
[linux-security] dump allows remote root exploit



Synopsis
========
dump contains a buffer overflow that can be exploited to gain root.

Problem Description
===================
The dump/restore programs under Linux contain a buffer overflow. If these
programs are installed setuid root (as they are under RedHat 6.x,
Mandrake, and probably others), this bug can be exploited to gain
root access. Even remote exploits are possible.

!! My machine currently receives several requests from the internet !!
!! every week trying to access dump.                                !!

Affected Systems
================
Every system that has dump and/or restore installed with the suid-root bit set.

RedHat 5.x, 6.x

Mandrake claims that it is not vulnerable although dump is suid-root because
the published exploit does not work. However, this may just mean that the
exploits they have tried did not work. Mandrake can still be vulnerable.
I strongly recommend removing the suid-root bit in this case as well. See
"Workaround" below.

Not Affected
============
RedHat 7.0

Workaround
==========
If you do not use dump/restore for backup purposes, you should remove the
package from your system: "rpm -e dump dump-static rmt". You can use tar
to back up your system.

If you want to continue using dump, you must remove the suid-root bit:

chmod 755 /sbin/dump /sbin/dump.static /sbin/restore /sbin/restore.static

Furthermore, you should restrict access to portmap with tcp_wrappers in
order to prevent remote access to dump/restore.
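
To confirm that the chmod above took effect, the following added example (not part of the original advisory) reports which of the four binaries named in the workaround still carry the setuid bit. The function names and the --check flag are hypothetical.

```shell
#!/bin/sh
# Added example: audit the dump/restore binaries for a leftover setuid bit.
# Paths are the four named in the workaround; everything else is illustrative.
DUMP_BINARIES="/sbin/dump /sbin/dump.static /sbin/restore /sbin/restore.static"

# has_setuid FILE: succeeds if FILE is a regular file with the setuid bit set.
has_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# list_setuid FILE...: print only the files that still have the setuid bit.
list_setuid() {
    for f in "$@"; do
        if has_setuid "$f"; then
            echo "$f"
        fi
    done
}

# audit FILE...: print one status line per file; return 1 if any is setuid.
audit() {
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "absent  $f"
        elif has_setuid "$f"; then
            # Numeric owner matters: setuid is only a root risk when uid is 0.
            owner_uid=$(ls -ln "$f" | awk '{print $3}')
            echo "SETUID  $f (owner uid $owner_uid)"
            rc=1
        else
            echo "ok      $f"
        fi
    done
    return $rc
}

# Run against the advisory's paths only when asked to: ./audit.sh --check
if [ "${1:-}" = "--check" ]; then
    audit $DUMP_BINARIES
    exit $?
fi
```

A non-zero exit status from --check means at least one binary still needs the chmod 755 shown above.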

Solution
========
RedHat 6.x:

rpm -Fvh dump-0.4b19-5.6x.i386.rpm dump-static-0.4b19-5.6x.i386.rpm rmt-0.4b19-5.6x.i386.rpm