linux, säkerhet

11056785 2003-12-04 20:50 +0000 /83 rader/ Shaun Colley <shaunige@yahoo.co.uk>
Importerad: 2003-12-04 23:07 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <30190>
Ärende: Linux 4inarow game multiple vulnerabilities.
------------------------------------------------------------
From: Shaun Colley <shaunige@yahoo.co.uk>
To: bugtraq@securityfocus.com
Message-ID: <20031204205021.93693.qmail@web25107.mail.ukl.yahoo.com>

~*~*~*~*~*~*~*
Introduction
~*~*~*~*~*~*~*

4inarow is a small network compatible Linux 4-in-a-row
clone for two player.  There's a few bugs in the
client program which may allow an attacker to execute
commands or run arbitrary code via a buffer overflow. 
4inarow is not SUID or SGID 'games' by default, but
many administrators enable the SGID 'games' bit on any
games they install for convenience, as most other
games are SGID.


~*~*~*~*~*~*~*
Bugs
~*~*~*~*~*~*~*


1) Changing PATH variable to execute commands.

The 4inarow client program executes the 'clear'
command when it calls the function 'print_game()' upon
connection to the game server ('4rowserver').
Assuming that the 4inarow client program (called
'4inarow') is SGID 'games' (or any other group for
that matter), an attacker could change the PATH
environmental variable, resulting in execution of a
different program by the name of 'clear'.  If an
attacker changed the PATH environmental variable to a
path holding a script or binary by the file name of
'clear', arbitrary commands could be executed.


2) Executing arbitrary code via a buffer overflow in
the client program.

Assuming the 4inarow client program has been set to
SGID 'games' by the root user, privilege execution
could occur via a buffer overflow.  The client program
calls the 'sscanf()' library function to blindly copy
a potentially large string into a small character
array without bounds checking, allowing potentially
for an attacker to cause a buffer overflow, and thus
executing arbitrary code.  Here's a small PoC shell
script for the bug.

-----------START HERE----------
./4rowserver &
echo `perl -e 'print "a"x20000'` | ./4inarow localhost
; ./4inarow localhost
-----------START HERE----------

The shell script should produce a segmentation fault. 
In the core file, you can see that certain registers
are overwritten by 0x61, hex for a.


~*~*~*~*~*~*~*
Fix
~*~*~*~*~*~*~*

A workaround for this is to not set SGID games on the
game. :)

'chmod -S 4inarow' if the client is SGID.



Thank you for your time.
Shaun.



________________________________________________________________________
Download Yahoo! Messenger now for a chance to win Live At Knebworth
DVDs http://www.yahoo.co.uk/robbiewilliams
(11056785) /Shaun Colley <shaunige@yahoo.co.uk>/(Ombruten)