Message-ID: <1143229115.17575.52.camel@cgianelloni.nuvox.net>
Date: Fri, 24 Mar 2006 14:38:35 -0500
From: Chris Gianelloni <wolf31o2@...rter.net>
To: bugtraq@...urityfocus.com
Subject: Re: [ GLSA 200603-23 ] NetHack, Slash'EM, Falcon's Eye: Local
	privilege escalation


On Fri, 2006-03-24 at 03:26 -0800, neeko@...lingsinister.net wrote:
> Doesn't the included text from the advisory really make it sound more like a 
> problem with their system for managing games?  It doesn't point out any flaw 
> in nethack in general, just behavior that's unexpected/unwanted/uncontrollable
> in their system.

It isn't a vulnerability in nethack, per se.

The problem is that we do not have games running as setgid games.
Because of this, we use the games group to control access to who can run
games, such as nethack.  The problem stems from the ability of a user in
the games group to modify the scores file.  When the file is read, it
isn't validated properly, allowing for code to be executed by anyone
running nethack.

> Are any other distributions/platforms vulnerable to a problem in nethack like
> this?  Sounds like it'd be big news, considering the install base of these
> games.

I honestly do not know what policy other distributions follow, so I
cannot answer this.

> If this problem is on their end, are other games/applications able to trigger
> it?

So far we have not found any other games that allow code execution.  The
most that is "vulnerable" is people's ability to change their own score.

> They've essentially wiped these fundamental applications (sorry) off their
> tree for the time being, that's pretty severe.

No.  They have been masked to allow the user to decide for themselves if
they wish to take the risk of having the game installed.  On a system
where there is only a single user, or one where only trusted users are
in the games group, there is no issue.

> Does anyone have any insight into this?  I'm a big nethack fan..

Well, I'm one of the members of Gentoo's games team, so I'm a pretty
good resource on this.

(Posting from my home address since my Gentoo one isn't registered with
the list)

-- 
Chris Gianelloni
Release Engineering - Strategic Lead
x86 Architecture Team
Games - Developer
Gentoo Linux
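
An audit sketch for the condition described in the message above, added here as an example and not part of the original post or of Gentoo's tooling: it lists files and directories that a given group can write, plus the accounts holding that group. The group name `games` comes from the message; the directory layout and the file names `record`, `logfile` and `save` are a constructed sample tree.

```python
import grp
import os
import pwd
import stat
import tempfile


def group_writable_paths(root, gid):
    """List (path, kind) under root that are owned by group gid and group-writable."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if st.st_gid != gid or not st.st_mode & stat.S_IWGRP:
                continue
            if stat.S_ISDIR(st.st_mode):
                findings.append((path, "dir"))   # members can add or replace entries
            elif stat.S_ISREG(st.st_mode):
                findings.append((path, "file"))  # members can edit the contents
    return sorted(findings)


def group_members(name):
    """Accounts with the group as a supplementary or primary group."""
    g = grp.getgrnam(name)
    primary = {p.pw_name for p in pwd.getpwall() if p.pw_gid == g.gr_gid}
    return sorted(set(g.gr_mem) | primary)


def build_demo_tree():
    """Constructed sample tree standing in for a game's shared state directory."""
    root = tempfile.mkdtemp()
    for name, mode in (("record", 0o664), ("logfile", 0o644)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    save = os.path.join(root, "save")
    os.mkdir(save)
    os.chmod(save, 0o775)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for path, kind in group_writable_paths(root, os.stat(root).st_gid):
        print(kind, path)
    try:
        print("games members:", group_members("games"))
    except KeyError:
        print("no group named games on this host")
```

On a real host, pass `grp.getgrnam("games").gr_gid` and the game's state directory to `group_writable_paths`, then compare the output of `group_members("games")` against the accounts that are meant to be trusted.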

