COMMAND

    dumpreg

SYSTEMS AFFECTED

    Linux RedHat 5.1

PROBLEM

    Zachary Amsden found the following.  The dumpreg utility  included
    with Red Hat 5.1 can cause kernel crashes.  The reason is that  it
    opens /dev/mem with O_RDWR access and blindly prints its output to
    fd 1.  If the program is started with fd 1 already closed, the open()
    of /dev/mem lands on fd 1 and the output is written into kernel memory
    instead of to the terminal.  This can be trivially exploited with a
    simple program run by any local user to corrupt kernel memory.  Results
    may vary, but a crash is pretty much inevitable given enough time.

    No  script  for  you  kiddies,  guess  you'll have to learn how to
    program.

SOLUTION

    A  quick  fix  would  be  to  remove setuid privs from the dumpreg
    program, as this is not needed for normal use.  It's worth  noting
    that the  fdalloc patch  for OpenBSD  that Theo  de Raadt  briefly
    mentioned addresses  this issue  by forcing  suid/sgid programs to
    have  open  files  (specifically  /dev/null)  on fd's 0..2 so that
    things like printf() and fprintf(stderr,...) don't cause the  sort
    of problem you're highlighting.  See:

        http://www.openbsd.org/security.html

    and click on "Jul 2, 1998: setuid and setgid processes should  not
    be executed with fd slots 0, 1, or 2 free. (patch included)."
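    The fd-slot defence described above, as an added example that is not
    code from this advisory or from the OpenBSD fdalloc patch: a startup
    check a setuid program can run itself, written for Linux/POSIX, with
    function names of my own choosing.

```c
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* Make sure descriptors 0, 1 and 2 are all open.  If the program was
 * exec'd with one of them shut, bind that slot to /dev/null so a later
 * open() of a sensitive file (e.g. /dev/mem) cannot land on it and then
 * be hit by printf() / fprintf(stderr, ...).  Returns 0 on success. */
int ensure_std_fds(void)
{
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1 || errno != EBADF)
            continue;                      /* slot already open */
        int nul = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nul < 0)
            return -1;
        if (nul != fd) {                   /* defensive: move it into place */
            if (dup2(nul, fd) < 0) { close(nul); return -1; }
            close(nul);
        }
    }
    return 0;
}

/* Demonstration: simulate being exec'd with fd 1 closed, optionally run
 * the fix, then perform a stand-in for the privileged open() and report
 * which fd it landed on.  Without the fix the open() takes slot 1 (or 0);
 * with the fix it lands on fd 3 or higher.  The real stdout is saved and
 * restored so the caller's output is unaffected.  Returns -1 on error. */
int demo_open_after_close(int apply_fix)
{
    int saved = dup(1);
    if (saved < 0)
        return -1;
    close(1);                              /* hostile parent shut fd 1 */
    if (apply_fix && ensure_std_fds() != 0) {
        dup2(saved, 1); close(saved);
        return -1;
    }
    int fd = open("/dev/null", O_RDWR);   /* stand-in for open("/dev/mem") */
    if (fd >= 0)
        close(fd);
    dup2(saved, 1);                        /* restore the real stdout */
    close(saved);
    return fd;
}
```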