From owner-freebsd-bugs Thu Oct 10 0:30: 4 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7FCE537B401 for ; Thu, 10 Oct 2002 00:30:02 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id C4E7C43EA3 for ; Thu, 10 Oct 2002 00:30:01 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id g9A7U1Co042965 for ; Thu, 10 Oct 2002 00:30:01 -0700 (PDT) (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.6/8.12.6/Submit) id g9A7U1iX042964; Thu, 10 Oct 2002 00:30:01 -0700 (PDT)
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E8F5B37B401 for ; Thu, 10 Oct 2002 00:23:43 -0700 (PDT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117]) by mx1.FreeBSD.org (Postfix) with ESMTP id A323843E97 for ; Thu, 10 Oct 2002 00:23:43 -0700 (PDT) (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.12.6/8.12.6) with ESMTP id g9A7Nh7R098781 for ; Thu, 10 Oct 2002 00:23:43 -0700 (PDT) (envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost) by www.freebsd.org (8.12.6/8.12.6/Submit) id g9A7NhPs098780; Thu, 10 Oct 2002 00:23:43 -0700 (PDT)
Message-Id: <200210100723.g9A7NhPs098780@www.freebsd.org>
Date: Thu, 10 Oct 2002 00:23:43 -0700 (PDT)
From: pavel stano
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: misc/43886: local exploitable overflow in rogue
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number:         43886
>Category:       misc
>Synopsis:       local exploitable overflow in rogue
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 10 00:30:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     pavel stano
>Release:        4.6-RELEASE
>Organization:
none
>Environment:
>Description:
VULNERABLE APPLICATION:
rogue in FreeBSD (tested on 4.6-RELEASE)

ABOUT APPLICATION:
rogue is a fantasy game which is indirectly setgid games

IMPACT: low/medium

EXPLOITATION:
we can be egid=games, with this we can:
1. edit score files in /var/games
2. use /var/games as a storage directory (typically when we are limited by quota)

SOLUTION:
1. disabling rogue game via /etc/dm.conf (mad rogueists KILL YOU)
2. fix in the source code

ABOUT BUG:
At first about dm (from man page):

     Dm is a program used to regulate game playing. Dm expects to be invoked
     with the name of a game that a user wishes to play. This is done by
     creating symbolic links to dm, in the directory /usr/games for all of
     the regulated games. The actual binaries for these games should be
     placed in a ``hidden'' directory, /usr/games/hide, that may only be
     accessed by the dm program. Dm determines if the requested game is
     available and, if so, runs it. The file /etc/dm.conf controls the
     conditions under which games may be run.

/usr/games/dm is of course setgid games.

Other games which don't need the games euid revoke privileges after start. Games which need the games euid after start open the score file and revoke privileges. Rogue doesn't revoke privileges after start; it runs egid games.

Vulnerability is in restoring a saved game. There is a function read_string in the restore function in the save.c file which doesn't check the size of the variable. We can rewrite an address in the GOT (as in my attached exploit).

ATTACHMENTS:
instant-rogue-exp.sh - instant exploit to get egid=games
exploit is here: http://www.iserver.sk/~stanojr/instant-rogue-exp.sh

AUTHOR: stanojr@iserver.sk

ps: sorry, i know, my english is very bad :]
>How-To-Repeat:
>Fix:
check netbsd sources, they fix it
>Release-Note:
>Audit-Trail:
>Unformatted:
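The defect the report describes, a restore routine that copies a length-prefixed string out of the save file without comparing the stored length to the destination buffer, is the usual shape of this class of setgid-game overflow, and the remedy is a bounds check at the point of the copy. The C below is an added illustration, not rogue's or FreeBSD's code and not the NetBSD fix the submitter refers to; the record layout (a 16-bit little-endian count followed by that many bytes), the function names, the NAME_LEN buffer size and the constructed records are all assumptions. It places the unchecked pattern next to a checked reader that refuses a count larger than the destination or larger than what the file actually contains, so a corrupt or hostile save is rejected instead of overwriting memory.

```c
/* Added example: a length-prefixed string record as a save/restore routine
 * might store it (16-bit little-endian count, then the bytes). Record layout,
 * names and sizes are assumptions, not rogue's actual format. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 32   /* assumed fixed-size destination in the restore path */

/* The unchecked pattern the PR describes: the count comes from the file and is
 * used directly as the copy length, never compared with the destination size.
 * Kept only for contrast; nothing below calls it. */
void read_string_unchecked(const unsigned char *rec, char *out)
{
    uint16_t n = (uint16_t)(rec[0] | (rec[1] << 8));
    memcpy(out, rec + 2, n);      /* n larger than the destination overflows it */
    out[n] = '\0';
}

/* Checked reader: validates the count against both the destination buffer and
 * the bytes actually present before copying. Returns 0 on success, -1 on a
 * malformed record; *consumed receives the number of record bytes used. */
int read_string_checked(const unsigned char *rec, size_t rec_len,
                        char *out, size_t out_len, size_t *consumed)
{
    if (out_len == 0 || rec_len < 2)
        return -1;
    uint16_t n = (uint16_t)(rec[0] | (rec[1] << 8));
    if ((size_t)n >= out_len)          /* no room for n bytes plus the NUL */
        return -1;
    if ((size_t)n > rec_len - 2)       /* count claims more than the file holds */
        return -1;
    memcpy(out, rec + 2, n);
    out[n] = '\0';
    if (consumed)
        *consumed = 2 + (size_t)n;
    return 0;
}

/* Build a record from a C string with an arbitrary claimed count (constructed
 * test data standing in for a save file; the count need not match the payload). */
size_t make_record(unsigned char *buf, size_t cap, const char *s, uint16_t claimed)
{
    size_t len = strlen(s);
    if (cap < 2 + len)
        return 0;
    buf[0] = (unsigned char)(claimed & 0xff);
    buf[1] = (unsigned char)(claimed >> 8);
    memcpy(buf + 2, s, len);
    return 2 + len;
}

/* Restore a player name into a NAME_LEN buffer. Returns 1 if the record was
 * accepted, 0 if it was rejected as corrupt (name is then emptied). */
int restore_name(const unsigned char *rec, size_t rec_len, char *name)
{
    if (read_string_checked(rec, rec_len, name, NAME_LEN, NULL) != 0) {
        name[0] = '\0';
        return 0;
    }
    return 1;
}

/* Well-formed record: count matches the 6-byte payload. Returns 1 if the name
 * is restored intact and exactly 8 record bytes were consumed. */
int demo_good_record(void)
{
    unsigned char rec[64];
    char name[NAME_LEN];
    size_t used = 0;
    size_t n = make_record(rec, sizeof rec, "Rodney", 6);
    if (read_string_checked(rec, n, name, NAME_LEN, &used) != 0)
        return 0;
    return used == 8 && strcmp(name, "Rodney") == 0;
}

/* Count of 500 for a 6-byte payload: larger than NAME_LEN, must be rejected. */
int demo_oversize_count(void)
{
    unsigned char rec[64];
    char name[NAME_LEN];
    size_t n = make_record(rec, sizeof rec, "Rodney", 500);
    return restore_name(rec, n, name) == 0 && name[0] == '\0';
}

/* Count of 20 fits NAME_LEN but exceeds the 6 bytes present: also rejected,
 * so a truncated file cannot make the reader run past the record. */
int demo_count_beyond_record(void)
{
    unsigned char rec[64];
    char name[NAME_LEN];
    size_t n = make_record(rec, sizeof rec, "Rodney", 20);
    return restore_name(rec, n, name) == 0;
}

int main(void)
{
    printf("good record accepted:        %d\n", demo_good_record());
    printf("oversize count rejected:     %d\n", demo_oversize_count());
    printf("count beyond file rejected:  %d\n", demo_count_beyond_record());
    return 0;
}
```

Two checks are needed rather than one: comparing the count with the destination stops the overflow the PR is about, and comparing it with the remaining record length stops an over-read on a truncated file. A program that keeps its setgid rights while parsing a user-controlled file, as the report says rogue does, should treat every length it reads from that file this way.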