Crafty Game Stack Overflow & Exploit

From: Angelo Rosiello (angelo.rosiello_at_katamail.com)
Date: 03/16/04

  • Next message: FraMe: "Fw: Bilbao Method Exposed"
    Date: 15 Mar 2004 23:36:02 -0000
    To: bugtraq@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is)

                       Copyright Rosiello Security
                          http://www.rosiello.org

    ADVISORY: http://www.rosiello.org/en/read_bugs.php?18
    BACKGROUND: by SecurityTracker
    EXPLOIT: http://www.rosiello.org/archivio/crafty.zip

    Impact: Execution of arbitrary code via local system, User access via local system
    Version(s): 19.3 and prior versions
    Description: A vulnerability was reported in the Crafty game. A local user may be able to gain elevated privileges on the target system, depending on the configuration.

    It is reported that 'crafty.bin' does not properly check the bounds of user-supplied command line data. A local user can supply specially crafted values to trigger a buffer overflow and execute arbitrary code with the privileges of Crafty. On some Linux distributions, Crafty is installed with set group id (setgid) 'games' group privileges.

    Steve Kemp reported this vulnerability.

    Impact: A local user can execute arbitrary code with the privileges of Crafty, which may be 'games' group privileges on some distributions.

    Solution: It appears that no upstream fix was available at the time of this entry. The vendor notes that Crafty is not installed with set user id (setuid) or set group id (setgid) privileges, so there would be no security impact. However, some Linux distributions may install with setuid or setgid privileges.

    Vendor URL: www.limunltd.com/crafty/ (Links to External Site)
    Cause: Boundary error
    Underlying OS: Linux (Any), UNIX (Any)

    The exploit contains a bruteforce written in perl to get run time the right offset of the machine.


  • Next message: FraMe: "Fw: Bilbao Method Exposed"

    Relevant Pages

    • Local privilege escalation vulnerability in Cisco VPN client
      ... binaries to be executed in the context of Local System. ... Cisco's VPN client for Windows installs a Windows service, ... effectively escalates users' privileges, thereby compromising the host. ... The views expressed in this email do not necessarily reflect NGS policy. ...
      (Bugtraq)
    • [VulnWatch] Local privilege escalation vulnerability in Cisco VPN client
      ... binaries to be executed in the context of Local System. ... Cisco's VPN client for Windows installs a Windows service, ... effectively escalates users' privileges, thereby compromising the host. ... The views expressed in this email do not necessarily reflect NGS policy. ...
      (VulnWatch)
    • [VulnWatch] Local privilege escalation vulnerability in Cisco VPN client
      ... binaries to be executed in the context of Local System. ... Cisco's VPN client for Windows installs a Windows service, ... effectively escalates users' privileges, thereby compromising the host. ... The views expressed in this email do not necessarily reflect NGS policy. ...
      (VulnWatch)
    • Change process user for app in VB 6
      ... I`m writing VB aplication that requires to change it`s process user after ... Token function requires some additional privileges so... ... I`ve already done it by using service running under Local System and ... restarting my app under local system user, but it requires user to have ...
      (microsoft.public.vb.winapi)