SecurityTracker.com
Category:   Application (Game)  >   Crafty
Vendors:   Hyatt, Robert M.
Crafty Game Command Line Buffer Overflows May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1009393
SecurityTracker URL:  http://securitytracker.com/id/1009393
CVE Reference:   CVE-2003-0612
Date:  Mar 11 2004
Impact:   Execution of arbitrary code via local system, User access via local system

Version(s): 19.3 and prior versions
Description:   A vulnerability was reported in the Crafty game. A local user may be able to gain elevated privileges on the target system, depending on the configuration.

It is reported that 'crafty.bin' does not properly check the bounds of user-supplied command line data. A local user can supply specially crafted values to trigger a buffer overflow and execute arbitrary code with the privileges of Crafty. On some Linux distributions, Crafty is installed with set group id (setgid) 'games' group privileges.

Steve Kemp reported this vulnerability.

Impact:   A local user can execute arbitrary code with the privileges of Crafty, which may be 'games' group privileges on some distributions.
Solution:   It appears that no upstream fix was available at the time of this entry. The vendor notes that Crafty is not installed with set user id (setuid) or set group id (setgid) privileges, so there would be no security impact. However, some Linux distributions may install with setuid or setgid privileges.
Vendor URL:  www.limunltd.com/crafty/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Mar 12 2004 (Debian Issues Fix) Crafty Game Command Line Buffer Overflows May Let Local Users Gain Elevated Privileges
Debian has issued a fix.



 Source Message Contents

Subject:  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=203541


From: Steve Kemp <skx@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: crafty.bin locally exploitable to gain gid 'games'.
Date: Wed, 30 Jul 2003 20:15:57 +0100

Package: crafty
Version: 19.1-1
Severity: normal
Tags: security upstream patch



Intro
-----

   crafty is the strong chess program played on ICC.

   It installs a file 'crafty.bin' upon both Debian Stable, and Debian
  unstable as setgid games:


skx@hell:~$ ls -l /usr/games/crafty*
-rwxr-xr-x    1 root     root          384 Dec 17  2002 /usr/games/crafty
-rwxr-sr-x    1 root     games     1128712 Dec 17  2002 /usr/games/crafty.bin


Problems
--------

   The setgid file, crafty.bin, contains a pair of flaws in its command
  line handling.

   Both flaws are essentially the same, and involve a lack of bounds checking
  on the arguments supplied by the user.
   Either of these flaws allows a malicious local user to gain group 'games'
  permissions.


   From main.c:2901
       else if (strstr(argv[i],"path")) {
         strcpy(buffer,argv[i]);
         result=Option(tree);
         if (result == 0)
           printf("ERROR \"%s\" is unknown command-line option\n",buffer);
         display=tree->pos;
       }


       main.c:2934
       if (argc > 1) {
         for (i=1;i<argc;i++) if (strcmp(argv[i],"c"))
           if ((argv[i][0]<'0' || argv[i][0] > '9') &&
               !strstr(argv[i],"path")) {
             strcpy(buffer,argv[i]);
             result=Option(tree);
             if (result == 0)
               printf("ERROR \"%s\" is unknown command-line option\n",buffer);
           }
       }


Exploit
-------

   Sample exploit code for the first issue is available upon request,
  I've not included it here as it's not terribly interesting.


Fixes
-----

   The supplied diff, which has been compiled and tested, will close
  both these issues.


Steve
---
www.steve.org.uk
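
The bounds check the report says is missing, as an added example (not Crafty's code and not the diff attached to the bug report): each argument's length is tested against the destination before it is copied, and over-long arguments are rejected rather than truncated. The names `copy_option` and `process_args` and the 512-byte `BUFFER_SIZE` are assumptions for illustration, and the two quoted argument loops are simplified into one.

```c
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 512            /* assumed; the report does not give the real size */
static char buffer[BUFFER_SIZE];   /* stands in for Crafty's shared option buffer */

/* Bounded replacement for strcpy(buffer, argv[i]).
 * Returns 0 on success; returns -1 and leaves dst empty when arg plus its
 * terminating NUL would not fit. Rejecting (not truncating) avoids acting
 * on half of an option. */
int copy_option(char *dst, size_t dst_size, const char *arg)
{
    size_t len;

    if (dst == NULL || dst_size == 0 || arg == NULL)
        return -1;
    len = strlen(arg);
    if (len >= dst_size) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, arg, len + 1);     /* length already verified, NUL included */
    return 0;
}

/* Walks argv the way the two quoted loops do (skip "c" and numeric
 * arguments) and returns how many arguments were rejected as too long. */
int process_args(int argc, char **argv)
{
    int i, rejected = 0;

    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "c") == 0 || (argv[i][0] >= '0' && argv[i][0] <= '9'))
            continue;
        if (copy_option(buffer, sizeof buffer, argv[i]) != 0) {
            fprintf(stderr, "ERROR option of %zu bytes exceeds %d-byte buffer\n",
                    strlen(argv[i]), BUFFER_SIZE);
            rejected++;
            continue;
        }
        /* Crafty would call Option(tree) here to parse the copied text. */
    }
    return rejected;
}

int main(int argc, char **argv)
{
    return process_args(argc, argv) ? 1 : 0;
}
```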

 
 

