SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Game)  >   4inarow Vendors:   Corrado, Davide
4inarow Buffer Overflow May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1008395
SecurityTracker URL:  http://securitytracker.com/id/1008395
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 5 2003
Impact:   Execution of arbitrary code via local system, User access via local system


Description:   Some vulnerabilities were reported in the '4inarow' game. A local user can gain elevated privileges on some systems.

It is reported that a local user can set the PATH variable to cause the game to execute an alternate version of the 'clear' command.

It is also reported that a local user can trigger a buffer overflow to execute arbitrary code. A demonstration exploit command (that should cause the process to crash) is provided:

./4rowserver &
echo `perl -e 'print "a"x20000'` | ./4inarow localhost
; ./4inarow localhost

If the binary is configured with set group id (setgid) 'games' group privileges, the local user can gain 'games' group privileges.

The report indicates that the default installation is not setgid.

Impact:   A local user can execute arbitrary code, potentially with 'games' group privileges (depending on the system installation).
Solution:   No solution was available at the time of this entry.

The author has indicated that as a workaround, you can 'chmod -S 4inarow' if the client is configured with setgid privileges.

Vendor URL:  utenti.lycos.it/konrad/ (Links to External Site)
Cause:   Boundary error, Input validation error
Underlying OS:  Linux (Any)

Message History:   None.


 Source Message Contents

Subject:  Linux 4inarow game multiple vulnerabilities.


~*~*~*~*~*~*~*
Introduction
~*~*~*~*~*~*~*

4inarow is a small network compatible Linux 4-in-a-row
clone for two player.  There's a few bugs in the
client program which may allow an attacker to execute
commands or run arbitrary code via a buffer overflow. 
4inarow is not SUID or SGID 'games' by default, but
many administrators enable the SGID 'games' bit on any
games they install for convenience, as most other
games are SGID.


~*~*~*~*~*~*~*
Bugs
~*~*~*~*~*~*~*


1) Changing PATH variable to execute commands.

The 4inarow client program executes the 'clear'
command when it calls the function 'print_game()' upon
connection to the game server ('4rowserver').
Assuming that the 4inarow client program (called
'4inarow') is SGID 'games' (or any other group for
that matter), an attacker could change the PATH
environmental variable, resulting in execution of a
different program by the name of 'clear'.  If an
attacker changed the PATH environmental variable to a
path holding a script or binary by the file name of
'clear', arbitrary commands could be executed.


2) Executing arbitrary code via a buffer overflow in
the client program.

Assuming the 4inarow client program has been set to
SGID 'games' by the root user, privilege execution
could occur via a buffer overflow.  The client program
calls the 'sscanf()' library function to blindly copy
a potentially large string into a small character
array without bounds checking, allowing potentially
for an attacker to cause a buffer overflow, and thus
executing arbitrary code.  Here's a small PoC shell
script for the bug.

-----------START HERE----------
./4rowserver &
echo `perl -e 'print "a"x20000'` | ./4inarow localhost
; ./4inarow localhost
-----------START HERE----------

The shell script should produce a segmentation fault. 
In the core file, you can see that certain registers
are overwritten by 0x61, hex for a.


~*~*~*~*~*~*~*
Fix
~*~*~*~*~*~*~*

A workaround for this is to not set SGID games on the
game. :)

'chmod -S 4inarow' if the client is SGID.



Thank you for your time.
Shaun.



________________________________________________________________________
Download Yahoo! Messenger now for a chance to win Live At Knebworth DVDs
http://www.yahoo.co.uk/robbiewilliams

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC