Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Game)  >   XGalaga Vendors:   Rumsey, Joe
XGalaga Buffer Overflow May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1007081
SecurityTracker URL:
CVE Reference:   CVE-2003-0454   (Links to External Site)
Date:  Jun 29 2003
Impact:   Execution of arbitrary code via local system, User access via local system

Version(s): 2.0
Description:   A buffer overflow vulnerability was reported in the XGalaga game. A local user may be able to execute arbitrary code with 'games' group privileges.

Steve Kemp reported that the software does not check the length of the HOME environment variable. A local user can set a specially crafted value for the variable to trigger a buffer overflow in 'highscore.c'. It may be possible to execute arbitrary code (but the author of the report was unable to confirm that). If arbitrary code execution can be achieved, the code will execute with 'games' group privileges.

A demonstration exploit is provided:

skx@hell:$ export HOME=`perl -e 'print "x" x 500'`

Impact:   A local user may be able to obtain 'games' group privileges.
Solution:   No upstream solution was available at the time of this entry.

An unoffical patch is available at:

Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 29 2003 (Debian Issues Fix) XGalaga Buffer Overflow May Let Local Users Gain Elevated Privileges
Debian has released a fix.

 Source Message Contents

Subject:  XGalaga bug

 > From: Steve Kemp
 > Subject: xgalaga: Buffer overflow potentially allows group games membership.
 > Date: Sun, 29 Dec 2002 14:20:27 +0000

 > Package: xgalaga
 > Version: 2.0.34-21

 >   The game `xgalaga` doesn't correctly check it's use of environmental
 > variables when trying to find a users home area.
 >   This is potentially exploitable - although I have to admit I havn't
 >  succeeded in exploiting it to date.
 >   This shell session demonstrates how the vulnerability may be
 >  triggered:
 >    skx@hell:$ export HOME=`perl -e 'print "x" x 500'`


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, LLC