[6600] in bugtraq
Minor hole in "cxhextris" on certain Linux.
daemon@ATHENA.MIT.EDU (Chris Evans)
Sat Apr 25 13:57:19 1998
Date: Sat, 25 Apr 1998 14:36:26 +0100
Reply-To: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
From: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
To: BUGTRAQ@NETSPACE.ORG
Hi,
[This is a minor problem]
On my RedHat Linux systems, cxhextris has a binary called "xhextris", and
it runs under the euid "games".
-rwsr-xr-x 1 games games 49688 Apr 25 14:02 /usr/X11R6/bin/xhextris
A bug in this program will allow local users to subvert the user "games",
perhaps using this to then hide their activities (or cheat in the high
score table!! :-)
Details:
The name of the player can optionally be taken from the environment
variable "XHEXNAME":
xio.c: if ((name = (char *)getenv("XHEXNAME")) == NULL)
This can obviously be of an arbitrary length.
When a high score is achieved:
strcpy(high_scores[i].name, name);
This overflows a buffer on the stack of the function main().
At the same time this is fixed, the following should also be fixed:
xio.c: #ifdef LOG
strcpy(log_message,log_name);
log_name can come from getenv("USER") in admittedly rare circumstances.
Cheers
Chris
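
The unbounded strcpy() of XHEXNAME described above, replaced by a length-checked copy. This is an added example, not code from the original post or from cxhextris: the struct layout, NAME_LEN, copy_name(), record_score() and the "anonymous" fallback are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 20  /* assumed field size; the post does not give the real one */

struct score {
    char name[NAME_LEN];
    long points;
};

/* Bounded stand-in for strcpy(dst, src): never writes more than dstsz bytes,
 * always NUL-terminates, and returns 1 if src had to be truncated. */
static int copy_name(char *dst, size_t dstsz, const char *src)
{
    size_t n;

    if (dstsz == 0)
        return 1;
    if (src == NULL)
        src = "";
    n = strlen(src);
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hypothetical high-score update: name is untrusted, environment-supplied input. */
static int record_score(struct score *slot, long points, const char *name)
{
    slot->points = points;
    return copy_name(slot->name, sizeof slot->name, name);
}

int main(void)
{
    struct score slot;
    const char *name = getenv("XHEXNAME");  /* same source as xio.c */
    int cut = record_score(&slot, 100, name ? name : "anonymous");

    printf("stored \"%s\"%s\n", slot.name, cut ? " (truncated)" : "");
    return 0;
}
```

The same bounded copy applies to the strcpy(log_message, log_name) under #ifdef LOG, with the destination size taken from log_message.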