7878774 2002-01-24 14:42 +0100 /152 lines/ Bernhard Kuemel <darsie@gmx.at>
Sent by: joel@lysator.liu.se
Imported: 2002-01-24 21:42 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: bernhard@rainbow.hn.org
Recipient: Bugtraq (import) <20665>
Subject: gnuchess buffer overflow vulnerability
------------------------------------------------------------
From: Bernhard Kuemel <darsie@gmx.at>
To: bugtraq@securityfocus.com
Message-ID: <3C500F30.A4E56744@gmx.at>

-------- Original Message --------
Subject: buffer overflow vulnerability
Date: Tue, 22 Jan 2002 05:00:49 +0100
From: Bernhard Kuemel <darsie@gmx.at>
Reply-To: bernhard@rainbow.hn.org
To: bug-gnu-chess@gnu.org

Hi bug-gnu-chess!

gnuchess contains a buffer overflow vulnerability that may lead to
arbitrary command execution if an attacker is permitted to send
commands to gnuchess remotely via the internet.

----------------------------------------------------
bernhard@bb:/usr/src/gnuchess$ gdb ./gnuchess
(gdb) run
Starting program: /usr/src/gnuchess/./gnuchess
GNU Chess v5.02
Transposition table: Entries=1024K Size=32768K
Pawn hash table: Entries=384K Size=18432K
White (1) : AAAAAAAAAAAAAAA1234567890

Program received signal SIGSEGV, Segmentation fault.
0x35343332 in ?? ()
-----------------------------------------------------

In file cmd.c:

 65 void InputCmd ()
 66 /*************************************************************************
 67  *
 68  * This is the main user command interface driver.
 69  *
 70  ***********************************************************************
...
477   /* everything else must be a move */        or e.g. malicious input
478   else
479     {
480       ptr = ValidateMove (cmd);

In file move.c:

500 leaf * ValidateMove (char *s)
501 /*************************************************************************
502  *
503  * This routine takes a string and check to see if it is a legal move.
504  * Note. At the moment, we accept 2 types of moves notation.
505  * 1. e2e4 format. 2. SAN format. (e4)
506  *
507  ***********************************************************************
508 {
509   short f, t, side, rank, file, fileto;
510   short piece, kount;

This is the reason for the overflow:

511   char mvstr[10], *p;
                ^^
512   BitBoard b;
513   leaf *n1, *n2;
514
...
524   p = mvstr;
525   do
526     {
527       if (*s != 'x' && *s != '+' && *s != '=')

The overflow happens here:

528         *p++ = *s;
            ^^^^^^^^^^
529     } while (*s++ != '\0');

You may eliminate the vulnerability by defining

511   char mvstr[64], *p;

since you limit the input to 64 bytes in cmd.c:

120   if (fgets (inputstr, 64, stdin) && inputstr[0])
121     inputstr[strlen(inputstr)-1] = '\000';

Please tell me when you will release a fixed version so I can announce
the vulnerability on the bugtraq mailing list. Please respond within a
reasonable time or I will publish the vulnerability before you release
a fixed version.

Bernhard

-------- Original Message --------
Subject: Re: buffer overflow vulnerability
Date: Tue, 22 Jan 2002 11:31:21 +0000
From: Simon Waters <Simon@wretched.demon.co.uk>
Organization: Eighth Layer Limited
To: bernhard@rainbow.hn.org
References: <3C4CE3F1.B7AD5001@gmx.at>

Bernhard Kuemel wrote:
>
> gnuchess contains a buffer overflow vulnerability that may lead to
> arbitrary command execution if an attacker is permitted to send
> commands to gnuchess remotely via the internet.

This specific problem was identified by the current maintainer and is
fixed in the 5.03beta release which is available on the GNU ftp site.

The GNU chess 5 code base was not written with security as a prime goal
as it is intended to be run locally on the user's own computer and does
not provide a network interface. Other problems of this type are thought
to exist in the 5.03beta code base.

Since GNUchess has no Internet interface built-in, people wishing to
connect GNUchess to the Internet should look at the features of the
interface they use to protect GNU chess from abuse.

The maintainer uses "Zippy", from Tim Mann's xboard (www.tim-mann.org),
which password protects the ability to issue commands remotely (disabled
by default), and appropriate settings in FICS (freechess.org), to prevent
inappropriate data being supplied to the GNUchess executable. FICS itself
is quite restrictive on what data may be entered.

The development version of GNUchess includes substantial minor technical
corrections of the code over and above 5.03beta already (thanks largely
to lclint, and the many contributors who gave freely of their knowledge
and time) which may be of interest to people concerned by this buffer
overflow.

Thank you for your report,

Simon

Please send correspondence on this matter to:
bug-gnu-chess@gnu.org

Please include the main body of this response in any Bugtraq release.

Please send a copy of any such announcement to the gnu.chess newsgroup;
the rec.games.chess.computer newsgroup may also be interested.

(7878774) /Bernhard Kuemel <darsie@gmx.at>/(Rewrapped)
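A bounded version of the copy loop quoted from move.c above, added here as an example and not code from the gnuchess project or from either poster: it keeps the original filtering of 'x', '+' and '=' but refuses any input that would not fit, which is the length check the 10-byte mvstr lacked. The function names, MVSTR_SIZE and the sample inputs are assumptions for illustration; the last sample input is the string from the gdb session in the report.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Same size as the original mvstr[10] in ValidateMove(). */
#define MVSTR_SIZE 10

/*
 * Hypothetical bounded replacement for the copy loop at move.c:524-529.
 * The original strips 'x', '+' and '=' and copies everything else into
 * mvstr[10] with no length check, so any longer command smashes the stack.
 * This version stops before the buffer fills and reports failure instead.
 * Returns true if the filtered move fit in out, false if it was too long.
 */
bool copy_move_bounded(const char *s, char *out, size_t out_size)
{
    size_t n = 0;

    if (out_size == 0)
        return false;
    for (; *s != '\0'; s++) {
        if (*s == 'x' || *s == '+' || *s == '=')
            continue;               /* characters the original drops */
        if (n + 1 >= out_size) {    /* keep room for the terminator */
            out[0] = '\0';
            return false;           /* would have overflowed mvstr */
        }
        out[n++] = *s;
    }
    out[n] = '\0';
    return true;
}

/* Wrapper that uses the original 10-byte buffer size. */
bool validate_move_length(const char *s, char *out)
{
    return copy_move_bounded(s, out, MVSTR_SIZE);
}

int main(void)
{
    char mv[MVSTR_SIZE];
    /* Constructed inputs; the last one is the crash input from the report. */
    const char *inputs[] = { "e2e4", "exd5+", "e8=Q+",
                             "AAAAAAAAAAAAAAA1234567890" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-26s -> %s\n", inputs[i],
               validate_move_length(inputs[i], mv) ? mv : "rejected");
    return 0;
}
```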