SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Game)  >   Spider (game) Vendors:   Woods, Donald R. et al
Spider Linux Game Buffer Overflows Let Local Users Gain 'games' Group Privileges
SecurityTracker Alert ID:  1007702
SecurityTracker URL:  http://securitytracker.com/id/1007702
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 14 2003
Impact:   Execution of arbitrary code via local system, User access via local system

Version(s): 1.1
Description:   ZetaLABs (Zone-H Research Laboratories) reported two buffer overflow vulnerabilities in the 'spider' game for Linux systems. A local user can obtain 'games' group privileges.

A heap overflow is reported in 'util.c' in the remove_newlines() function. A local user can set a specially crafted value for the HOME environment variable to trigger the overflow and execute arbitrary code.

A buffer overflow vulnerability is reported in 'vx_ui.c' in the spider_defaults_objects_initialize() function. A local user can set a specially crafted value for the OPENWINHOME or XVIEWHOME environment variables to trigger an overflow and execute arbitrary code.

It is reported that the code will run with set group id (setgid) 'games' group privileges.

Impact:   A local user can execute arbitrary code with 'games' group privileges.
Solution:   No solution was available at the time of this entry.

An unofficial patch is available at:

http://www.zone-h.org/download/file=4941/

Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  ZH2003-27SA (security advisory): multiple overflows in spider



ZH2003-27SA (security advisory): multiple overflows in spider

Published: 14 september 2003
Name: spider
Affected Versions: 1.1 (probably others)
Issue: Local buffer overflow - local attacker can obtain "gid=games" privileges
Author: ZetaLABs (Zone-H Research Laboratories)

Description
***********

ZetaLABs (Zone-H Research Laboratories) has discovered multiple overflows in the
game spider, an application contained in the Debian GNU/Linux distribution.

Details
*******

There have been discovered 2 overflows: a heap overflow and a buffer overflow.
1) The first one is a heap overflow. We can see the vulnerable code in the
"util.c" file:

char    *
remove_newlines(str)
char    *str;
{
char    *newstr;
char    *n;
extern char     *getenv();
         /* pad it generously to provide for tilde expansion */
         n = newstr = (char *)calloc((unsigned)(strlen(str) + 256), 1);
[...]
         /* tilde expansion */
         if (*str == '~')        {
                 /* user */
                 if (*(str + 1) == '/')  {
                         (void)strcpy(newstr, getenv("HOME")); /* strcpy()
unchecked */
[...]

We can see that the calloc() functions allocate a standard amount of memory, so
if we put in the HOME environment variable more than 256+length of str bytes, it
will occour the overflow.

2) The second one is a buffer overflow. We can see the vulnerable code in the
"vx_ui.c" file:

spider_defaults_objects *
spider_defaults_objects_initialize(ip, owner)
         spider_window1_objects  *ip;
         Xv_opaque       owner;
{
         spider_defaults_objects *obj=ip->defaults;
         char buf1[256];
[...]
                 char *helphome;
                 extern char *getenv();
                 if (((helphome = getenv("OPENWINHOME")) ||
                      (helphome = getenv("XVIEWHOME"))) &&
                      (helphome != (char *)NULL)) {
                         sprintf(buf1,"%s/lib/help/spider",helphome); /*
unchecked sprintf() */
[...]

There's a buffer (buf1) that can contain 256 bytes. It is enough to insert more
than 256-16 ("/lib/help/spider") in the OPENWINHOME or in XVIEWHOME environment
variables to cause the overflow.

Both vulnerabilities can be exploited by a local attacker to gain "gid=games"
privileges.

Solution
*********

It's possible to download a simple patch here:
http://www.zone-h.org/download/file=4941/

Suggestions
************

Patch the game with the proposed patch.

---
ZetaLABs - Zone-H Research Laboratories

Thanks to c0wboy - 0x333 Outsiders Security Labs (www.0x333.org) for supporting
us

--
Original advisory here: http://www.zone-h.org/en/advisories/read/id=3049/
--

Astharot
-- 
http://www.zone-h.org - astharot@zone-h.org
PGP Key: http://www.gife.org/astharot.asc

Linux User #292132



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC