SecurityTracker.com


 


Category:   Application (Game)  >   Liquid War
Vendors:   Mauduit, Christian
Liquid War HOME Environment Variable Overflow Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1007713
SecurityTracker URL:  http://securitytracker.com/id/1007713
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 16 2003
Impact:   Execution of arbitrary code via local system, User access via local system

Version(s): 5.4.5
Description:   ZetaLABs (Zone-H Research Laboratories) reported a buffer overflow vulnerability in the Liquid War game software. A local user can gain 'games' group privileges on the system.

It is reported that the set_path() function in 'startup.c' copies strings with unchecked strcpy() and strcat() calls. A local user can set the HOME environment variable to a specially crafted value longer than 1000 characters to trigger a buffer overflow and execute arbitrary code with 'games' group privileges.

Impact:   A local user can execute arbitrary code with 'games' group privileges.
Solution:   No solution was available at the time of this entry.

An unofficial patch is available at:

http://www.zone-h.org/download/file=4943

[Editor's note: It appears that the code has changed in the most recent version (5.5.9) to include protection against this particular buffer overflow.]

Vendor URL:  www.ufoot.org/liquidwar/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  ZH2003-28SA (security advisory): buffer overflow in liquidwar


ZH2003-28SA (security advisory): buffer overflow in liquidwar

Published: 14 September 2003
Name: liquidwar
Affected Versions: 5.4.5 (probably others)
Issue: Local buffer overflow - local attacker can obtain "gid=games" privileges
Author: ZetaLABs (Zone-H Research Laboratories)

Description
***********

ZetaLABs (Zone-H Research Laboratories) has discovered a buffer overflow in the
game spider, an application contained in the Debian GNU/Linux distribution.

Details
*******

We can see the vulnerable code here:

#define STARTUP_MAX_PATH_LENGTH           1000
[...]
char STARTUP_CFG_PATH[STARTUP_MAX_PATH_LENGTH];
[...]
static void set_path (void)
{
  char home_path[512];
  char *home_env;
  if (exist_argument_value (IDENT_CFG))
    strcpy(STARTUP_CFG_PATH,get_argument_str (IDENT_CFG));
  else
    {
#ifdef ALLEGRO_UNIX
      home_env=getenv("HOME");
      strcpy(home_path,home_env); /* unchecked strcpy() */
      strcat(home_path,"/");
#else
      home_env="";
      strcpy(home_path,home_env); /* unchecked strcpy() but not dangerous */
#endif
      strcpy(STARTUP_CFG_PATH,home_path); /* unchecked strcpy() */
      strcat(STARTUP_CFG_PATH,DEFAULT_CFG_PATH);
    }

This vulnerability can be exploited by a local attacker to execute arbitrary
code with gid=games privileges.

Solution
*********
It's possible to download a simple patch here:
http://www.zone-h.org/download/file=4943

Suggestions
************
Patch the game with the proposed patch.

---
ZetaLABs - Zone-H Research Laboratories


--
Link of the advisory: http://www.zone-h.org/en/advisories/read/id=3059/
--


Astharot
-- 
http://www.zone-h.org - astharot@zone-h.org
PGP Key: http://www.gife.org/astharot.asc

Linux User #292132
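
Added example (not part of the advisory, the unofficial patch, or Liquid War's own code): a bounded version of the HOME-based path construction shown in set_path(), which rejects an unset or overlong HOME instead of copying it. build_cfg_path() and set_path_checked() are hypothetical names, and the DEFAULT_CFG_PATH value is a placeholder because the page does not show it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STARTUP_MAX_PATH_LENGTH 1000
/* Placeholder value (assumption): the page does not show DEFAULT_CFG_PATH. */
#define DEFAULT_CFG_PATH ".liquidwarrc-example"

static char STARTUP_CFG_PATH[STARTUP_MAX_PATH_LENGTH];

/* Hypothetical helper: writes "<home>/<DEFAULT_CFG_PATH>" into dst.
 * Returns 0 on success, -1 if home is NULL or the result does not fit;
 * on failure dst is left empty, never holding a truncated path. */
static int build_cfg_path(char *dst, size_t dst_size, const char *home)
{
    int n;

    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (home == NULL)               /* getenv("HOME") can return NULL */
        return -1;

    n = snprintf(dst, dst_size, "%s/%s", home, DEFAULT_CFG_PATH);
    if (n < 0 || (size_t)n >= dst_size) {
        dst[0] = '\0';              /* reject instead of using a cut-off path */
        return -1;
    }
    return 0;
}

/* Bounded counterpart of the ALLEGRO_UNIX branch of set_path(). */
static int set_path_checked(void)
{
    return build_cfg_path(STARTUP_CFG_PATH, sizeof STARTUP_CFG_PATH,
                          getenv("HOME"));
}

int main(void)
{
    if (set_path_checked() != 0) {
        fprintf(stderr, "HOME unset or too long, refusing to start\n");
        return 1;
    }
    printf("config path: %s\n", STARTUP_CFG_PATH);
    return 0;
}
```

Writing directly into the destination with one length-checked call removes the intermediate 512-byte home_path buffer, so there is a single size to reason about.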


 
 

