|Author:||Chris Evans <chris@FERRET.LMH.OX.AC.UK>|
|Compromise:||Local users can obtain uid=games privileges! This allows them to cause chaos by changing the high score table or trojaning various games, etc.|
|Vulnerable Systems:||At least RedHat Linux 5.0|
|Date:||25 April 1998|
Date: Sat, 25 Apr 1998 14:36:26 +0100
From: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
Subject: Minor hole in "cxhextris" on certain Linux.
[This is a minor problem]
On my RedHat Linux systems, cxhextris has a binary called "xhextris", and
it runs under the euid "games".
-rwsr-xr-x 1 games games 49688 Apr 25 14:02 /usr/X11R6/bin/xhextris
A bug in this program will allow local users to subvert the user "games",
perhaps using this to then hide their activities (or cheat in the high
score table!! :-)
The name of the player can optionally be taken from the environment
xio.c: if ((name = (char *)getenv("XHEXNAME")) == NULL)
This can obviously be of an arbitrary length.
When a high score is achieved:
This overflows a buffer on the stack of the function main().
At the same time this is fixed, the following should also be fixed:
xio.c: #ifdef LOG
log_name can come from getenv("USER") on admittedly rare circumstances.
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: