COMMAND

    dump

SYSTEMS AFFECTED

    Linux

PROBLEM

    [Hackerslab bug_paper]  reported a  buffer overflow  in the  Linux
    dump utility.   The problem  is in  the handling  of the  command-
    line argument naming the filesystem to dump:  dump copies it  into
    a fixed-size buffer without checking its length, so an  overlong
    argument overwrites adjacent memory.  The vulnerability also seems
    to apply to RedHat Linux 6.2beta, the latest version.

        [loveyou@loveyou SOURCES]$ dump  -f a `perl -e 'print "x" x 556'`
          DUMP: Date of this level 0 dump: Mon Feb 28 14:45:01 2000
          DUMP: Date of last level  dump: the epoch
          DUMP: Dumping xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx to a
        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: File name too long while opening filesystem
          DUMP: SIGSEGV: ABORTING!
        Segmentation fault

        [loveyou@loveyou SOURCES]$ dump  -f a `perl -e 'print "loveyou" x 556'`
          DUMP: SIGSEGV: ABORTING!
        Segmentation fault    <=  crash occurs in ctime4()

    The example given  by KimYongJun shows  an overflow with  only 556
    characters.  556 bytes doesn't seem to overflow the RedHat version
    of dump; it only produces a filename too long error as you stated.
    This causes a Segmentation fault on my RedHat 6.1 machine:

        [super@white super]$ rpm -qf /sbin/dump
        dump-0.4b4-11
        [super@white super]$ /sbin/dump -0 `perl -e 'print "a"x1024;'`
          DUMP: SIGSEGV: ABORTING!
        Segmentation fault

    This is confirmed on SuSE 6.2.   The magic number of bytes is 347.
    Dump is not suid/sgid, so this seems to be more of an  annoyance
    than a security issue for SuSE boxen (not sure of others).

    On FreeBSD, dump has the same hole, but only in older versions.
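
    The pattern  behind this  bug, as  an added  illustration that  is
    not dump's own source:  an argument copied into a fixed-size buffer
    with no length check,  beside a bounded version that rejects names
    that do not fit with ENAMETOOLONG, which matches the "File name too
    long" error the unaffected versions print.  The buffer size DISK_MAX,
    the struct and the function names are assumptions made for the
    example, not taken from dump.

```c
/* Added example: unchecked argument copy vs. bounded copy.
 * Illustrative only; this is not dump's source code, and
 * DISK_MAX is an assumed buffer size, not dump's real one. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define DISK_MAX 256   /* assumed size of the fixed name buffer */

struct dumpargs {
    char disk[DISK_MAX];   /* filesystem / device to dump */
    char file[DISK_MAX];   /* output file given with -f */
};

/* Vulnerable pattern: the argument is copied with no length check.
 * An argument of DISK_MAX bytes or more (the advisory uses 556 and
 * 1024) writes past the end of dst into whatever follows it. */
void set_name_unsafe(char *dst, const char *arg)
{
    strcpy(dst, arg);
}

/* Hardened pattern: refuse anything that does not fit together with
 * its terminating NUL. Returns 0 on success, -1 with errno set to
 * ENAMETOOLONG otherwise, the behaviour the fixed versions show. */
int set_name_safe(char *dst, size_t dstlen, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= dstlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, arg, n + 1);
    return 0;
}

/* Parse "[-f file] [-0] disk" the way the advisory's command lines
 * are written, using the bounded copy for both user-supplied strings.
 * Returns 0 on success, -1 if an argument is too long or missing. */
int parse_dump_args(struct dumpargs *a, int argc, char **argv)
{
    int i = 1;
    memset(a, 0, sizeof *a);
    while (i < argc && argv[i][0] == '-') {
        if (strcmp(argv[i], "-f") == 0 && i + 1 < argc) {
            if (set_name_safe(a->file, sizeof a->file, argv[i + 1]) < 0)
                return -1;
            i += 2;
        } else {
            i++;   /* options such as -0 take no argument here */
        }
    }
    if (i >= argc)
        return -1;   /* no filesystem argument at all */
    return set_name_safe(a->disk, sizeof a->disk, argv[i]);
}

/* Builds an argv equivalent to `dump -f a <n copies of c>` and
 * returns what parse_dump_args makes of it (0 accepted, -1 rejected). */
int try_disk_arg(size_t n, char c)
{
    static char big[2048];
    struct dumpargs a;
    char *argv[] = { "dump", "-f", "a", big, NULL };
    if (n >= sizeof big)
        n = sizeof big - 1;
    memset(big, c, n);
    big[n] = '\0';
    return parse_dump_args(&a, 4, argv);
}

int main(void)
{
    /* 556 'x's, as in the advisory: rejected instead of overflowing. */
    if (try_disk_arg(556, 'x') < 0)
        printf("  DUMP: %s while opening filesystem\n", strerror(errno));
    /* A name the length of "/dev/hda1" is accepted. */
    if (try_disk_arg(9, 'd') == 0)
        printf("  DUMP: short argument accepted\n");
    return 0;
}
```

    Compile with cc and run:  the 556-byte and 1024-byte arguments from
    the advisory are refused by the bounded version, whereas passing the
    same strings to set_name_unsafe with a DISK_MAX buffer is exactly the
    overwrite the advisory describes.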

SOLUTION

    Hot fix: it is recommended that the suid bit be removed from  dump
    using the command:

        chmod a-s /sbin/dump

    NetBSD-current, at  least, is  not vulnerable  to this.   It  just
    returns a filename too long error.   This is the same behavior  as
    all OpenBSD 2.6-Release boxes.   /sbin/dump is also not  SUID/SGID
    on these systems by default.

    This was fixed  on 1999/11/30 in  FreeBSD 4.0-CURRENT by  internal
    security  auditing  and  backported  to  3.3-STABLE on 1999/12/13.
    Therefore FreeBSD 3.4 (the most recent release) is not vulnerable.

    There is also a new version, 0.4b15, that fixes the issue.

    For Turbo Linux update the package from our ftp server by  running
    the following command:

        rpm -Fv ftp://ftp.turbolinux.com/pub/updates/6.0/security/dump-0.4b16-1.i386.rpm

    The source rpm can be downloaded here:

        ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/dump-0.4b16-1.src.rpm

    Note:  You  must  rebuild  and  install  the  rpm if you choose to
    download and install the srpm.   Simply installing the srpm  alone
    WILL NOT CLOSE THE SECURITY HOLE.