local exploitable overflow in rogue/FreeBSD

From: psj (stanojr@iserver.sk)
Date: 09/28/02


Date: Sat, 28 Sep 2002 20:57:18 +0200
From: psj <stanojr@iserver.sk>
To: freebsd-security@freebsd.org


VULNERABLE APPLICATION: rogue in FreeBSD (tested on 4.6-RELEASE)

ABOUT APPLICATION: rogue is a fantasy game that is indirectly setgid games (it is started through dm)

IMPACT: low/medium

EXPLOITATION:
a local user can obtain egid=games, and with that can:
1. edit the score files in /var/games
2. use /var/games as a storage directory (typically useful when limited by disk quota)

SOLUTION:
1. disable the rogue game via /etc/dm.conf (angry rogue players will KILL YOU)
2. fix the bug in the source code

ABOUT BUG:
First, about dm (from the man page):
Dm is a program used to regulate game playing. Dm expects to be invoked with the name of a game that a user wishes to play. This is done by creating symbolic links to dm, in the directory /usr/games for all of the regulated games. The actual binaries for these games should be placed in a ``hidden'' directory, /usr/games/hide, that may only be accessed by the dm program. Dm determines if the requested game is available and, if so, runs it. The file /etc/dm.conf controls the conditions under which games may be run.

/usr/games/dm is of course setgid games

Other games that do not need the games group id revoke the privilege right after start.
Games that do need the games group id open the score file after start and then revoke the privilege.
Rogue does not revoke the privilege after start; it keeps running with egid games.
The vulnerability is in restoring a saved game. The function read_string, called from the restore function in save.c,
does not check the size of the variable it writes into, so a saved game can overflow it and rewrite an address in the GOT (as in my attached exploit).
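As an added illustration (not the author's exploit and not rogue's own source), the unchecked length-prefixed read pattern described above next to a bounded version that restore code should use. The record layout (16-bit length followed by the bytes), the in-memory stream type and all function names are assumptions.

```c
#include <string.h>

/* Constructed stand-in for the save file: a 16-bit length followed by that
 * many bytes. The layout, the stream type and all names are assumptions. */
struct save_stream { const unsigned char *data; size_t len, pos; };

static int r_read(struct save_stream *fp, void *buf, size_t n)
{
    if (fp->pos + n > fp->len) return -1;   /* file shorter than declared */
    memcpy(buf, fp->data + fp->pos, n);
    fp->pos += n;
    return 0;
}

/* Unchecked pattern: the length comes from the file and the size of s is
 * never consulted, so a declared length larger than s writes past it. */
int read_string_unchecked(char *s, struct save_stream *fp)
{
    short i;
    if (r_read(fp, &i, sizeof i)) return -1;
    return r_read(fp, s, (size_t)i);        /* overflows when i >= sizeof s */
}

/* Hardened: the caller passes the capacity of s; negative or oversized
 * lengths are rejected before a single byte is copied. */
int read_string_checked(char *s, size_t cap, struct save_stream *fp)
{
    short i;
    if (r_read(fp, &i, sizeof i)) return -1;
    if (i < 0 || (size_t)i >= cap) return -1;   /* keep room for the NUL */
    if (r_read(fp, s, (size_t)i)) return -1;
    s[i] = '\0';
    return 0;
}

/* Builds a record with the given declared length and payload and restores it
 * into a 16-byte buffer with the checked reader: 0 = accepted, -1 = rejected. */
int restore_name(short declared, const char *payload, size_t payload_len)
{
    unsigned char file[512];
    char name[16];
    struct save_stream fp = { file, 0, 0 };
    if (payload_len + sizeof declared > sizeof file) return -1;
    memcpy(file, &declared, sizeof declared);
    memcpy(file + sizeof declared, payload, payload_len);
    fp.len = sizeof declared + payload_len;
    return read_string_checked(name, sizeof name, &fp);
}
```

The checked reader also rejects a record whose declared length exceeds the bytes actually present, which the unchecked one would silently accept as a short read.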
 
ATTACHMENTS: instant-rogue-exp.sh - instant exploit to get egid=games

AUTHOR: stanojr@iserver.sk
PS: sorry, I know my English is very bad :]


