Category:   Application (Game)  >   Maelstrom
Vendors:   Lantinga, Sam
Maelstrom Game Temporary File Symbolic Link Flaw Lets Local Users Cause Files on the System to Be Overwritten
SecurityTracker Alert ID:  1003317
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Jan 22 2002
Original Entry Date:  Jan 22 2002
Impact:   Modification of system information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 3.0.1
Description:   A temporary file symbolic link vulnerability was reported in the Maelstrom game. A local user may be able to cause files to be overwritten on the system.

It is reported that Maelstrom uses a predictable temporary file name and does not check for existing symbolic links (symlinks) when creating the temporary file. A local user can create a symlink from the temporary file name to another critical file on the system. Then, when another user executes Maelstrom, the linked file will be overwritten with the privileges of the other user.

Impact:   A local user can cause certain files to be overwritten when another user runs the Maelstrom game.
Solution:   The vendor has fixed the vulnerability in the current version (3.0.5), available at:

Vendor URL:
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)
Underlying OS Comments:  Tested on Red Hat Linux 7.1

Message History:   None.

 Source Message Contents

Subject:  Maelstrom 1.4.3 arbitrary file overwrite

Program: Maelstrom
Version: 1.4.3
Distribution: RedHat 7.1

When trying to break stuff, ltracing Maelstrom showed the following:

fopen("/tmp/f", "w")                              = 0x08081f58
fprintf(0x08081f58, "Main program = %s\n", "Maelstrom") = 25
fclose(0x08081f58)                                = 0

Which made me wonder if it followed symbolic links, by doing

[andrewg@blackhole andrewg]$ rm -f /tmp/f; (umask 077; echo bla >  /tmp/bla; \
ln -s /tmp/bla /tmp/f)

at which point I ran it again, and when I did cat /tmp/bla, I got

Main program = Maelstrom


You can overwrite arbitrary files with the permissions of the user who ran

Of course, this won't work on systems that have linking restrictions in /tmp.

Fixing it

Remove the code that does the above.
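
For programs that do need such a file, the following added example (not code from Maelstrom or from the original message) contrasts the fopen() pattern seen in the ltrace output with a create-only open that refuses a pre-existing symlink. The function names and the mkdtemp() scratch directory are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Pattern seen in the ltrace output: fopen(path, "w") follows a symlink at path. */
static int write_log_unsafe(const char *path, const char *prog) {
    FILE *fp = fopen(path, "w");
    if (!fp) return -1;
    fprintf(fp, "Main program = %s\n", prog);
    return fclose(fp);
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST if anything already exists at
   path, including a symlink (even a dangling one); 0600 keeps it private. */
static int write_log_safe(const char *path, const char *prog) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    FILE *fp = fdopen(fd, "w");
    if (!fp) { close(fd); return -1; }
    fprintf(fp, "Main program = %s\n", prog);
    return fclose(fp);
}

/* Constructed scenario in a private mkdtemp() directory: symlink "f" points at
   "victim". Returns 1 if the writer changed victim, 0 if not, -1 on setup error. */
static int victim_clobbered(int (*writer)(const char *, const char *)) {
    char dir[] = "/tmp/symdemoXXXXXX", victim[64], lnk[64], buf[64] = "";
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/f", dir);
    FILE *fp = fopen(victim, "w");
    if (!fp) return -1;
    fputs("important\n", fp);
    fclose(fp);
    if (symlink(victim, lnk) != 0) return -1;
    writer(lnk, "Maelstrom");
    fp = fopen(victim, "r");
    if (fp) { if (!fgets(buf, sizeof buf, fp)) buf[0] = '\0'; fclose(fp); }
    unlink(lnk); unlink(victim); rmdir(dir);
    return strcmp(buf, "important\n") != 0;
}

int main(void) {
    printf("unsafe writer clobbered victim: %d\n", victim_clobbered(write_log_unsafe));
    printf("safe writer clobbered victim:   %d\n", victim_clobbered(write_log_safe));
    return 0;
}
```

A program that only needs scratch space can avoid the fixed name entirely by using mkstemp(), which picks an unpredictable name and opens it with the same create-only semantics.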


