lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20031204205021.93693.qmail@web25107.mail.ukl.yahoo.com>
Date: Thu, 4 Dec 2003 20:50:21 +0000 (GMT)
From: Shaun Colley <shaunige@...oo.co.uk>
To: bugtraq@...urityfocus.com
Subject: Linux 4inarow game multiple vulnerabilities.


~*~*~*~*~*~*~*
Introduction
~*~*~*~*~*~*~*

4inarow is a small network compatible Linux 4-in-a-row
clone for two player.  There's a few bugs in the
client program which may allow an attacker to execute
commands or run arbitrary code via a buffer overflow. 
4inarow is not SUID or SGID 'games' by default, but
many administrators enable the SGID 'games' bit on any
games they install for convenience, as most other
games are SGID.


~*~*~*~*~*~*~*
Bugs
~*~*~*~*~*~*~*


1) Changing PATH variable to execute commands.

The 4inarow client program executes the 'clear'
command when it calls the function 'print_game()' upon
connection to the game server ('4rowserver').
Assuming that the 4inarow client program (called
'4inarow') is SGID 'games' (or any other group for
that matter), an attacker could change the PATH
environmental variable, resulting in execution of a
different program by the name of 'clear'.  If an
attacker changed the PATH environmental variable to a
path holding a script or binary by the file name of
'clear', arbitrary commands could be executed.


2) Executing arbitrary code via a buffer overflow in
the client program.

Assuming the 4inarow client program has been set to
SGID 'games' by the root user, privilege execution
could occur via a buffer overflow.  The client program
calls the 'sscanf()' library function to blindly copy
a potentially large string into a small character
array without bounds checking, allowing potentially
for an attacker to cause a buffer overflow, and thus
executing arbitrary code.  Here's a small PoC shell
script for the bug.

-----------START HERE----------
./4rowserver &
echo `perl -e 'print "a"x20000'` | ./4inarow localhost
; ./4inarow localhost
-----------START HERE----------

The shell script should produce a segmentation fault. 
In the core file, you can see that certain registers
are overwritten by 0x61, hex for a.


~*~*~*~*~*~*~*
Fix
~*~*~*~*~*~*~*

A workaround for this is to not set SGID games on the
game. :)

'chmod -S 4inarow' if the client is SGID.



Thank you for your time.
Shaun.



________________________________________________________________________
Download Yahoo! Messenger now for a chance to win Live At Knebworth DVDs
http://www.yahoo.co.uk/robbiewilliams


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ