NetBSD hack(6) Buffer Overflows Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1022485
SecurityTracker URL: http://securitytracker.com/id/1022485
Date: Jul 1 2009
Execution of arbitrary code via local system, User access via local system
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 4.0, 4.0.1, 5.0
A vulnerability was reported in NetBSD hack(6). A local user can obtain elevated privileges on the target system.
A local user can trigger a buffer overflow to execute arbitrary code on the target system with "games" group privileges.
The user can set a specially crafted PATH environment variable value to trigger a stack overflow in the gethdate() function.
The user can set a specially crafted GENOCIDED environment variable value to trigger a buffer overflow in the main() function when in wizard mode.
David A. Holland reported this vulnerability.
A local user can obtain "games" group privileges on the target system.
The vendor has issued a fix.
The vendor's advisory is available at:
Vendor URL: ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2009-007.txt.asc
Source Message Contents
Date: Wed, 1 Jul 2009 01:05:53 -0400
Subject: NetBSD hack game
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2009-007
Topic: Buffer overflows in hack(6)
Version:  NetBSD-current: source prior to June 30, 2009
          NetBSD 5.0: affected
          NetBSD 4.0.1: affected
          NetBSD 4.0: affected
Severity: Unprivileged local users can gain access to "games" group
Fixed:    NetBSD-current: June 29, 2009
          NetBSD-5 branch: June 29, 2009
            (5.1 will include the fix)
          NetBSD-5-0 branch: June 29, 2009
            (5.0.1 will include the fix)
          NetBSD-4 branch: June 29, 2009
            (4.1 will include the fix)
          NetBSD-4-0 branch: June 29, 2009
            (4.0.2 will include the fix)
Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.
Hack, a "rogue-like" game, is installed setgid to the "games" group
to allow access to shared data and high scores and allow saved games
to be stored where they cannot be tampered with. Buffer handling
shortcomings allow arbitrary code execution with the privilege of the
"games" group, which can then be used to attack other users playing
The gethdate() function contains a stack-based buffer overflow
vulnerability that can be exploited by setting the PATH environment
The main() function contains a data-segment-based buffer overflow bug
attackable in wizard mode by the GENOCIDED environment variable; this
may be exploitable via function pointers elsewhere in the data segment.
Multiple other string handling weaknesses exist that may or may not be
attackable and may or may not be exploitable.
Solutions and Workarounds
Removing the setgid bit from /usr/games/hack is a simple and effective
workaround, although hack will not work properly without it.
For all affected NetBSD versions, the proper fix requires obtaining
updated sources, and rebuilding and installing hack. Fixed sources may
be obtained from the NetBSD CVS repository.
Systems running NetBSD-current dated from before 2009-06-30
should be upgraded to NetBSD-current dated 2009-06-30 or later.
* NetBSD 5.0_STABLE and 5.0.0_PATCH:
The binary distribution of NetBSD 5.0 is vulnerable.
Systems running NetBSD 5.0 sources dated from before
2009-06-30 should be upgraded from NetBSD 5.0 sources
dated 2009-06-30 or later.
NetBSD 5.0.1 and 5.1 will include the fix.
* NetBSD 4.0_STABLE and 4.0.1_PATCH:
The binary distribution of NetBSD 4.0 is vulnerable.
Systems running NetBSD 4.0 sources dated from before
2009-06-30 should be upgraded from NetBSD 4.0 sources
dated 2009-06-30 or later.
NetBSD 4.0.2 and 4.1 will include the fix.
* For all releases:
The following directories need to be updated from the
appropriate CVS branch:
To update from CVS, re-build, and re-install hack:
# cd src
# cvs update -d -P games/hack
# cd games/hack
# make USETOOLS=no cleandir obj
# make USETOOLS=no dependall install
This will select the fixes for the branch you have already
checked out in your source tree.
For more information on building (oriented towards rebuilding the
entire system, however) see:
David A. Holland found and fixed the problems.
2009-06-30 Initial release
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2009, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2009-007.txt,v 1.1 2009/06/30 18:48:33 tonnerre Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)
-----END PGP SIGNATURE-----
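An added illustration of the bug class behind the gethdate() PATH overflow described in the advisory above: building "<dir>/<name>" from each PATH component into a fixed-size buffer, with the length check made before any byte is written. This is not NetBSD's hack(6) source and not part of the advisory; the names `join_component` and `scan_path`, the 16-byte buffer and the sample PATH value are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical helper (not hack(6) source): write "<dir>/<name>" into
 * out[outsz]. Returns 0, or -1 (out untouched) if it would not fit.
 * Copying without this check is the general stack-overflow pattern. */
static int join_component(char *out, size_t outsz, const char *dir,
                          size_t dirlen, const char *name)
{
    size_t namelen = strlen(name);
    if (dirlen == 0) {              /* empty component: current directory */
        if (namelen >= outsz)
            return -1;
        memcpy(out, name, namelen + 1);
        return 0;
    }
    /* Need dirlen + '/' + namelen + NUL <= outsz, computed without wrap. */
    if (dirlen >= outsz || namelen >= outsz - dirlen - 1)
        return -1;
    memcpy(out, dir, dirlen);
    out[dirlen] = '/';
    memcpy(out + dirlen + 1, name, namelen + 1);
    return 0;
}

/* Walk a user-controlled PATH value. Returns the number of components that
 * fit; *rejected counts over-long ones skipped. out keeps the last candidate. */
static int scan_path(const char *path, const char *name,
                     char *out, size_t outsz, int *rejected)
{
    int ok = 0;
    *rejected = 0;
    while (path != NULL) {
        const char *end = strchr(path, ':');
        size_t len = end ? (size_t)(end - path) : strlen(path);
        if (join_component(out, outsz, path, len, name) == 0)
            ok++;                   /* a real caller would stat(out) here */
        else
            (*rejected)++;
        path = end ? end + 1 : NULL;
    }
    return ok;
}
int main(void)
{
    char buf[16] = "";              /* constructed, deliberately small buffer */
    int rej, ok = scan_path("/bin:/usr/games:/AAAAAAAAAAAAAAAAAAAAAAAA",
                            "hack", buf, sizeof buf, &rej);
    printf("usable=%d rejected=%d last=%s\n", ok, rej, buf);
    return 0;
}
```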