4850594 2000-03-01 01:10 /75 lines/ Postmaster
Recipient: Bugtraq (import) <10018>
Subject: [ Hackerslab bug_paper ] Linux dump buffer overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID: <200002280617.PAA13373@ce.hannam.ac.kr>
Date: Mon, 28 Feb 2000 15:17:33 +0900
From: "Kim Yong-jun (class of '99)" <s96192@CE.HANNAM.AC.KR>
To: BUGTRAQ@SECURITYFOCUS.COM

[ Hackerslab bug_paper ] Linux dump buffer overflow

File   : /sbin/dump

SYSTEM : Linux

INFO :

The problem occurs when it gets the argument.
It accepts the argument without checking its length, and this causes the problem.

It seems that this vulnerability also applies to RedHat Linux 6.2beta,
the latest version.

[loveyou@loveyou SOURCES]$ dump -f a `perl -e 'print "x" x 556'`
  DUMP: Date of this level 0 dump: Mon Feb 28 14:45:01 2000
  DUMP: Date of last level dump: the epoch
  DUMP: Dumping xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx to a
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: File name too long while opening filesystem
  DUMP: SIGSEGV: ABORTING!
Segmentation fault

[loveyou@loveyou SOURCES]$ dump -f a `perl -e 'print "loveyou" x 556'`
  DUMP: SIGSEGV: ABORTING!
Segmentation fault                  <= occurs in ctime4()

How to fix
----------

patch :

[root@loveyou SOURCES]# diff -ru dump-0.4b13/dump/main_orig.c dump-0.4b13/dump/main.c
--- dump-0.4b13/dump/main_orig.c	Mon Feb 28 14:40:01 2000
+++ dump-0.4b13/dump/main.c	Mon Feb 28 14:40:57 2000
@@ -273,6 +273,9 @@
 			exit(X_STARTUP);
 		}
 		disk = *argv++;
+		if ( strlen(disk) > 255 )
+			exit(X_STARTUP);
+
 		argc--;
 		if (argc >= 1) {
 			(void)fprintf(stderr, "Unknown arguments to dump:");

hot fix :
	it is recommended that the suid bit is
	removed from dump using the command :

	chmod a-s /sbin/dump

- Yong-jun, Kim -
e-mail   : loveyou@hackerslab.org  s96192@ce.hannam.ac.kr
homepage : http://www.hackerslab.org  http://ce.hannam.ac.kr/~s96192
(4850594) ------------------------------------------(rewrapped)

4854430 2000-03-02 03:45 /73 lines/ Postmaster
Recipient: Bugtraq (import) <10065>
Subject: Re: [ Hackerslab bug_paper ] Linux dump buffer overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.10.10003010957570.3511-100000@pager.ce.net>
Date: Wed, 1 Mar 2000 09:58:16 -0500
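Review bot: the added check `if ( strlen(disk) > 255 ) exit(X_STARTUP);` is off by one for the buffer it protects and exits silently. The destination is declared `char pathname[NAME_MAX]` (255 bytes on Linux), so an argument of exactly 255 characters passes the check and the later `strcpy(pathname, disk)` still writes 256 bytes including the terminator; the test should be `strlen(disk) >= sizeof(pathname)` (or `>= NAME_MAX`) rather than a hard-coded 255 that can drift from the declaration. Print a diagnostic before `exit(X_STARTUP)`, as the neighbouring `(void)fprintf(stderr, "Unknown arguments to dump:")` does, so the operator learns why dump stopped. The check also bounds only the raw argument: the `realpath(disk, pathname)` call that precedes the `strcpy()` can itself write up to MAXPATHLEN bytes into the same 255-byte buffer, so the buffer has to be sized for that as well.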
From: Derek Callaway <super@UDEL.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM

On Mon, 28 Feb 2000, Kim Yong-jun (class of '99) wrote:

> [ Hackerslab bug_paper ] Linux dump buffer overflow
<snip>
>
> [loveyou@loveyou SOURCES]$ dump -f a `perl -e 'print "x" x 556'`
>   DUMP: Date of this level 0 dump: Mon Feb 28 14:45:01 2000
>   DUMP: Date of last level dump: the epoch
>   DUMP: Dumping xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx to a
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: File name too long while opening filesystem
>   DUMP: SIGSEGV: ABORTING!
> Segmentation fault
>
<snip>

Could this be a problem with glibc, as well?

[super@white dump]$ pwd
/usr/src/redhat/SOURCES/dump-0.4b4/dump
[super@white dump]$ echo -e "ru -0 `perl -e 'print "A"x5000;'`\nbt" | gdb dump
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(gdb) Starting program: /usr/src/redhat/SOURCES/dump-0.4b4/dump/dump -0 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA <snipped long string>
---Type <return> to continue, or q <return> to quit---Program received signal SIGSEGV, Segmentation fault.
getenv (name=0x40111a70 "") at ../sysdeps/generic/getenv.c:88
88      ../sysdeps/generic/getenv.c: No such file or directory.
(gdb) #0  getenv (name=0x40111a70 "") at ../sysdeps/generic/getenv.c:88
#1  0x400b3f4a in tzset_internal (always=1094795585) at tzset.c:144
#2  0x400b4ceb in __tz_convert (timer=0xbfffd790, use_localtime=1, tp=0x4011e4e0) at tzset.c:575
#3  0x400b08bc in localtime (t=0xbfffd790) at localtime.c:43
#4  0x400b07f8 in ctime (t=0xbfffd790) at ctime.c:32
#5  0x804adde in main (argc=1094795585, argv=0x41414141) at main.c:355
(gdb) [super@white dump]$

From this gdb session, it appears that there _could_ be a problem with
the way that glibc's time functions behave.

--
/* Derek Callaway <super@udel.edu>      char *sites[]={"http://www.geekwise.com",
   Programmer; CE Net, Inc.             "http://www.freezersearch.com/index.cfm?aff=dhc",
   (302) 837-8769                       "http://www.homeworkhelp.org",0};   S@IRC */
(4854430) ------------------------------------------

4854508 2000-03-02 05:43 /54 lines/ Postmaster
Recipient: Bugtraq (import) <10073>
Subject: Re: [ Hackerslab bug_paper ] Linux dump buffer overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID: <38BC8725.99447F91@secureaustin.com>
Date: Tue, 29 Feb 2000 20:57:41 -0600
From: H D Moore <hdm@SECUREAUSTIN.COM>
To: "Kim Yong-jun (class of '99)" <s96192@CE.HANNAM.AC.KR>
Cc: BUGTRAQ@SECURITYFOCUS.COM

Hi,

Confirmed this on SuSE 6.2. The magic number of bytes is 347. Dump is not
suid/sgid, so this seems to be more of an annoyance than a security issue for
SuSE boxen (not sure of others).

-HD

"Kim Yong-jun (class of '99)" wrote:
>
> [ Hackerslab bug_paper ] Linux dump buffer overflow
>
> File   : /sbin/dump
>
> SYSTEM : Linux
>
> INFO :
>
> The problem occurs when it gets the argument.
> It accepts the argument without checking its length, and this causes the problem.
>
> It seems that this vulnerability also applies to RedHat Linux 6.2beta,
> the latest version.
>
> [loveyou@loveyou SOURCES]$ dump -f a `perl -e 'print "x" x 556'`
>   DUMP: Date of this level 0 dump: Mon Feb 28 14:45:01 2000
>   DUMP: Date of last level dump: the epoch
>   DUMP: Dumping xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx to a
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: File name too long while opening filesystem
>   DUMP: SIGSEGV: ABORTING!
> Segmentation fault
>
> [loveyou@loveyou SOURCES]$ dump -f a `perl -e 'print "loveyou" x 556'`
>   DUMP: SIGSEGV: ABORTING!
> Segmentation fault                  <= occurs in ctime4()
>
(4854508) ------------------------------------------(rewrapped)

4857524 2000-03-02 19:37 /27 lines/ Postmaster
Recipient: Bugtraq (import) <10083>
Subject: Re: [ Hackerslab bug_paper ] Linux dump buffer overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID: <Pine.GSO.4.21.0003012332100.21759-100000@vellocet.insync.net>
Date: Wed, 1 Mar 2000 23:34:12 -0600
From: Joe Shaw <jshaw@INSYNC.NET>
To: Brett Lymn <blymn@BAEA.COM.AU>
Cc: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200003010038.LAA09130@mallee.awadi>

This is the same behavior as on all my OpenBSD 2.6-Release boxes. /sbin/dump is
also not SUID/SGID on these systems by default.

--
Joseph W. Shaw - jshaw@insync.net
Free UNIX advocate - "I hack, therefore I am."

On Wed, 1 Mar 2000, Brett Lymn wrote:

> NetBSD-current, at least, is not vulnerable to this.  It just returns
> a filename too long error.  I do not have a release version of NetBSD
> to try this on at the moment.
(4857524) ------------------------------------------(rewrapped)

4857616 2000-03-02 20:23 /31 lines/ Postmaster
Recipient: Bugtraq (import) <10086>
Subject: Re: [ Hackerslab bug_paper ] Linux dump buffer overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID: <XFMail.20000302065007.venglin@freebsd.lublin.pl>
Date: Thu, 2 Mar 2000 06:50:07 +0100
From: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
Organization: Lublin BSD Users Group (www.freebsd.lublin.pl)
To: Derek Callaway <super@UDEL.EDU>
Cc: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.10003010957570.3511-100000@pager.ce.net>

On 01-Mar-2000 Derek Callaway wrote:
> (gdb) #0  getenv (name=0x40111a70 "") at ../sysdeps/generic/getenv.c:88
> From this gdb session, it appears that there _could_ be a problem with
> the way that glibc's time functions behave.

No. getenv() fails because *envp, argc and **argv are AFTER the pathname[]
buffer and get overwritten. Of course, it is still exploitable.

--
* Fido: 2:480/124 ** WWW: http://www.freebsd.lublin.pl ** NIC-HDL: PMF9-RIPE *
* Inet: venglin@freebsd.lublin.pl ** PGP: D48684904685DF43 EA93AFA13BE170BF *
(4857616) ------------------------------------------(rewrapped)

4857705 2000-03-02 21:13 /105 lines/ Postmaster
Recipient: Bugtraq (import) <10088>
Subject: Re: [ Hackerslab bug_paper ] Linux dump buffer overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID: <01d501bf8462$cca09280$199215a5@eugenteo>
Date: Fri, 3 Mar 2000 00:16:45 +0800
From: Eugene Teo <eugeneteo@EUGENETEO.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

A server running Redhat 6.1 doesn't seem to be vulnerable to this. Like
NetBSD, it just returns a filename too long error. Anyhow, I removed the
suid bit from dump.

--
Eugene Teo - http://www.eugeneteo.net - http://linux.com.sg
Email: eugeneteo@eugeneteo.net, eugeneteo@linux.com.sg

----- Original Message -----
From: Kim Yong-jun (class of '99) <s96192@CE.HANNAM.AC.KR>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Monday, February 28, 2000 2:17 PM
Subject: [ Hackerslab bug_paper ] Linux dump buffer overflow

> [ Hackerslab bug_paper ] Linux dump buffer overflow
>
>
> File   : /sbin/dump
>
> SYSTEM : Linux
>
>
> INFO :
>
>
> The problem occurs when it gets the argument.
> It accepts the argument without checking its length, and this causes the problem.
>
> It seems that this vulnerability also applies to RedHat Linux 6.2beta,
> the latest version.
>
>
> [loveyou@loveyou SOURCES]$ dump -f a `perl -e 'print "x" x 556'`
>   DUMP: Date of this level 0 dump: Mon Feb 28 14:45:01 2000
>   DUMP: Date of last level dump: the epoch
>   DUMP: Dumping xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx to a
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: File name too long while opening filesystem
>   DUMP: SIGSEGV: ABORTING!
> Segmentation fault
>
> [loveyou@loveyou SOURCES]$ dump -f a `perl -e 'print "loveyou" x 556'`
>   DUMP: SIGSEGV: ABORTING!
> Segmentation fault                  <= occurs in ctime4()
>
>
> How to fix
> ----------
>
> patch :
>
> [root@loveyou SOURCES]# diff -ru dump-0.4b13/dump/main_orig.c dump-0.4b13/dump/main.c
> --- dump-0.4b13/dump/main_orig.c	Mon Feb 28 14:40:01 2000
> +++ dump-0.4b13/dump/main.c	Mon Feb 28 14:40:57 2000
> @@ -273,6 +273,9 @@
>  			exit(X_STARTUP);
>  		}
>  		disk = *argv++;
> +		if ( strlen(disk) > 255 )
> +			exit(X_STARTUP);
> +
>  		argc--;
>  		if (argc >= 1) {
>  			(void)fprintf(stderr, "Unknown arguments to dump:");
>
>
>
> hot fix :
> 	it is recommended that the suid bit is
> 	removed from dump using the command :
>
> 	chmod a-s /sbin/dump
>
>
>
>
> - Yong-jun, Kim -
> e-mail   : loveyou@hackerslab.org  s96192@ce.hannam.ac.kr
> homepage : http://www.hackerslab.org  http://ce.hannam.ac.kr/~s96192
(4857705) ------------------------------------------

4861201 2000-03-03 21:09 /44 lines/ Postmaster
Recipient: Bugtraq (import) <10101>
Subject: Re: [ Hackerslab bug_paper ] Linux dump buffer overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.10.10003021534400.5417-100000@pager.ce.net>
Date: Thu, 2 Mar 2000 15:48:05 -0500
From: Derek Callaway <super@UDEL.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <01d501bf8462$cca09280$199215a5@eugenteo>

On Fri, 3 Mar 2000, Eugene Teo wrote:

> server running Redhat 6.1 doesn't seem to be vulnerable to this. Like

Not true -- RedHat is vulnerable. The example given by KimYongJun shows an
overflow with only 556 characters. 556 bytes doesn't seem to overflow the
RedHat version of dump; it only produces a filename too long error, as you
stated. This causes a Segmentation fault on my RedHat 6.1 machine:

[super@white super]$ rpm -qf /sbin/dump
dump-0.4b4-11
[super@white super]$ /sbin/dump -0 `perl -e 'print "a"x1024;'`
  DUMP: SIGSEGV: ABORTING!
Segmentation fault

According to http://rpmfind.net/linux/RPM/redhat/6.1/i386/dump-0.4b4-11.i386.html,
dump-0.4b4-11 is the version of dump that is distributed with RedHat 6.1.

I believe this overflow is rather difficult to exploit (although not
impossible) as a result of a setuid(getuid()) before the offending code and
the signal handler for SIGSEGV.

<snip>

--
/* Derek Callaway <super@udel.edu>      char *sites[]={"http://www.geekwise.com",
   Programmer; CE Net, Inc.             "http://www.freezersearch.com/index.cfm?aff=dhc",
   (302) 837-8769                       "http://www.homeworkhelp.org",0};   S@IRC */
(4861201) ------------------------------------------(rewrapped)

4870095 2000-03-07 07:34 /61 lines/ Postmaster
Recipient: Bugtraq (import) <10111>
Subject: Re: [ Hackerslab bug_paper ] Linux dump buffer overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID: <20000304185543.1010.qmail@securityfocus.com>
Date: Sat, 4 Mar 2000 18:55:43 -0000
From: Ronald Huizer <ronald@GRAFIX.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <XFMail.20000302065007.venglin@freebsd.lublin.pl>

> No. getenv() fails because *envp, argc, **argv are AFTER pathname[]
> buffer and gets overwritten.
> Of course, it is still exploitable.

It doesn't quite look that way to me. The overflow takes place after the
setuid(getuid()) call has been made, which renders execution of shellcode
useless to us.

The first overflow that is encountered in this way is NOT the
strcpy(pathname, disk) but the realpath() function, which expects pathname
to be of size MAXPATHLEN instead of a mere 255 bytes. After this the buffer
is overflowed again by the strcpy() call.

After patching pathname to be of MAXPATHLEN size the buffer still gets
overflowed by the strcpy() function, which should be made a strncpy() to
function properly.

Full patch included (not a workaround that just chokes in a \0 at the end
of char *disk).

--- main.c.old	Fri Jan 21 11:17:41 2000
+++ main.c	Sat Mar  4 19:42:13 2000
@@ -119,7 +119,7 @@
 #ifdef	__linux__
 	errcode_t retval;
 	char directory[NAME_MAX];
-	char pathname[NAME_MAX];
+	char pathname[MAXPATHLEN];
 #endif
 	time_t tnow;
 	char labelstr[LBLSIZE];
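Review bot: `pathname` grows to MAXPATHLEN here, but `char directory[NAME_MAX];` on the line above keeps its old size, and the second hunk hands both to `fstabsearchdir(pathname, directory)`; either confirm that everything written into `directory` is bounded by NAME_MAX or size the two buffers consistently, otherwise the same class of overflow survives one call further down. A one-line comment stating why MAXPATHLEN is the right size (realpath(3) may write up to PATH_MAX bytes regardless of the argument's length) would save the next reader from shrinking it again.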
@@ -363,7 +363,7 @@
 #ifdef HAVE_REALPATH
 	if (realpath(disk, pathname) == NULL)
 #endif
-		strcpy(pathname, disk);
+		strncpy(pathname, disk, MAXPATHLEN);
 	dt = fstabsearchdir(pathname, directory);
 	if (dt != NULL) {
 		char name[MAXPATHLEN];

Cheers,
Ronald Huizer - ronald@grafix.nl
(4870095) ------------------------------------------

4870112 2000-03-07 07:45 /103 lines/ Postmaster
Recipient: Bugtraq (import) <10113>
Subject: (fwd) Dump/restore 0.4b15 released
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID: <200003042213.RAA18339@pager.ce.net>
Date: Sat, 4 Mar 2000 17:13:14 -0500
From: Derek Callaway <super@PAGER.CE.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

-- forwarded message --
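Review bot: `strncpy(pathname, disk, MAXPATHLEN)` with a count equal to the buffer size leaves `pathname` without a terminating NUL whenever `disk` is MAXPATHLEN bytes or longer, so the following `fstabsearchdir(pathname, directory)` reads past the end of the buffer. Either pass `MAXPATHLEN - 1` and set `pathname[MAXPATHLEN - 1] = '\0'` afterwards, or, better, reject the argument with a message when `strlen(disk) >= MAXPATHLEN`: a silently truncated path can name a different filesystem than the one the operator asked to dump.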
From: Stelian Pop <pop@cybercable.fr>
Newsgroups: comp.os.linux.announce
Subject: Dump/restore 0.4b15 released
Followup-To: comp.os.linux.misc
Date: Sat, 4 Mar 2000 12:38:20 GMT
Approved: linux-announce@news.ornl.gov (Mikko Rauhala)
Message-ID: <pycola.952173500.20135@revelation.bak.helsinki.fi>
Old-Date: Thu, 02 Mar 2000 14:13:19 +0100

-----BEGIN PGP SIGNED MESSAGE-----

A new maintenance release of the dump/restore ext2fs backup utilities has
been released. This release fixes some bugs and adds a useful option to
dump. For details, read the ChangeLog below.

Dump/restore is available for download/bug reporting at:
	http://dump.sourceforge.net

Regards,
Stelian.

Changes between versions 0.4b14 and 0.4b15 (released March 2, 2000)
===================================================================
1.	Added a prompt command in interactive restore mode. Thanks to
	Andreas Dilger <adilger@home.com> for the patch.

2.	Fixed a buffer overflow problem in dump (caused by not checking
	the size of the filesystem parameter). Thanks to Kim Yong-jun
	<loveyou@hackerslab.org> for reporting this on Bugtraq (and to
	several dump users who forwarded me his mail).

3.	Added the '-F script' option to dump in order to launch a script
	at the end of each tape (to be used with a tape changer, or to
	notify the sysadmin by pager etc.).

4.	Fixed a bug in restore compare code caused by the changes I made
	in 0.4b14.

5.
	Fixed the treatment of options using the old BSD syntax in both
	dump and restore.

- --
Stelian Pop <pop@cybercable.fr>

- --
This article has been digitally signed by the moderator, using PGP.
http://www.iki.fi/mjr/cola-public-key.asc has PGP key for validating signature.
Send submissions for comp.os.linux.announce to: linux-announce@news.ornl.gov
PLEASE remember a short description of the software and the LOCATION.
This group is archived at http://www.iki.fi/mjr/linux/cola.html

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: latin1

iQCVAgUBOMEDvFrUI/eHXJZ5AQG5pwP5AWspKxiaAE+yxtCQc0btIAAMAI6/Xgxg
y4A7LhlHVzDbCfyaQAQZBEyoc59KhNEj1nR9tyTBI4AMOjlf3lH00Zbrujnf/Aid
Oh3UDmMabrwwx7mEQ1GsQ7AttXY+pwtyJJAhyTlr9NzAjS+lzsc+HAA6wKXttkj+
xKbotaLOXks=
=6tgS
-----END PGP SIGNATURE-----
-- end of forwarded message --

--
/* Derek Callaway <super@udel.edu> : Programmer; CE Net, Inc. -- S@IRC */
char *sites[]={"http://www.freezersearch.com/index.cfm?aff=dhc",
"http://www.geekwise.com","http://www.homeworkhelp.org",0};
(4870112) ------------------------------------------(rewrapped)

4870147 2000-03-07 08:21 /30 lines/ Postmaster
Recipient: Bugtraq (import) <10117>
Subject: Re: [ Hackerslab bug_paper ] Linux dump buffer overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID: <XFMail.20000304000835.venglin@freebsd.lublin.pl>
Date: Sat, 4 Mar 2000 00:08:35 +0100
From: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
Organization: Lublin BSD Users Group (www.freebsd.lublin.pl)
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.10003021534400.5417-100000@pager.ce.net>

On 02-Mar-2000 Derek Callaway wrote:
> I believe this overflow is rather difficult to exploit, (although, not
> impossible) as a result of a setuid(getuid()) before the offending code

It does setuid(), but NOT setgid(). Still vulnerable. The major problem is
how to pass a valid **envp to the stack and let getenv() successfully
return. Probably possible by giving a pointer to some valid environment in
shared libs.

--
* Fido: 2:480/124 ** WWW: http://www.freebsd.lublin.pl ** NIC-HDL: PMF9-RIPE *
* Inet: venglin@freebsd.lublin.pl ** PGP: D48684904685DF43 EA93AFA13BE170BF *
(4870147) ------------------------------------------(rewrapped)

4870432 2000-03-07 09:14 /42 lines/ Postmaster
Recipient: Bugtraq (import) <10122>
Subject: Re: [ Hackerslab bug_paper ] Linux dump buffer overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID: <20000303195341.10243.qmail@fiver.freemessage.com>
Date: Fri, 3 Mar 2000 19:53:41 -0000
From: Lamagra Argamal <lamagra@HACKERMAIL.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

I checked RedHat 5.2's dump (dump-0.3) and it doesn't seem vulnerable in an
exploitable way. There's a minor heap overflow though:

snipped from optr.c

msg(const char *fmt, ...)
{
	.......
	va_start(ap, fmt);
#else
	va_start(ap);
#endif
	(void) vfprintf(stderr, fmt, ap);
	(void) fflush(stdout);
	(void) fflush(stderr);
	(void) vsprintf(lastmsg, fmt, ap);
	va_end(ap);
	......
}

lastmsg is a global variable, size = 100

-lamagra
http://lamagra.seKure.de
http://www.b0f.com
(4870432) ------------------------------------------(rewrapped)

4910329 2000-03-17 01:53 /140 lines/ The Mail Carrier (which is implemented in) Python
Recipient: Bugtraq (import) <10247>
Subject: [TL-Security-Announce] dump-0.4b11-1 and earlier TLSA200007-1
------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
                     TurboLinux Security Announcement

        Package: dump-0.4b11-1 and earlier
        Date: Wed Mar 15 12:03:18 PST 2000

        Affected TurboLinux versions: 6.0.2 and earlier
        Vulnerability Type: local buffer overrun
        TurboLinux Advisory ID#: TLSA200007-1
        BugTraq ID#: 1020

        Credits: This vulnerability was posted to the Bugtraq mailing list
        by KimYongJun <s96192@ce.hannam.ac.kr> on February 28, 2000.
______________________________________________________________________________

A security hole was discovered in the package mentioned above.
Please update the package in your installation as soon as possible or
disable the service.
_____________________________________________________________________________

1. Problem Summary

The dump utility is setuid and setgid root. Previous versions of dump did
not correctly drop the effective gid settings.
When passed an oversized argument to the "-f a" parameters, it will overrun
the stack. If this argument is crafted properly, it may be possible to
replace the instruction pointer or return address on the stack and execute
arbitrary code with the permissions of the process (gid of root).

2. Impact

An attacker could use this overrun to execute code with the gid of root,
leading to further system compromise.

3. Solution

Update the package from our ftp server by running the following command:

rpm -Fv ftp_path_to_filename

Where ftp_path_to_filename is the following:

ftp://ftp.turbolinux.com/pub/updates/6.0/security/dump-0.4b16-1.i386.rpm

The source rpm can be downloaded here:

ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/dump-0.4b16-1.src.rpm

**Note: You must rebuild and install the rpm if you choose to download and
install the srpm. Simply installing the srpm alone WILL NOT CLOSE THE
SECURITY HOLE.

Please verify the md5 checksum of the update before you install:

MD5 sum                          Package Name
- ------------------------------------------------------------
0a3777c176c1580fe44f03acfdc70f59 dump-0.4b16-1.i386.rpm
64f95b579e6a813f2f207f1817d8c5e8 dump-0.4b16-1.src.rpm
______________________________________________________________________________

You can find more updates on our ftp server:

ftp://ftp.turbolinux.com/pub/updates/6.0/security/ for TL6.0 Workstation and Server security updates
ftp://ftp.turbolinux.com/pub/updates/4.0/security/ for TL4.0 Workstation and Server security updates

Our webpage for security announcements:

http://www.turbolinux.com/security

If you want to report vulnerabilities, please contact:

rt-security@turbolinux.com
______________________________________________________________________________

Subscribe to the TurboLinux Security Mailing lists:

TL-security - A moderated list for discussing security issues in
TurboLinux products.
Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security

TL-security-announce - An announce-only mailing list for security updates
and alerts.
Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security-announce
______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4z/tz7eR7bnHQKeQRAvkMAJ4lunOR1BWAoide8YOg0wK6lr/jNwCcDdFa
PQMUyJkVeMoY2mL77AcHWuQ=
=DKA0
-----END PGP SIGNATURE-----

_______________________________________________
TL-Security-Announce mailing list
TL-Security-Announce@www.turbolinux.com
http://www.turbolinux.com/mailman/listinfo/tl-security-announce
(4910329) ------------------------------------------(rewrapped)
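The thread above touches four separate defects in dump: the filesystem argument copied into `pathname[NAME_MAX]` without a bound (Kim Yong-jun's crash, with argv and envp overwritten as Frasunek explains and realpath() involved as Huizer notes), the `strncpy(pathname, disk, MAXPATHLEN)` in Huizer's fix that leaves no terminator when the argument fills the buffer, the `setuid(getuid())` without `setgid()` that Frasunek and the TurboLinux advisory describe, and the `vsprintf()` into a 100-byte `lastmsg` that Lamagra found in optr.c. The C program below is an added example written for this page; it is not code from dump or from any of the posters. The function names (`copy_strncpy`, `copy_checked`, `resolve_disk_arg`, `drop_privileges`, `format_lastmsg`) are this example's own, and the 5000-byte input is constructed here to stand in for the `perl -e 'print "A"x5000'` argument used in the thread.

```c
/* Added example for the dump thread; not code from dump or any poster.
 * Each defect discussed in the thread sits beside a bounded version:
 *   - the filesystem argument copied into pathname[NAME_MAX] unchecked,
 *   - the strncpy(pathname, disk, MAXPATHLEN) fix that can leave no NUL,
 *   - setuid(getuid()) without setgid(),
 *   - vsprintf() into the 100-byte lastmsg in msg().
 * Function names and the 5000-byte input are this example's own. */
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum copy_result { COPY_OK = 0, COPY_TOO_LONG = 1, COPY_UNTERMINATED = 2 };

/* The posted fix's shape: n == sizeof(dst).  strncpy() writes a NUL only
 * when strlen(src) < n, so an argument of n or more bytes leaves dst
 * unterminated and the next strlen() or fstab lookup reads past it. */
enum copy_result copy_strncpy(char *dst, size_t dstsz, const char *src)
{
    strncpy(dst, src, dstsz);
    return memchr(dst, '\0', dstsz) ? COPY_OK : COPY_UNTERMINATED;
}

/* Check first, then copy; report instead of truncating, since a truncated
 * path can name a different filesystem than the one asked for. */
enum copy_result copy_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz)
        return COPY_TOO_LONG;
    memcpy(dst, src, n + 1);
    return COPY_OK;
}

/* dump's sequence (realpath(), else raw copy) with correct bounds.
 * realpath() may write up to PATH_MAX bytes whatever the argument's length,
 * so the destination must be at least PATH_MAX.  0 on success, -1 if the
 * argument cannot be held. */
int resolve_disk_arg(const char *disk, char *pathname, size_t sz)
{
    if (sz < PATH_MAX)
        return -1;
    if (realpath(disk, pathname) != NULL)
        return 0;                          /* realpath() NUL-terminates */
    return copy_checked(pathname, sz, disk) == COPY_OK ? 0 : -1;
}

/* Drop group before user: once setuid() has shed root, the process may no
 * longer be allowed to change its group.  Verify the result instead of
 * trusting the calls.  0 when the effective ids equal the real ids. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return (getegid() == gid && geteuid() == uid) ? 0 : -1;
}

/* Bounded replacement for the vsprintf(lastmsg, fmt, ap) in msg().
 * 1 if the whole message fit, 0 if it was truncated. */
int format_lastmsg(char *buf, size_t sz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, sz, fmt, ap);
    va_end(ap);
    return n >= 0 && (size_t)n < sz;
}

int main(void)
{
    static char big[5000];                 /* constructed: perl -e 'print "A"x5000' */
    memset(big, 'A', sizeof big - 1);

    char small[NAME_MAX];                  /* what dump's pathname[] had room for */
    printf("strncpy fix, 5000-byte arg : %s\n",
           copy_strncpy(small, sizeof small, big) == COPY_UNTERMINATED
               ? "buffer left unterminated" : "ok");
    printf("checked copy, 5000-byte arg: %s\n",
           copy_checked(small, sizeof small, big) == COPY_TOO_LONG ? "rejected" : "ok");

    char resolved[PATH_MAX];
    printf("resolve \"/\"         : %d -> %s\n",
           resolve_disk_arg("/", resolved, sizeof resolved), resolved);
    printf("resolve 5000 x 'A'   : %d\n", resolve_disk_arg(big, resolved, sizeof resolved));

    char lastmsg[100];
    printf("lastmsg, short       : %d\n",
           format_lastmsg(lastmsg, sizeof lastmsg, "DUMP: Dumping %s to %s", "/dev/hda1", "a"));
    printf("lastmsg, 5000 bytes  : %d (kept %zu bytes)\n",
           format_lastmsg(lastmsg, sizeof lastmsg, "%s", big), strlen(lastmsg));

    printf("drop_privileges      : %d\n", drop_privileges());
    return 0;
}
```

Build with `cc -Wall -o dumpfix dumpfix.c` (the file name is arbitrary) and run it as an ordinary user. A 5000-byte relative path makes realpath() fail with ENAMETOOLONG, whose strerror text is the "File name too long" that appears in Kim Yong-jun's output just before dump crashes; with the bounds above the same input is simply refused. Note that the order in `drop_privileges()` matters for a setuid-and-setgid binary: calling `setuid()` first, as dump did, is what leaves the effective gid in place.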