cxhextris overflow

Summary
Description:Standard overflow
Author:Chris Evans <chris@FERRET.LMH.OX.AC.UK>
Compromise:Local users can obtain uid=games privileges! This allows them to cause chaos by changing the high score table or trojaning various games, etc.
Vulnerable Systems:At least RedHat Linux 5.0
Date:25 April 1998
Details


Date: Sat, 25 Apr 1998 14:36:26 +0100
From: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
To: BUGTRAQ@NETSPACE.ORG
Subject: Minor hole in "cxhextris" on certain Linux.

Hi,

[This is a minor problem]

On my RedHat Linux systems, cxhextris has a binary called "xhextris", and
it runs under the euid "games".

-rwsr-xr-x   1 games    games       49688 Apr 25 14:02 /usr/X11R6/bin/xhextris

A bug in this program will allow local users to subvert the user "games",
perhaps using this to then hide their activities (or cheat in the high
score table!! :-)

Details:

The name of the player can optionally be taken from the environment
variable "XHEXNAME":

xio.c:    if ((name = (char *)getenv("XHEXNAME")) == NULL)

This can obviously be of an arbitrary length.

When a high score is achieved:

strcpy(high_scores[i].name, name);

This overflows a buffer on the stack of the function main().

At the same time this is fixed, the following should also be fixed:

xio.c: #ifdef LOG
       strcpy(log_message,log_name);

log_name can come from getenv("USER") on admittedly rare circumstances.

Cheers
Chris

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]