[15451] in bugtraq


RHL 6.2 xconq package - overflows yield gid games

daemon@ATHENA.MIT.EDU (Stan Bubrouski)
Fri Jun 23 17:43:39 2000

Message-Id:  <20000623040649.7139.qmail@securityfocus.com>
Date:         Fri, 23 Jun 2000 04:06:49 -0000
Reply-To: Stan Bubrouski <satan@FASTDIAL.NET>
From: Stan Bubrouski <satan@FASTDIAL.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

There is a game named xconq that installs two files in
/usr/games which are sgid games. The problem is that cconq
and xconq both contain buffer overflows and consistently
lack bounds-checking in many needed places.  For example,
look at the number of functions used for string handling
that lack bounds-checking (keeping in mind the programmer
did hardly any bounds-checking in general anyway):

function name  | number of times it is used in xconq/cconq
---------------+-------------------------------------------
strcpy         |  161
strncpy        |   15
strcat         |  336
strncat        |    4
vsprintf       |   22
vsnprintf      |    0
sprintf        |  493
snprintf       |    0

The little chart right there should make clear the problem
xconq has.  Here is an example of why it is so easy for
regular users to gain the ability to execute commands as
group games:

cmdline.c:if (!empty_string(getenv("USER"))) { 
cmdline.c:   strcpy(default_player_spec, getenv("USER")); 
cmdline.c:} else if (!empty_string(getenv("DISPLAY"))) { 
cmdline.c:   strcat(default_player_spec, getenv("DISPLAY")); 

Mistakes like this were made throughout the code, and thus
the sgid bit should be removed from /usr/games/xconq and
/usr/games/cconq to prevent regular users from gaining
elevated privileges.  cconq is the worst offender; xconq's
source at least drops privileges early, but takes them
back to open the scorefile, which, wouldn't you know, can
be a user-supplied name...

-Stan Bubrouski
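A bounds-checked version of the USER/DISPLAY copy from cmdline.c quoted in the post, added here as an editorial example (not code from xconq or from the poster). The buffer size SPEC_LEN, the helper names and the 199-byte constructed input are assumptions; the real xconq buffer size is not given above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for the example; the post does not state xconq's. */
#define SPEC_LEN 100

/* Copy src into dst only if it fits including the NUL terminator.
   Returns 1 on success; on an over-long value leaves dst empty and returns 0,
   which is the check the original strcpy(default_player_spec, getenv("USER")) lacks. */
static int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstlen) {
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);
    return 1;
}

/* Hardened equivalent of the cmdline.c logic: prefer USER, fall back to DISPLAY,
   and refuse (rather than overflow on) a value that does not fit the buffer.
   Environment values are passed in explicitly so the logic can be tested offline. */
int build_player_spec(char *spec, size_t speclen, const char *user, const char *display)
{
    spec[0] = '\0';                       /* never strcat onto an uninitialised buffer */
    if (user != NULL && *user != '\0')
        return copy_bounded(spec, speclen, user);
    if (display != NULL && *display != '\0')
        return copy_bounded(spec, speclen, display);
    return 1;                             /* neither set: an empty spec is acceptable */
}

/* Constructed 199-byte USER value: must be rejected, not copied. */
int rejects_overlong_user(void)
{
    char spec[SPEC_LEN];
    char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return build_player_spec(spec, sizeof spec, big, NULL) == 0 && spec[0] == '\0';
}

int main(void)
{
    char spec[SPEC_LEN];
    int ok = build_player_spec(spec, sizeof spec, getenv("USER"), getenv("DISPLAY"));
    printf("%s: \"%s\"\n", ok ? "accepted" : "rejected (too long)", spec);
    return ok ? 0 : 1;
}
```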
