Bugtraq mailing list archives

local exploitable overflow in rogue/FreeBSD


From: stanojr <stanojr () iserver sk>
Date: Sat, 28 Sep 2002 20:57:18 +0200

VULNERABLE APPLICATION: rogue in FreeBSD (tested on 4.6-RELEASE)

ABOUT APPLICATION: rogue is a fantasy game which is indirectly setgid games (it is started through dm, see below)

IMPACT: low/medium

EXPLOITATION:
we can become egid=games; with this we can:
1. edit the score files in /var/games
2. use /var/games as a storage directory (typically when we are limited by quota)

SOLUTION:
1. disable the rogue game via /etc/dm.conf (mad rogueists will KILL YOU)
2. fix it in the source code

ABOUT BUG:
At first about dm (from man page):
Dm is a program used to regulate game playing.  Dm expects to be invoked
with the name of a game that a user wishes to play.  This is done by
creating symbolic links to dm, in the directory /usr/games for all of the
regulated games.  The actual binaries for these games should be placed in
a ``hidden'' directory, /usr/games/hide, that may only be accessed by the
dm program.  Dm determines if the requested game is available and, if so,
runs it.  The file /etc/dm.conf controls the conditions under which games
may be run.

/usr/games/dm is of course setgid games

Other games which don't need the games euid revoke privileges right after start.
Games which need the games euid after start open the score file and then revoke privileges.
Rogue doesn't revoke privileges after start; it keeps running with egid games.
The vulnerability is in restoring a saved game. The function read_string, called from the restore function in save.c,
doesn't check the size of the variable it fills. With that we can rewrite an address in the GOT (as in my attached exploit).
 
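The defect described above, as an added example that is not rogue's own code: a length-prefixed string reader in the shape the advisory describes (a 16-bit length from the save file, then that many bytes copied into a fixed-size field) next to a hardened version that takes the destination capacity and refuses the record before copying. The record layout, the NAME_CAP size and all function names are assumptions for illustration.

```c
#include <string.h>

#define NAME_CAP 30   /* assumed fixed-size destination field in the restored game state */

struct savebuf { const unsigned char *data; size_t len, pos; };   /* in-memory stand-in for FILE* */

/* Read exactly n bytes from the save buffer; 0 on success, -1 if the input is truncated. */
static int r_read(struct savebuf *fp, void *dst, size_t n)
{
    if (n > fp->len - fp->pos) return -1;
    memcpy(dst, fp->data + fp->pos, n);
    fp->pos += n;
    return 0;
}

/* Vulnerable shape (shown for contrast, never called here): the length read from
 * the file becomes the copy size with no comparison against the destination, so
 * a save file claiming a large length writes past the end of s. */
int read_string_unchecked(struct savebuf *fp, char *s)
{
    short i;
    if (r_read(fp, &i, sizeof i) < 0) return -1;
    return r_read(fp, s, (size_t)i);
}

/* Hardened shape: the caller states the capacity; negative or oversized lengths
 * are rejected before any byte is copied, and the result is always NUL-terminated. */
int read_string_checked(struct savebuf *fp, char *s, size_t cap)
{
    short i;
    if (r_read(fp, &i, sizeof i) < 0) return -1;
    if (i < 0 || (size_t)i >= cap) return -1;   /* would overrun s: refuse the record */
    if (r_read(fp, s, (size_t)i) < 0) return -1;
    s[i] = '\0';
    return 0;
}

/* Build a constructed record (host-order length field + body) and restore it into a
 * NAME_CAP buffer through the checked reader; returns the reader's result. */
static int restore_name(short claimed_len, const char *body, size_t body_len, char *out)
{
    unsigned char rec[2 + 64];
    struct savebuf fp = { rec, 2 + body_len, 0 };
    if (body_len > 64) return -1;
    memcpy(rec, &claimed_len, sizeof claimed_len);
    memcpy(rec + 2, body, body_len);
    return read_string_checked(&fp, out, NAME_CAP);
}

/* Returns 1 when a well-formed 5-byte record restores as "hello". */
int demo_valid(void) { char out[NAME_CAP]; return restore_name(5, "hello", 5, out) == 0 && strcmp(out, "hello") == 0; }

/* Returns 1 when a record claiming 200 bytes for a 30-byte field is refused before any copy. */
int demo_oversized(void) { char out[NAME_CAP]; return restore_name(200, "hello", 5, out) == -1; }
```

The same check belongs at every place a length or count is read from the save file, since any one unchecked copy is enough to corrupt adjacent memory.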
ATTACHMENTS: instant-rogue-exp.sh - instant exploit to get egid=games

AUTHOR: stanojr () iserver sk
PS: sorry, I know my English is very bad :]

Attachment: instant-rogue-exp.sh