Date:      Thu, 10 Oct 2002 00:23:43 -0700 (PDT)
From:      pavel stano <stanojr@iserver.sk>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   misc/43886: local exploitable overflow in rogue
Message-ID:  <200210100723.g9A7NhPs098780@www.freebsd.org>


>Number:         43886
>Category:       misc
>Synopsis:       local exploitable overflow in rogue
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 10 00:30:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     pavel stano
>Release:        4.6-RELEASE
>Organization:
none
>Environment:
>Description:
VULNERABLE APPLICATION: rogue in FreeBSD (tested on 4.6-RELEASE)

ABOUT APPLICATION: rogue is a fantasy game which is indirectly setgid games

IMPACT: low/medium

EXPLOITATION:
we can become egid=games; with this we can:
1. edit the score files in /var/games
2. use /var/games as a storage directory (typically when we are limited by quota)

SOLUTION:
1. disable the rogue game via /etc/dm.conf (mad rogueists will KILL YOU)
2. fix it in the source code

ABOUT BUG:
First, about dm (from the man page):
Dm is a program used to regulate game playing. Dm expects to be invoked with the name of a game that a user wishes to play. This is done by creating symbolic links to dm, in the directory /usr/games for all of the regulated games. The actual binaries for these games should be placed in a ``hidden'' directory, /usr/games/hide, that may only be accessed by the dm program. Dm determines if the requested game is available and, if so, runs it. The file /etc/dm.conf controls the conditions under which games may be run.

/usr/games/dm is of course setgid games

Other games which don't need the games euid revoke privileges after start.
Games which need the games euid open the score file after start and then revoke privileges.
Rogue doesn't revoke privileges after start; it runs egid games.
The vulnerability is in restoring a saved game. There is a function read_string, called from the restore function in the save.c file,
which doesn't check the size of the variable. We can overwrite an address in the GOT (as in my attached exploit).

ATTACHMENTS: instant-rogue-exp.sh - instant exploit to get egid=games
the exploit is here: http://www.iserver.sk/~stanojr/instant-rogue-exp.sh

AUTHOR: stanojr@iserver.sk
PS: sorry, I know my English is very bad :]
>How-To-Repeat:

>Fix:
check the NetBSD sources, they fixed it
>Release-Note:
>Audit-Trail:
>Unformatted:

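Added example (editor's note, not code from the report or from rogue's save.c): a minimal save-file string reader in the shape the report describes, a length-prefixed record copied into a fixed-size buffer with no check of the stored length, next to a bounded version of the same reader. The record layout (2-byte little-endian length, then the bytes), the 16-byte buffer, and the 4-byte "slot" placed right after it as a stand-in for the GOT entry the report says is reachable are all assumptions made for illustration; the hostile record is constructed inline. Keeping the buffer and the slot inside one array lets the overrun be observed without undefined behaviour.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16            /* size of the fixed destination buffer (assumed) */
#define SLOT_OFF NAME_MAX      /* the 4 bytes after it: stand-in for a GOT slot */
#define MEM_SIZE (NAME_MAX + 4)
#define SENTINEL 0x11111111u   /* "original" slot contents */

/* Assumed record layout: 2-byte little-endian length, then that many bytes.
 * Returns bytes copied, or -1 if the record is truncated. As in the reader
 * the report describes, the stored length is never compared against the
 * destination size, so a hostile save file decides how far the copy runs. */
static int read_string_vuln(const unsigned char *rec, size_t reclen,
                            unsigned char *dst)
{
    if (reclen < 2)
        return -1;
    size_t len = (size_t)rec[0] | ((size_t)rec[1] << 8);
    if (reclen - 2 < len)
        return -1;
    memcpy(dst, rec + 2, len);  /* overflow whenever len > buffer size */
    return (int)len;
}

/* Bounded version: the caller passes the destination size; a length that
 * leaves no room for the terminator is treated as a corrupt save file. */
static int read_string_safe(const unsigned char *rec, size_t reclen,
                            unsigned char *dst, size_t dstsize)
{
    if (reclen < 2)
        return -1;
    size_t len = (size_t)rec[0] | ((size_t)rec[1] << 8);
    if (reclen - 2 < len)
        return -1;
    if (dstsize == 0 || len >= dstsize)
        return -1;              /* reject instead of trusting the file */
    memcpy(dst, rec + 2, len);
    dst[len] = '\0';
    return (int)len;
}

/* Constructed hostile record: declares NAME_MAX + 4 bytes, filler for the
 * buffer, then the 4-byte value meant to land in the slot. */
static size_t make_hostile_record(unsigned char *out, uint32_t value)
{
    size_t len = NAME_MAX + 4;
    out[0] = (unsigned char)(len & 0xff);
    out[1] = (unsigned char)(len >> 8);
    memset(out + 2, 'A', NAME_MAX);
    memcpy(out + 2 + NAME_MAX, &value, 4);  /* host order, read back the same way */
    return 2 + len;
}

/* mem is one MEM_SIZE-byte object: the name buffer at offset 0 and the slot
 * right behind it, so the overrun stays inside the object and is observable. */
static uint32_t run_reader(uint32_t injected, int bounded, int *result)
{
    unsigned char mem[MEM_SIZE];
    unsigned char rec[2 + MEM_SIZE];
    uint32_t slot = SENTINEL;
    memset(mem, 0, sizeof mem);
    memcpy(mem + SLOT_OFF, &slot, sizeof slot);
    size_t n = make_hostile_record(rec, injected);
    *result = bounded ? read_string_safe(rec, n, mem, NAME_MAX)
                      : read_string_vuln(rec, n, mem);
    memcpy(&slot, mem + SLOT_OFF, sizeof slot);
    return slot;
}

/* Slot contents after the unchecked reader: the injected value. */
uint32_t slot_after_vuln_read(uint32_t injected)
{
    int r;
    return run_reader(injected, 0, &r);
}

/* Slot contents after the bounded reader: the sentinel, untouched. */
uint32_t slot_after_safe_read(uint32_t injected)
{
    int r;
    return run_reader(injected, 1, &r);
}

/* Return value of the bounded reader on the hostile record. */
int safe_read_result(uint32_t injected)
{
    int r;
    run_reader(injected, 1, &r);
    return r;
}

/* The bounded reader still accepts a well-formed record (constructed). */
int safe_read_valid_length(void)
{
    static const unsigned char rec[] = { 5, 0, 'r', 'o', 'g', 'u', 'e' };
    unsigned char name[NAME_MAX];
    return read_string_safe(rec, sizeof rec, name, sizeof name);
}

int main(void)
{
    printf("unchecked reader: slot = 0x%08" PRIx32 "\n", slot_after_vuln_read(0x41414141u));
    printf("bounded reader:   result %d, slot = 0x%08" PRIx32 "\n",
           safe_read_result(0x41414141u), slot_after_safe_read(0x41414141u));
    printf("bounded reader on a valid record: %d\n", safe_read_valid_length());
    return 0;
}
```

The fix is the one extra comparison in read_string_safe: the length read from the file is data under the attacker's control, so it has to be checked against the size of the buffer the caller actually owns, and a record that fails the check is a corrupt save to abort on, not something to copy anyway. In a real setgid game the same check belongs on every length-prefixed field the restore path reads.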