Bugtraq mailing list archives
Re: LinCity Buffer Overflow
From: jgoerzen () SOUTHWIND NET (John Goerzen)
Date: Tue, 17 Mar 1998 19:35:02 -0600
"T. Freak" <tfreak () JADED NET> writes:
Greetings. While a buffer overflow is blatantly obvious in the code, I don't think it is very dangerous. Observe.
Just a little history on this issue. Herbert Xu reported a bug #14553 to Debian's bug tracking system on November 5, 1997 stating that on line 848 of main.cxx, the s3 variable was too small to hold the home directory for him, which was large enough to apparently overflow the buffer. I (the Debian maintainer of the lincity packages) subsequently patched it to set s3 to (2 * PATH_MAX), unaware of the full extent of the problem. On 22 Feb 1998, I modified Debian's package to remove the setuid bit from any installed lincity executables, suspicious of just this sort of issue (that was Debian package 1.09-3, for those of you keeping score at home). Therefore, any Debian system using Debian's lincity package, version 1.09-3 or later, is not vulnerable to root attack from this bug.

It seems that there is no trivial patch to this program, however. There are 17 separate occurrences of code of the sort strcpy(s,getenv("HOME")) and, as far as I can tell from a quick examination, not ONE of them is copying into a large enough buffer. Additionally, there may well be many other occurrences of such dangerous code with other strcpy calls, any one of which could potentially lead to a root compromise if lincity is installed setuid.

Therefore, I recommend immediately performing one of the following:

1. If you are using Debian hamm/2.0, upgrade immediately to lincity 1.09-3.

2. Otherwise, run:

   chmod a-s `which lincity`

   On Linux FHS-compliant distributions, this would be the same as:

   chmod a-s /usr/games/lincity

chmod a-s will immediately remove any setuid bits, negating any root attack. However, the program could still be induced to dump core fairly easily I suspect, although I am not sure that such a thing is of any real danger when running as a normal unprivileged uid.

BTW, on a side note, there were also some bugs in engine.cxx relating to type conversion. Debian's package contains Herbert Xu's patch. That patch can be found via anonymous ftp at: ftp://ftp.debian.org/debian/hamm/main/source/games, filename is lincity*.diff.gz. (Note that this diff contains a lot of things not relevant outside of Debian as well; however, a quick search for engine.cxx and main.cxx ought to yield the specific diffs that would be useful for any user of lincity.)

To summarize, then:

Debian 1.3.1 (lincity 1.03-2 or 1.09-1) is vulnerable to this issue, but only if lincity-svga is installed (find out with dpkg -s lincity-svga) and is setuid root.

Debian hamm/pre-2.0 is not vulnerable unless running an outdated package from before February 22, 1998.

Any hand-installed version from the author's makefile IS vulnerable, unless the setuid bit was explicitly removed.

I do not know of the status of other distributions that may or may not include this game.

Regards,
John Goerzen

--
John Goerzen
Southwind Internet Access, Inc.
E-mail: Business, jgoerzen () southwind net; Personal, jgoerzen () complete org
Computer Science Dept., Wichita State University, jgoerzen () cs twsu edu
Developer, Debian GNU/Linux <http://www.debian.org>