3) and it doesn't seem vulnerable
in an exploitable way.  There's a minor heap-overflow though:

snipped from optr.c

msg(const char *fmt, ...)
{
	.......
        va_start(ap, fmt);
#else
        va_start(ap);
#endif
        (void) vfprintf(stderr, fmt, ap);
        (void) fflush(stdout);
        (void) fflush(stderr);
        (void) vsprintf(lastmsg, fmt, ap);
        va_end(ap);
	......
}

lastmsg is a global variable of size 100.

-lamagra
http://lamagra.seKure.de
http://www.b0f.com



(4870432) ------------------------------------------(rewrapped)
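An added example, not dump's optr.c: the msg() shape quoted above, with the unbounded vsprintf() into the 100-byte global replaced by vsnprintf(), plus the va_copy() the original also needs, because handing the same va_list to vfprintf() and then to vsprintf() is undefined behaviour. The 100-byte size comes from the post; names other than `lastmsg` are this example's own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LASTMSG_SIZE 100          /* size of dump's global lastmsg, per the post */
static char lastmsg[LASTMSG_SIZE];

/* The shape quoted above (do not use): vsprintf() has no bound, and the
 * same va_list is walked twice, once by vfprintf() and once by vsprintf(),
 * which is undefined without va_copy(). */
void msg_unbounded(const char *fmt, ...)
{
    va_list ap;

    va_start(ap, fmt);
    (void) vfprintf(stderr, fmt, ap);
    (void) vsprintf(lastmsg, fmt, ap);
    va_end(ap);
}

/* Bounded version.  Writes at most LASTMSG_SIZE-1 characters plus NUL into
 * lastmsg, formats the second pass from a copy of the va_list, and returns
 * the length the full message would have had, so a caller can detect
 * truncation (return value >= LASTMSG_SIZE). */
int msg_bounded(const char *fmt, ...)
{
    va_list ap, ap2;
    int n;

    va_start(ap, fmt);
    va_copy(ap2, ap);
    (void) vfprintf(stderr, fmt, ap);
    (void) fflush(stdout);
    (void) fflush(stderr);
    n = vsnprintf(lastmsg, sizeof lastmsg, fmt, ap2);
    va_end(ap2);
    va_end(ap);
    return n;
}

const char *last_message(void)
{
    return lastmsg;
}

/* Replays the report's 556-byte filesystem argument (constructed here)
 * through the message path.  lastmsg ends up as 99 characters plus NUL,
 * and the return value says how long the message really was. */
int demo_overlong_message(void)
{
    char arg[557];

    memset(arg, 'x', 556);
    arg[556] = '\0';
    return msg_bounded("  DUMP: Dumping %s to %s\n", arg, "a");
}

int main(void)
{
    int n = demo_overlong_message();

    printf("full message length %d, stored %zu bytes, truncated=%d\n",
           n, strlen(last_message()), n >= LASTMSG_SIZE);
    return 0;
}
```

Because `lastmsg` is global, this overflow lands in .bss rather than on the stack, which is why the poster calls it a heap overflow and minor; the fix is the same either way, and the return value lets the caller log that the stored copy is incomplete instead of trusting it later.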

4910329 2000-03-17  01:53  /140 lines/ The mail carrier (which is implemented in) Python
Recipient: Bugtraq (import) <10247>
Subject: [TL-Security-Announce] dump-0.4b11-1 and earlier TLSA200007-1
------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        TurboLinux Security Announcement


        Package: dump-0.4b11-1 and earlier
        Date:   Wed Mar 15 12:03:18 PST 2000

        Affected TurboLinux versions: 6.0.2 and earlier
        Vulnerability Type:  local buffer overrun
	TurboLinux Advisory ID#:  TLSA200007-1
	BugTraq ID#: 1020
        Credits:  This vulnerability was posted to the Bugtraq mailing list by
	KimYongJun <s96192@ce.hannam.ac.kr> on February 28, 2000.
______________________________________________________________________________

A security hole was discovered in the package mentioned above.
Please update the package in your installation as soon as possible or
disable the service.
_____________________________________________________________________________

1. Problem Summary

   The dump utility is setuid and setgid root.  Previous versions of
   dump did not correctly drop the effective gid settings.  When
   passed an oversized argument to the "-f a" parameters, it will
   overrun the stack.  If this argument is crafted properly, it may
   be possible to replace the instruction pointer or return address
   on the stack and execute arbitrary code with the permissions of
   the process (gid of root).


2. Impact

   An attacker could use this overrun to execute code with the gid of
   root, leading to further system compromise.

3. Solution

  Update the package from our ftp server by running the following
command:

  rpm -Fv ftp_path_to_filename

  Where ftp_path_to_filename is the following:

  ftp://ftp.turbolinux.com/pub/updates/6.0/security/dump-0.4b16-1.i386.rpm

  The source rpm can be downloaded here:

  ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/dump-0.4b16-1.src.rpm

  **Note: You must rebuild and install the rpm if you choose to
  download and install the srpm.  Simply installing the srpm alone
  WILL NOT CLOSE THE SECURITY HOLE.

  Please verify the md5 checksum of the update before you install:

  MD5 sum				Package Name
- ------------------------------------------------------------
0a3777c176c1580fe44f03acfdc70f59  dump-0.4b16-1.i386.rpm
64f95b579e6a813f2f207f1817d8c5e8  dump-0.4b16-1.src.rpm
______________________________________________________________________________

You can find more updates on our ftp server:

  ftp://ftp.turbolinux.com/pub/updates/6.0/security/ for TL6.0 Workstation and Server security updates
  ftp://ftp.turbolinux.com/pub/updates/4.0/security/ for TL4.0 Workstation and Server security updates

Our webpage for security announcements:

  http://www.turbolinux.com/security

If you want to report vulnerabilities, please contact:
  rt-security@turbolinux.com
______________________________________________________________________________

Subscribe to the TurboLinux Security Mailing lists:

  TL-security - A moderated list for discussing security issues in
TurboLinux products. Subscribe at
http://www.turbolinux.com/mailman/listinfo/tl-security

  TL-security-announce - An announce-only mailing list for security
updates and alerts. Subscribe at
http://www.turbolinux.com/mailman/listinfo/tl-security-announce
______________________________________________________________________________





-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4z/tz7eR7bnHQKeQRAvkMAJ4lunOR1BWAoide8YOg0wK6lr/jNwCcDdFa
PQMUyJkVeMoY2mL77AcHWuQ=
=DKA0
-----END PGP SIGNATURE-----



_______________________________________________
TL-Security-Announce mailing list
TL-Security-Announce@www.turbolinux.com
http://www.turbolinux.com/mailman/listinfo/tl-security-announce
(4910329) ------------------------------------------(rewrapped)