


Category:   Application (Game)  >   Liquid War
Vendors:   Mauduit, Christian
Liquid War HOME Environment Variable Overflow Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1007713
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 16 2003
Impact:   Execution of arbitrary code via local system, User access via local system

Version(s): 5.4.5
Description:   ZetaLABs (Zone-H Research Laboratories) reported a buffer overflow vulnerability in the Liquid War game software. A local user can gain 'games' group privileges on the system.

It is reported that the set_path() function in 'startup.c' copies strings with unchecked strcpy() calls. A local user can set the HOME environment variable to a specially crafted value longer than 1000 characters to trigger a buffer overflow and execute arbitrary code with 'games' group privileges.

Impact:   A local user can execute arbitrary code with 'games' group privileges.
Solution:   No solution was available at the time of this entry.

An unofficial patch is available at:

[Editor's note: It appears that the code has changed in the most recent version (5.5.9) to include protection against this particular buffer overflow.]
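
One way to bound the HOME copy described above, as an added example; it is not Liquid War's code and not the unofficial patch. build_cfg_path, CFG_PATH_MAX and the "/.examplerc" suffix are hypothetical names chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CFG_PATH_MAX 1000          /* same size as STARTUP_MAX_PATH_LENGTH on this page */
#define CFG_SUFFIX   "/.examplerc" /* placeholder file name, not the game's real one */

/*
 * Build "<home><CFG_SUFFIX>" into out (capacity out_len bytes).
 * HOME is attacker-controlled in a setgid program, so it is rejected when it
 * is missing, not absolute, or too long to fit with the suffix.
 * Returns 0 on success, -1 on rejection. On rejection out is left as the
 * empty string so a caller can never act on a truncated path.
 */
static int build_cfg_path(char *out, size_t out_len, const char *home)
{
    int n;

    if (out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';
    if (home == NULL || home[0] != '/')
        return -1;

    /* snprintf never writes past out_len and returns the length it needed */
    n = snprintf(out, out_len, "%s%s", home, CFG_SUFFIX);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';             /* would have been truncated: refuse */
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[CFG_PATH_MAX];

    if (build_cfg_path(path, sizeof path, getenv("HOME")) != 0) {
        fprintf(stderr, "HOME unset, relative or too long; using defaults\n");
        return 1;
    }
    printf("config path: %s\n", path);
    return 0;
}
```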

Vendor URL: (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents

Subject:  ZH2003-28SA (security advisory): buffer overflow in liquidwar

ZH2003-28SA (security advisory): buffer overflow in liquidwar

Published: 14 September 2003
Name: liquidwar
Affected Versions: 5.4.5 (probably others)
Issue: Local buffer overflow - local attacker can obtain "gid=games" privileges
Author: ZetaLABs (Zone-H Research Laboratories)


ZetaLABs (Zone-H Research Laboratories) has discovered a buffer overflow in the
game spider, an application contained in the Debian GNU/Linux distribution.


We can see the vulnerable code here:

#define STARTUP_MAX_PATH_LENGTH           1000

static void set_path (void)
  char home_path[512];
  char *home_env;
  if (exist_argument_value (IDENT_CFG))
      strcpy(STARTUP_CFG_PATH,get_argument_str (IDENT_CFG));
#ifdef ALLEGRO_UNIX
      strcpy(home_path,home_env); /* unchecked strcpy() */
      strcpy(home_path,home_env); /* unchecked strcpy() but not dangerous */
      strcpy(STARTUP_CFG_PATH,home_path); /* unchecked strcpy() */

This vulnerability can be exploited by a local attacker to execute arbitrary
code with gid=games privileges.

It's possible to download a simple patch here:

Patch the game with the proposed patch.

ZetaLABs - Zone-H Research Laboratories

Link of the advisory:

-- -
PGP Key:

Linux User #292132

