5224202 2000-06-23 23:27 /48 lines/ Postmaster
Recipient: Bugtraq (import) <11402>
Subject: RHL 6.2 xconq package - overflows yield gid games
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Message-ID: <20000623040649.7139.qmail@securityfocus.com>
Date: Fri, 23 Jun 2000 04:06:49 -0000
Reply-To: Stan Bubrouski <satan@FASTDIAL.NET>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Stan Bubrouski <satan@FASTDIAL.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

There is a game named xconq that installs two files in /usr/games which are sgid games. The problem is that cconq and xconq both contain buffer overflows and consistently lack bounds-checking in many needed places. For example, look at the number of functions used for string handling that lack bounds-checking (keeping in mind the programmer did hardly any bounds-checking in general anyway):

function name | number of times it is used in xconq/cconq
--------------+--------------------------------------------
strcpy        | 161
strncpy       | 15
strcat        | 336
strncat       | 4
vsprintf      | 22
vsnprintf     | 0
sprintf       | 493
snprintf      | 0

The little chart right there should make clear the problem xconq has. Here is an example of why it is so easy for regular users to gain the ability to execute commands as group games:

cmdline.c:if (!empty_string(getenv("USER"))) {
cmdline.c:    strcpy(default_player_spec, getenv("USER"));
cmdline.c:} else if (!empty_string(getenv("DISPLAY"))) {
cmdline.c:    strcat(default_player_spec, getenv("DISPLAY"));

Mistakes like this were made throughout the code, and thus the sgid bit should be removed from /usr/games/xconq and /usr/games/cconq to prevent regular users from gaining elevated privileges. cconq is the worst offender; the xconq source at least drops privileges early, but takes them back to open the scorefile, which, wouldn't you know, can be a user-supplied name...
-Stan Bubrouski (5224202) ------------------------------------------
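The cmdline.c fragment quoted in the post copies environment strings into a fixed buffer with no length check. The following is an added example, not code from the post or from the xconq project, showing the same USER-then-DISPLAY logic written with bounds checking; PLAYER_SPEC_LEN is an assumed buffer size, and the environment values are passed in as parameters so the function can be exercised without touching the real environment.

```c
/* Added example: hardened equivalent of the cmdline.c USER/DISPLAY
 * handling quoted in the post. PLAYER_SPEC_LEN is an assumed size;
 * the real size of default_player_spec is not given in the post. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PLAYER_SPEC_LEN 64   /* assumed size of default_player_spec */

/* Same meaning as the helper named in the post: NULL or "" is empty. */
static int empty_string(const char *s)
{
    return s == NULL || s[0] == '\0';
}

/* Bounded copy: 0 on success, -1 if src (plus its NUL) does not fit.
 * On failure dst is left empty so callers never see a partial value.
 * Unlike strcpy/strcat, the destination size is always consulted. */
static int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0) return -1;
    if (n >= dstsz) { dst[0] = '\0'; return -1; }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Prefer USER, fall back to DISPLAY, and reject anything that would
 * not fit instead of letting the copy run off the end of the buffer.
 * The original's else-branch used strcat, which also appends to
 * whatever the buffer already held; here both branches overwrite. */
int set_default_player_spec(char *spec, size_t specsz,
                            const char *user, const char *display)
{
    if (!empty_string(user))
        return bounded_copy(spec, specsz, user);
    if (!empty_string(display))
        return bounded_copy(spec, specsz, display);
    if (specsz) spec[0] = '\0';
    return 0;   /* nothing to set is not an error */
}

/* Wrapper reading the real environment, as the game itself does. */
int set_default_player_spec_from_env(char *spec, size_t specsz)
{
    return set_default_player_spec(spec, specsz,
                                   getenv("USER"), getenv("DISPLAY"));
}
```

A non-zero return is the signal the original code never had: an oversized environment value is refused rather than written past the end of default_player_spec.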