Bugtraq mailing list archives
RHL 6.2 xconq package - overflows yield gid games
From: satan () FASTDIAL NET (Stan Bubrouski)
Date: Fri, 23 Jun 2000 04:06:49 -0000
There is a game named xconq that installs two files in /usr/games which are sgid games. The problem is that cconq and xconq both contain buffer overflows and consistently lack bounds-checking in many needed places. For example, look at the number of functions used for string handling that lack bounds-checking (keeping in mind the programmer did hardly any bounds-checking in general anyway):

function name | number of times it is used in xconq/cconq
-----------------------------------------------------------
strcpy        | 161
strncpy       | 15
strcat        | 336
strncat       | 4
vsprintf      | 22
vsnprintf     | 0
sprintf       | 493
snprintf      | 0

The little chart right there should make clear the problem xconq has. Here is an example of why it is so easy for regular users to gain the ability to execute commands as group games:

cmdline.c:if (!empty_string(getenv("USER"))) {
cmdline.c:    strcpy(default_player_spec, getenv("USER"));
cmdline.c:} else if (!empty_string(getenv("DISPLAY"))) {
cmdline.c:    strcat(default_player_spec, getenv("DISPLAY"));

Mistakes like this were made throughout the code, and thus the sgid bit should be removed from /usr/games/xconq and /usr/games/cconq to prevent regular users from gaining elevated privileges. cconq is the worst offender; xconq's source at least drops privileges early, but takes them back to open the scorefile, which, wouldn't you know, can be a user-supplied name...

-Stan Bubrouski
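The following is an added example and is not code from the post or from xconq. It shows the two fixes the post points at: the quoted cmdline.c copy of USER/DISPLAY rewritten so that every copy is bounded by the destination size and an over-long value is refused instead of overrunning the buffer, and a group-privilege drop that cannot be "taken back" later. The buffer size PLAYER_SPEC_LEN, the function names, and the 'A'-filled oversized value are all assumptions constructed for the example; xconq's real buffer size is not given in the post.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Assumed destination size for the player spec (not xconq's actual value). */
#define PLAYER_SPEC_LEN 64

/* Build the default player spec from USER, else DISPLAY, as the quoted
 * cmdline.c logic does, but with the copy bounded by dstsz.  Returns 0 on
 * success, -1 if the value would not fit together with its terminating NUL;
 * dst is left as an empty string in that case instead of being overrun. */
int build_player_spec(char *dst, size_t dstsz, const char *user, const char *display)
{
    const char *src = NULL;
    size_t n;

    if (dst == NULL || dstsz == 0)
        return -1;
    dst[0] = '\0';

    if (user != NULL && user[0] != '\0')
        src = user;
    else if (display != NULL && display[0] != '\0')
        src = display;
    else
        return 0;                    /* neither variable set: empty spec, not an error */

    n = strlen(src);
    if (n >= dstsz)                  /* this is exactly where strcpy() would overrun */
        return -1;
    memcpy(dst, src, n + 1);         /* n + 1 also copies the NUL */
    return 0;
}

/* Same check against the live environment of the calling process. */
int build_player_spec_from_env(char *dst, size_t dstsz)
{
    return build_player_spec(dst, dstsz, getenv("USER"), getenv("DISPLAY"));
}

/* Permanently give up a set-gid group: setting both real and effective gid to
 * the real gid also resets the saved gid on Linux and the BSDs, so the program
 * cannot regain the group later (the "takes them back" pattern in the post).
 * Returns 0 on success, -1 on failure; harmless in a non-sgid process. */
int drop_setgid_group(void)
{
    gid_t real = getgid();
    if (setregid(real, real) != 0)
        return -1;
    return (getegid() == real) ? 0 : -1;
}

/* Helper: 1 when the bounded copy succeeds and yields `expected`. */
int spec_matches(const char *user, const char *display, const char *expected)
{
    char buf[PLAYER_SPEC_LEN];
    if (build_player_spec(buf, sizeof buf, user, display) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

/* Helper: constructed oversized value of `len` bytes of 'A', standing in for
 * an environment variable longer than the destination.  Returns the result
 * code of build_player_spec (-1 expected once len >= PLAYER_SPEC_LEN). */
int spec_result_for_length(size_t len)
{
    char buf[PLAYER_SPEC_LEN];
    char *big = malloc(len + 1);
    int rc;
    if (big == NULL)
        return -2;
    memset(big, 'A', len);
    big[len] = '\0';
    rc = build_player_spec(buf, sizeof buf, big, NULL);
    free(big);
    return rc;
}

int main(void)
{
    char spec[PLAYER_SPEC_LEN];

    if (drop_setgid_group() != 0) {
        fprintf(stderr, "could not drop group privileges\n");
        return 1;
    }
    if (build_player_spec_from_env(spec, sizeof spec) != 0) {
        fprintf(stderr, "USER/DISPLAY too long for player spec, refusing\n");
        return 1;
    }
    printf("player spec: \"%s\"\n", spec);
    printf("oversized value rejected: %s\n",
           spec_result_for_length(200) == -1 ? "yes" : "no");
    return 0;
}
```

Refusing rather than truncating is deliberate: a silently shortened player name would still run, but it would hide the fact that an untrusted value did not fit, which is the condition a set-gid program most wants to notice. If the scorefile path must be opened with group privileges, the drop above cannot be used until after that open, which is the design problem the post describes and why removing the sgid bit is the simpler fix.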
Current thread:
- RHL 6.2 xconq package - overflows yield gid games Stan Bubrouski (Jun 22)
- <Possible follow-ups>
- Re: RHL 6.2 xconq package - overflows yield gid games Mark Tinberg (Jun 27)
- Re: RHL 6.2 xconq package - overflows yield gid games Kris Kennaway (Jun 27)