[23857] in bugtraq
Clanlib overflow / Super Methane Brothers overflow
daemon@ATHENA.MIT.EDU (KF)
Tue Jan 15 18:16:39 2002
Message-ID: <3C437E29.9020004@snosoft.com>
Date: Mon, 14 Jan 2002 19:56:09 -0500
From: KF <dotslash@snosoft.com>
MIME-Version: 1.0
To: bugtraq@securityfocus.com, vuln-dev@securityfocus.com
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Charles stayed up all night and found a hole in Eterm so I felt obligated to stay up all night and find something else wrong on my box too. In doing so I found an overflow in a game included with Mandrake 8.1 called Super Methane Brothers.
$HOME=<bof here>
then run /usr/games/methane. In turn that caused me to find an overflow in ClanLib. So thanks for staying up late last night core!
This was all tested against some rpms made from the mandrake src with "rpm --rebuild"
libclanlib0-0.4.4-28mdk
libclanlib0-magick-0.4.4-28mdk
clanlib-0.4.4-28mdk
libclanlib0-gl-0.4.4-28mdk
libclanlib0-png-0.4.4-28mdk
libclanlib0-devel-0.4.4-28mdk
libclanlib1-0.5.1-4mdk
libclanlib0-mikmod-0.4.4-28mdk
It looks like the buffer overflow in /usr/games/methane is a library overflow in clanlib instead. I checked some other clanlib based games to prove this.
[root@linuxppc root]# export HOME=`perl -e 'print "A" x 9000'`
[root@linuxppc root]# /usr/games/methane
Super Methane Brothers
Licensed using the GNU General Public License Version 2
http://www.methane.fsnet.co.uk
...
This game requires ClanLib (v0.5.0) and Hermes (v1.3.3)
http://clanlib.org/hermes
(High Scores written to /var/lib/games/methanescores)
Segmentation fault
[root@linuxppc root]# ls -al /usr/games/methane
-rwxr-sr-x 1 root games 1978056 Nov 13 06:36 /usr/games/methane*
This was default on my intel Mandrake 8.1 box. I overwrote edx and ecx with my own data. I don't do intel so I didn't try any further. I got the packages for ppc and it was no fun to play with so I decided to look at some other clanlib based games to at least verify the library issue. I think the below link has info on the function causing the problem.
http://dark.x.dtu.dk/~sphair/cvs/Libs/ClanLib-0.5/Documentation/Reference/html/CL_SetupDisplay.html#2325
Here are some more examples of the clanlib overflow.
StarWar-0.0.1d.tar.gz
[root@linuxppc StarWar-0.0.1]# export HOME=`perl -e 'print "A" x 9000'`
[root@linuxppc StarWar-0.0.1]# src/starwar
Segmentation fault (core dumped)
This is the same place methane cored on my intel box...
#0 0x0fc81b78 in strcpy () from /lib/libc.so.6
(gdb) bt
#0 0x0fc81b78 in strcpy () from /lib/libc.so.6
#1 0x0ff89554 in FileConfig::LocalConfigFile () from /usr/lib/libclanCore.so.0
#2 0x0ff87014 in FileConfig::FileConfig () from /usr/lib/libclanCore.so.0
#3 0x0ff83b28 in CL_SetupCore::init_display () from /usr/lib/libclanCore.so.0
#4 0x1000d37c in InitDisplayApp::main ()
#5 0x0ff85270 in main () from /usr/lib/libclanCore.so.0
#6 0x0fc1eb90 in __libc_start_main () from /lib/libc.so.6
kwirk-0.0.16.tar.gz
[root@linuxppc Kwirk]# ./kwirk
Segmentation fault (core dumped)
(gdb)
#0 0x0fd36b78 in strcpy () from /lib/libc.so.6
#1 0x0fef0554 in FileConfig::LocalConfigFile () from /usr/lib/libclanCore.so.0
#2 0x0feee014 in FileConfig::FileConfig () from /usr/lib/libclanCore.so.0
#3 0x0feeab28 in CL_SetupCore::init_display () from /usr/lib/libclanCore.so.0
#4 0x1001e8f4 in TKwirk::init_modules (this=0x10054104) at kwirk.cpp:24
#5 0x0feec1fc in main () from /usr/lib/libclanCore.so.0
#6 0x0fcd3b90 in __libc_start_main () from /lib/libc.so.6
clankanoid-0.1.tgz
[root@linuxppc clanka]# ./clankanoid
Segmentation fault (core dumped)
I think you get the idea.
I would imagine about any game on http://www.clanlib.org/links.html would have this issue also. I'm sure a few clanlib games are suid like the one that came with Mandrake 8.1 (methane).
-KF
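Added illustration, not code from the post or from ClanLib: the backtraces above point at an unbounded strcpy() of $HOME inside FileConfig::LocalConfigFile, so this reconstructs that pattern with a hypothetical 256-byte path buffer and a made-up config file name, shows the "before", and beside it a bounded builder that rejects an over-long HOME instead of overrunning the buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reconstruction (not ClanLib's real source) of the pattern the
 * backtrace implies: $HOME copied into a fixed-size config-path buffer.
 * PATH_BUF and ".methanerc" are assumptions made for this example. */
#define PATH_BUF 256

/* Before: the length of HOME is never checked, so a 9000-byte value overruns
 * the buffer, which is the strcpy() segfault seen in the post. Shown only as
 * the defective form; it is never called with untrusted input here. */
void local_config_path_unsafe(const char *home, const char *name,
                              char out[PATH_BUF]) {
    strcpy(out, home);          /* unbounded copy: the defect */
    strcat(out, "/");
    strcat(out, name);
}

/* After: bounded formatting plus an explicit fit check.
 * Returns 0 on success, -1 if HOME is missing/empty or the path would not
 * fit; on failure out is left as an empty string rather than truncated. */
int local_config_path_safe(const char *home, const char *name,
                           char *out, size_t out_len) {
    out[0] = '\0';
    if (home == NULL || home[0] == '\0' || name == NULL)
        return -1;
    /* snprintf returns the length it wanted; >= out_len means the path was
     * cut off, and a truncated file path must be an error, not used. */
    int n = snprintf(out, out_len, "%s/%s", home, name);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Feeds the post's test input (HOME = "A" x n, constructed here) to the safe
 * builder and returns its status code, so the bound can be checked. */
int probe_safe_with_home_len(size_t n) {
    char out[PATH_BUF];
    char *home = malloc(n + 1);
    if (home == NULL) return -1;
    memset(home, 'A', n);
    home[n] = '\0';
    int rc = local_config_path_safe(home, ".methanerc", out, sizeof out);
    free(home);
    return rc;
}
```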