Liquid War HOME Environment Variable Overflow Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1007713
CVE Reference: GENERIC-MAP-NOMATCH
Date: Sep 16 2003
Impact: Execution of arbitrary code via local system, User access via local system
Advisory: Zone-H
Version(s): 5.4.5
Description: ZetaLABs (Zone-H Research Laboratories) reported a buffer overflow vulnerability in the Liquid War game software. A local user can gain 'games' group privileges on the system.
It is reported that the set_path() function in 'startup.c' uses unchecked string copy functions (strcpy()/strcat()) on the value of the HOME environment variable. A local user can set HOME to a specially crafted value longer than 1000 characters to trigger a buffer overflow and execute arbitrary code with 'games' group privileges.
Impact: A local user can execute arbitrary code with 'games' group privileges.
Solution: No solution was available at the time of this entry.
An unofficial patch is available at:
http://www.zone-h.org/download/file=4943
[Editor's note: It appears that the code has changed in the most recent version (5.5.9) to include protection against this particular buffer overflow.]
Vendor URL: www.ufoot.org/liquidwar/
Cause: Boundary error
Underlying OS: Linux (Any), UNIX (Any)
Reported By: Astharot <secfoc@email.it>
Message History:
None.
Source Message Contents
Date: Mon, 15 Sep 2003 23:28:20 +0200
From: Astharot <secfoc@email.it>
Subject: ZH2003-28SA (security advisory): buffer overflow in liquidwar
ZH2003-28SA (security advisory): buffer overflow in liquidwar
Published: 14 September 2003
Name: liquidwar
Affected Versions: 5.4.5 (probably others)
Issue: Local buffer overflow - local attacker can obtain "gid=games" privileges
Author: ZetaLABs (Zone-H Research Laboratories)
Description
***********
ZetaLABs (Zone-H Research Laboratories) has discovered a buffer overflow in the
game spider, an application contained in the Debian GNU/Linux distribution.
Details
*******
We can see the vulnerable code here:

#define STARTUP_MAX_PATH_LENGTH 1000
[...]
char STARTUP_CFG_PATH[STARTUP_MAX_PATH_LENGTH];
[...]
static void set_path (void)
{
  char home_path[512];   /* fixed-size stack buffer; HOME is user-controlled and unbounded */
  char *home_env;

  if (exist_argument_value (IDENT_CFG))
    strcpy(STARTUP_CFG_PATH,get_argument_str (IDENT_CFG));
  else
    {
#ifdef ALLEGRO_UNIX
      home_env=getenv("HOME");
      strcpy(home_path,home_env); /* unchecked strcpy() */
      strcat(home_path,"/");
#else
      home_env="";
      strcpy(home_path,home_env); /* unchecked strcpy() but not dangerous */
#endif
      strcpy(STARTUP_CFG_PATH,home_path); /* unchecked strcpy() */
      strcat(STARTUP_CFG_PATH,DEFAULT_CFG_PATH);
    }
}
This vulnerability can be exploited by a local attacker to execute arbitrary
code with gid=games privileges.
Solution
*********
It's possible to download a simple patch here:
http://www.zone-h.org/download/file=4943
Suggestions
************
Patch the game with the proposed patch.
---
ZetaLABs - Zone-H Research Laboratories
--
Link of the advisory: http://www.zone-h.org/en/advisories/read/id=3059/
--
Astharot
--
http://www.zone-h.org - astharot@zone-h.org
PGP Key: http://www.gife.org/astharot.asc
Linux User #292132
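The following hardened version of the path-building step is an added example written for this entry; it is not code from Liquid War, from the Zone-H patch, or from the quoted advisory. It addresses the unchecked strcpy()/strcat() calls in set_path() described in the entry above and shown in the advisory: getenv("HOME") is checked for NULL, the intermediate 512-byte home_path buffer is dropped, the path is built with a single bounded snprintf() into a STARTUP_MAX_PATH_LENGTH buffer, and a HOME value that does not fit is rejected instead of overflowing. The value of DEFAULT_CFG_PATH is a placeholder (the advisory only shows the macro name), and the oversized HOME values are constructed sample inputs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STARTUP_MAX_PATH_LENGTH 1000
/* Placeholder value: the advisory shows only the macro name, not its contents */
#define DEFAULT_CFG_PATH "liquidwar.cfg"

/*
 * Hardened replacement for the path-building step of set_path().
 * Builds "<home>/<DEFAULT_CFG_PATH>" into out (out_len bytes).
 * Returns 0 on success; -1 if HOME is unset or the result would not fit,
 * in which case out is left as an empty string.
 */
int build_cfg_path(const char *home_env, char *out, size_t out_len)
{
    int written;

    if (out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';

    /* getenv("HOME") can return NULL; the original handed it straight to strcpy() */
    if (home_env == NULL)
        return -1;

    /* snprintf() never writes more than out_len bytes. Its return value is the
     * length the complete string would have had, so >= out_len means truncation,
     * which we treat as an error rather than silently using a mangled path. */
    written = snprintf(out, out_len, "%s/%s", home_env, DEFAULT_CFG_PATH);
    if (written < 0 || (size_t)written >= out_len) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Builds the config path for home and compares it with expected; 1 on match, else 0 */
int path_matches(const char *home, const char *expected)
{
    char cfg_path[STARTUP_MAX_PATH_LENGTH];

    if (build_cfg_path(home, cfg_path, sizeof cfg_path) != 0)
        return 0;
    return strcmp(cfg_path, expected) == 0;
}

/*
 * Constructed sample input: a HOME value made of n 'A' characters, the shape
 * of the trigger condition the advisory describes (longer than the buffer).
 * Returns build_cfg_path()'s result for that value: 0 if it fit, -1 if rejected.
 */
int try_home_of_length(size_t n)
{
    char cfg_path[STARTUP_MAX_PATH_LENGTH];
    char *home = malloc(n + 1);
    int rc;

    if (home == NULL)
        return -1;
    memset(home, 'A', n);
    home[n] = '\0';
    rc = build_cfg_path(home, cfg_path, sizeof cfg_path);
    free(home);
    return rc;
}

int main(void)
{
    char buf[STARTUP_MAX_PATH_LENGTH];
    /* Largest HOME that still fits: buffer minus NUL, '/' and the config file name */
    size_t max_fit = STARTUP_MAX_PATH_LENGTH - 1 - 1 - strlen(DEFAULT_CFG_PATH);

    printf("normal HOME:           rc=%d path=%s\n",
           build_cfg_path("/home/games", buf, sizeof buf), buf);
    printf("unset HOME (NULL):     rc=%d\n", build_cfg_path(NULL, buf, sizeof buf));
    printf("1100-byte HOME:        rc=%d\n", try_home_of_length(1100));
    printf("%zu-byte HOME (fits):  rc=%d\n", max_fit, try_home_of_length(max_fit));
    printf("%zu-byte HOME (too big): rc=%d\n", max_fit + 1, try_home_of_length(max_fit + 1));
    return 0;
}
```

The boundary case is the one to check when reviewing a fix like this: with a 1000-byte buffer and a 13-byte file name, a HOME of 985 bytes still fits (999 characters plus the terminator) while 986 bytes is rejected, so the check is exact rather than merely generous.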