From owner-freebsd-security@FreeBSD.ORG Sun Oct 16 04:40:30 2005
From: Stephen Major <smajor@gmail.com>
To: freebsd-security@freebsd.org
Date: Sat, 15 Oct 2005 21:39:27 -0700
Subject: GID Games Exploits
Message-ID: <4351d9bd.6245f154.4f04.ffffb6ef@mx.gmail.com>
List-Id: Security issues [members-only posting]

It has come to my attention that there are quite a few local exploits
circling around in the private sector for GID Games.

Several of the games have vanilla stack overflows in them which can lead to
elevation of privileges if successfully exploited.

From owner-freebsd-security@FreeBSD.ORG Sun Oct 16 04:47:13 2005
From: Kris Kennaway <kris@obsecurity.org>
To: Stephen Major
Cc: freebsd-security@freebsd.org
Date: Sun, 16 Oct 2005 00:47:12 -0400
Subject: Re: GID Games Exploits
Message-ID: <20051016044712.GA27867@xor.obsecurity.org>
In-Reply-To: <4351d9bd.6245f154.4f04.ffffb6ef@mx.gmail.com>

On Sat, Oct 15, 2005 at 09:39:27PM -0700, Stephen Major wrote:
> It has come to my attention that there are quite a few local exploits
> circling around in the private sector for GID Games.
>
> Several of the games have vanilla stack overflows in them which can lead to
> elevation of privileges if successfully exploited.

Big deal..that's why they're setgid games (which can only write to
game data files) and not setuid anything important :-)

Kris

From owner-freebsd-security@FreeBSD.ORG Sun Oct 16 08:15:26 2005
From: Mathieu Arnold <mat@mat.cc>
To: Kris Kennaway, Stephen Major
Cc: freebsd-security@freebsd.org
Date: Sun, 16 Oct 2005 10:15:23 +0200
Subject: Re: GID Games Exploits
Message-ID: <4FB7164D6E6041F49E3BEE97@cc-126-240.int.t-online.fr>
In-Reply-To: <20051016044712.GA27867@xor.obsecurity.org>

+-On 16/10/2005 00:47 -0400, Kris Kennaway wrote:
| On Sat, Oct 15, 2005 at 09:39:27PM -0700, Stephen Major wrote:
|> It has come to my attention that there are quite a few local exploits
|> circling around in the private sector for GID Games.
|>
|> Several of the games have vanilla stack overflows in them which can lead to
|> elevation of privileges if successfully exploited.
|
| Big deal..that's why they're setgid games (which can only write to
| game data files) and not setuid anything important :-)

It means that I can change my own score to something better, that's very
important :-)

--
Mathieu Arnold

From owner-freebsd-security@FreeBSD.ORG Sun Oct 16 08:22:15 2005
From: Stephen Major <smajor@gmail.com>
To: 'Mathieu Arnold', 'Kris Kennaway'
Cc: freebsd-security@freebsd.org
Date: Sun, 16 Oct 2005 01:21:13 -0700
Subject: RE: GID Games Exploits
Message-ID: <43520db6.74a03918.7133.ffffc4ec@mx.gmail.com>
In-Reply-To: <4FB7164D6E6041F49E3BEE97@cc-126-240.int.t-online.fr>

Heh, I was not familiar with it. I heard there were underground exploits;
I had no idea of the severity, so I posted it here to hear feedback. So as
long as there is nothing to worry about, cool.

-----Original Message-----
From: Mathieu Arnold [mailto:mat@mat.cc]
Sent: Sunday, October 16, 2005 1:15 AM
To: Kris Kennaway; Stephen Major
Cc: freebsd-security@freebsd.org
Subject: Re: GID Games Exploits

+-On 16/10/2005 00:47 -0400, Kris Kennaway wrote:
| On Sat, Oct 15, 2005 at 09:39:27PM -0700, Stephen Major wrote:
|> It has come to my attention that there are quite a few local exploits
|> circling around in the private sector for GID Games.
|>
|> Several of the games have vanilla stack overflows in them which can lead to
|> elevation of privileges if successfully exploited.
|
| Big deal..that's why they're setgid games (which can only write to
| game data files) and not setuid anything important :-)

It means that I can change my own score to something better, that's very
important :-)

--
Mathieu Arnold

From owner-freebsd-security@FreeBSD.ORG Sun Oct 16 08:53:23 2005
From: Jimmy Scott <jimmy@inet-solutions.be>
To: Mathieu Arnold
Cc: freebsd-security@freebsd.org, Stephen Major, Kris Kennaway
Date: Sun, 16 Oct 2005 10:53:19 +0200
Subject: Re: GID Games Exploits
Message-ID: <20051016085319.GA11795@ada.devbox.be>
In-Reply-To: <4FB7164D6E6041F49E3BEE97@cc-126-240.int.t-online.fr>

On Sun, Oct 16, 2005 at 10:15:23AM +0200, Mathieu Arnold wrote:
>
> +-On 16/10/2005 00:47 -0400, Kris Kennaway wrote:
> | On Sat, Oct 15, 2005 at 09:39:27PM -0700, Stephen Major wrote:
> |> It has come to my attention that there are quite a few local exploits
> |> circling around in the private sector for GID Games.
> |>
> |> Several of the games have vanilla stack overflows in them which can lead to
> |> elevation of privileges if successfully exploited.
> |
> | Big deal..that's why they're setgid games (which can only write to
> | game data files) and not setuid anything important :-)
>
> It means that I can change my own score to something better, that's very
> important :-)

No! It means you could access directory trees to which your own group
would not have access, for example on freeshell.org:

    [sdf] ~> ls -al /usr/pkg/bin/perl
    -rwx---r-x  2 root  users  22246 Aug  7 11:16 /usr/pkg/bin/perl

Groups are frequently used for negative permissions, because ACLs would
be overkill or not possible on the filesystem in question.

> --
> Mathieu Arnold

--
People usually get what's coming to them ... unless it's been mailed.

From owner-freebsd-security@FreeBSD.ORG Sun Oct 16 09:04:47 2005
From: Kris Kennaway <kris@obsecurity.org>
To: Jimmy Scott
Cc: freebsd-security@freebsd.org, Kris Kennaway, Mathieu Arnold, Stephen Major
Date: Sun, 16 Oct 2005 05:04:45 -0400
Subject: Re: GID Games Exploits
Message-ID: <20051016090445.GA7572@xor.obsecurity.org>
In-Reply-To: <20051016085319.GA11795@ada.devbox.be>

On Sun, Oct 16, 2005 at 10:53:19AM +0200, Jimmy Scott wrote:
> On Sun, Oct 16, 2005 at 10:15:23AM +0200, Mathieu Arnold wrote:
> >
> > +-On 16/10/2005 00:47 -0400, Kris Kennaway wrote:
> > | On Sat, Oct 15, 2005 at 09:39:27PM -0700, Stephen Major wrote:
> > |> It has come to my attention that there are quite a few local exploits
> > |> circling around in the private sector for GID Games.
> > |>
> > |> Several of the games have vanilla stack overflows in them which can lead to
> > |> elevation of privileges if successfully exploited.
> > |
> > | Big deal..that's why they're setgid games (which can only write to
> > | game data files) and not setuid anything important :-)
> >
> > It means that I can change my own score to something better, that's very
> > important :-)
>
> No! It means you could access directory trees to which your own group
> would not have access, for example on freeshell.org:
>
>     [sdf] ~> ls -al /usr/pkg/bin/perl
>     -rwx---r-x  2 root  users  22246 Aug  7 11:16 /usr/pkg/bin/perl
>
> Groups are frequently used for negative permissions, because ACLs would
> be overkill or not possible on the filesystem in question.

It's not overkill when the alternative is a security model that is too
fragile or limited to handle your needs. Unprivileged users/groups
like 'nobody' and 'games' are supposed to be unprivileged, not have
extra privileges that normal users don't get, which is the case in the
above misuse of groups.

The solution is not to give those entities extra privileges: either
use ACLs, or don't install games since they violate your intended
security policy.

Kris

From owner-freebsd-security@FreeBSD.ORG Sun Oct 16 09:06:51 2005
From: Colin Percival <cperciva@freebsd.org>
To: Stephen Major
Cc: freebsd-security@freebsd.org
Date: Sun, 16 Oct 2005 02:06:49 -0700
Subject: Re: GID Games Exploits
Message-ID: <43521829.80109@freebsd.org>
In-Reply-To: <4351d9bd.6245f154.4f04.ffffb6ef@mx.gmail.com>

Stephen Major wrote:
> It has come to my attention that there are quite a few local exploits
> circling around in the private sector for GID Games.
>
> Several of the games have vanilla stack overflows in them which can lead to
> elevation of privileges if successfully exploited.

As Kris commented, the games group doesn't normally have any significant
privileges, so we don't consider bugs of this sort to be major security
problems (it's not really an _elevation_ of privileges to become gid
games). On the other hand, these are certainly bugs which should get
fixed. If you have any details about these, please forward them to
secteam@freebsd.org so that we can investigate.

Colin Percival
FreeBSD Security Officer

From owner-freebsd-security@FreeBSD.ORG Sun Oct 16 09:58:37 2005
From: Jimmy Scott <jimmy@inet-solutions.be>
To: Kris Kennaway
Cc: freebsd-security@freebsd.org, Mathieu Arnold, Stephen Major
Date: Sun, 16 Oct 2005 11:58:34 +0200
Subject: Re: GID Games Exploits
Message-ID: <20051016095834.GA29631@ada.devbox.be>
In-Reply-To: <20051016090445.GA7572@xor.obsecurity.org>

On Sun, Oct 16, 2005 at 05:04:45AM -0400, Kris Kennaway wrote:
>
> On Sun, Oct 16, 2005 at 10:53:19AM +0200, Jimmy Scott wrote:
> > On Sun, Oct 16, 2005 at 10:15:23AM +0200, Mathieu Arnold wrote:
> > >
> > > +-On 16/10/2005 00:47 -0400, Kris Kennaway wrote:
> > > | On Sat, Oct 15, 2005 at 09:39:27PM -0700, Stephen Major wrote:
> > > |> It has come to my attention that there are quite a few local exploits
> > > |> circling around in the private sector for GID Games.
> > > |>
> > > |> Several of the games have vanilla stack overflows in them which can lead to
> > > |> elevation of privileges if successfully exploited.
> > > |
> > > | Big deal..that's why they're setgid games (which can only write to
> > > | game data files) and not setuid anything important :-)
> > >
> > > It means that I can change my own score to something better, that's very
> > > important :-)
> >
> > No! It means you could access directory trees to which your own group
> > would not have access, for example on freeshell.org:
> >
> >     [sdf] ~> ls -al /usr/pkg/bin/perl
> >     -rwx---r-x  2 root  users  22246 Aug  7 11:16 /usr/pkg/bin/perl
> >
> > Groups are frequently used for negative permissions, because ACLs would
> > be overkill or not possible on the filesystem in question.
>
> It's not overkill when the alternative is a security model that is too
> fragile or limited to handle your needs. Unprivileged users/groups
> like 'nobody' and 'games' are supposed to be unprivileged, not have
> extra privileges that normal users don't get, which is the case in the
> above misuse of groups.

I agree this is not a good practice at all, but it is used a lot in
environments where there are clients with no ACL support yet. Or you
don't want the extra ACL support for one directory (and are aware of
these risks, but people aren't; which is explained later). My point of
view is "you don't have ACLs available", which is still the default as
I remember.

> The solution is not to give those entities extra privileges: either
> use ACLs, or don't install games since they violate your intended
> security policy.

Your solution is correct, but it is not documented in the handbook or
the security(7) manpage as far as I can remember; correct me if I'm wrong.

> Kris

--
People usually get what's coming to them ... unless it's been mailed.
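The exchange between Jimmy Scott (group membership as a negative permission, the
`-rwx---r-x root users` perl binary) and Kris Kennaway (use ACLs that grant
rather than deny, or don't install games) turns on how the kernel picks which
permission class applies. The following is an added example, not code from the
thread or from FreeBSD: a small model of the classic Unix check, of what a
setgid exec does to a credential, and of a simplified POSIX.1e ACL evaluation.
All uids/gids are made up. It assumes the FreeBSD credential layout of the
time, where the effective gid sits in `groups[0]` and is replaced on a setgid
exec while the supplementary list is left alone; it also shows the opposite
case, where login has put the primary gid into the supplementary list and the
lockout therefore survives the exploit.

```python
"""Model of the permission checks discussed in the GID games thread.

Added example; not thread or FreeBSD code. Identities are constructed.
"""
from dataclasses import dataclass

R, W, X = 4, 2, 1

# Constructed identities (assumption: none of these numbers come from the thread).
ROOT, ALICE, BOB = 0, 1001, 1002
WHEEL, USERS, STAFF, GAMES = 0, 100, 20, 13


@dataclass(frozen=True)
class Cred:
    uid: int
    egid: int
    groups: frozenset  # supplementary groups only; egid is tracked separately


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o705


def in_group(cred, gid):
    return gid == cred.egid or gid in cred.groups


def classic_access(cred, inode, want):
    """Classic Unix check: exactly one class applies. A member of the file's
    group is judged by the group bits even when 'other' grants more, which is
    what lets group membership act as a negative permission."""
    if cred.uid == inode.uid:
        bits = (inode.mode >> 6) & 7
    elif in_group(cred, inode.gid):
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return bits & want == want


def setgid_exec(cred, file_gid):
    """Credential after exec of a setgid binary (what a gid-games exploit yields):
    the egid becomes the file's group; supplementary groups are inherited
    unchanged, since setgroups() needs privilege the exploit does not have."""
    return Cred(cred.uid, file_gid, cred.groups)


def acl_access(cred, inode, acl, want):
    """Simplified POSIX.1e evaluation: owner, then a named user entry, then every
    matching group entry (owning group or named groups; access if any grants it),
    then other. Named-user and group entries are limited by the mask, and once a
    group entry matches, 'other' is never consulted.
    acl = dict(user_obj, users={uid: perm}, group_obj, groups={gid: perm}, mask, other)
    """
    if cred.uid == inode.uid:
        return acl["user_obj"] & want == want
    if cred.uid in acl["users"]:
        return acl["users"][cred.uid] & acl["mask"] & want == want
    matched = [acl["group_obj"]] if in_group(cred, inode.gid) else []
    matched += [p for g, p in acl["groups"].items() if in_group(cred, g)]
    if matched:
        return any(p & acl["mask"] & want == want for p in matched)
    return acl["other"] & want == want


# Jimmy's example: root:users, -rwx---r-x. Members of 'users' are locked out,
# everyone else may run it.
PERL = Inode(uid=ROOT, gid=USERS, mode=0o705)


def negative_permission_bypass():
    """FreeBSD-style credential: 'users' is alice's egid and not in her
    supplementary list. Returns (can exec before, can exec after exploit)."""
    alice = Cred(ALICE, USERS, frozenset())
    return classic_access(alice, PERL, X), classic_access(setgid_exec(alice, GAMES), PERL, X)


def bypass_with_primary_in_supplementary():
    """Same user on a system whose login also puts the primary gid into the
    supplementary list: 'users' survives the setgid exec, so the lockout holds."""
    alice = Cred(ALICE, USERS, frozenset({USERS}))
    return classic_access(alice, PERL, X), classic_access(setgid_exec(alice, GAMES), PERL, X)


# Kris's alternative: name who MAY run it and give 'other' nothing. Becoming
# gid games then matches no entry at all.
PERL_POSITIVE = Inode(uid=ROOT, gid=WHEEL, mode=0o750)
PERL_ACL = dict(user_obj=R | W | X, users={}, group_obj=R | X,  # owning group wheel
                groups={STAFF: R | X}, mask=R | X, other=0)


def positive_policy():
    """Returns (staff member, plain user, same plain user after a gid-games exploit)."""
    bob = Cred(BOB, STAFF, frozenset())
    alice = Cred(ALICE, USERS, frozenset())
    return (acl_access(bob, PERL_POSITIVE, PERL_ACL, X),
            acl_access(alice, PERL_POSITIVE, PERL_ACL, X),
            acl_access(setgid_exec(alice, GAMES), PERL_POSITIVE, PERL_ACL, X))


if __name__ == "__main__":
    print("negative permission, FreeBSD-style cred  :", negative_permission_bypass())
    print("negative permission, primary gid in supp :", bypass_with_primary_in_supplementary())
    print("positive ACL (staff, alice, alice-as-games):", positive_policy())
```

The first function reproduces Jimmy's point: alice is refused by the group
class, and the same alice with egid games falls through to the other class and
is allowed. The second shows the check a practitioner should make before
assuming the bypass works on a given system: if the primary gid is also carried
as a supplementary group, the setgid exec changes nothing. The third is Kris's
fix expressed as a grant-only ACL, where an unexpected gid simply matches
nothing.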
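Jimmy's last message says the negative-group idiom is used a lot where ACLs are
unavailable, and Kris's answer is that games should not be installed on a host
whose policy depends on it. Before deciding either way an administrator wants
to know where the idiom is actually in use. The script below is an added
example, not from the thread: one walk that flags set-id executables and files
whose group class is more restrictive than their other class (the pattern a
gid change steps around). The sample tree is constructed; the file names are
illustrative and nothing is taken from freeshell.org or FreeBSD.

```python
"""Audit for set-id executables and 'negative group permission' files.

Added example; not thread or FreeBSD code. The demo tree is constructed.
"""
import os
import stat
import tempfile


def classify(mode):
    """Findings for one st_mode value (a pure function so it can be tested on raw modes).
    Setgid directories are skipped: there the bit means group inheritance, not privilege."""
    findings = set()
    if mode & stat.S_ISUID:
        findings.add("setuid")
    if mode & stat.S_ISGID and not stat.S_ISDIR(mode):
        findings.add("setgid")
    grp, oth = (mode >> 3) & 7, mode & 7
    # Any right that 'other' holds and 'group' lacks means the group is being denied.
    if oth & ~grp & 7:
        findings.add("negative-group-permission")
    return findings


def audit(root):
    """Walk root without following symlinks; return {path: findings} for entries
    with at least one finding. Roughly what 'find / -perm -2000 -type f' gives,
    plus the negative-permission check that find cannot express directly."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue
            found = classify(st.st_mode)
            if found:
                report[path] = found
    return report


def build_sample_tree():
    """Constructed demo tree: one file shaped like Jimmy's perl (mode 0705) and one
    ordinary 0755 file. No set-id bits are set on disk because an unprivileged user
    cannot reliably keep them on a file outside his groups; classify() covers them
    on raw mode values instead. Returns (root, locked_path, plain_path)."""
    root = tempfile.mkdtemp(prefix="gidaudit-")
    locked = os.path.join(root, "perl")
    plain = os.path.join(root, "sh")
    for path in (locked, plain):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(locked, 0o705)
    os.chmod(plain, 0o755)
    return root, locked, plain


if __name__ == "__main__":
    root, _, _ = build_sample_tree()
    for path, findings in sorted(audit(root).items()):
        print(path, sorted(findings))
```

Run against `/` as root to get the real list; every negative-group-permission
hit is a place where the policy rests on the attacker keeping his group, and
every setgid hit is a way to change it.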