5233492 2000-06-27 22:57 /81 lines/ Postmaster Recipient: Bugtraq (import) <11455> Subject: Re: RHL 6.2 xconq package - overflows yield gid games

Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID: <s9589279.073@gwmail>
Date: Tue, 27 Jun 2000 11:39:21 -0500
Reply-To: Mark Tinberg <mtinberg@MADISON.TEC.WI.US>
From: Mark Tinberg <mtinberg@MADISON.TEC.WI.US>
To: BUGTRAQ@SECURITYFOCUS.COM

If a system installs with write access for group games to /usr/games, /usr/lib/games, /var/lib/games, that is a serious error. As your work with xconq shows, games are not, and will probably never be, audited for security problems. For this reason, and the fact that any user can run software that has write access, I have always considered this directory world writable.

Maybe this is more similar to email: I can send a message to another user, or myself, and write to areas of the disk that I normally wouldn't have access to (greatly simplified: dd from /dev/random, pipe through uuencode, pipe through MUA, fill up mailspool directory).

In short, this is _not_ a problem of xconq, or any other game; systemwide scorefiles (which by nature are world writable, even if you have to go through a SGID executable to write to them) should not be trusted. Software like games which will never be audited should not be trusted either. Systems that allow write access to library directories for anyone (even if they have to go through a crappy SGID app) are in the wrong.
>>> Satan <satan@fastdial.net> 06/27/00 10:24AM >>>

First off, /var/lib/games is not world-writable like /tmp or /var/tmp, so unless score files are mode 666 (some are) regular users usually cannot write to them. The ability to write to score files gives the ability to exploit problems in other games, like say causing overflows or such by modifying a score file that the user would not otherwise have been able to write to. It also allows someone to write to any file which is writable by group games. This all may not sound important, but say you were using dm: you could use this to modify and read the dm config stuff and use any games and modify files and such which dm would usually disallow.

It's not a big deal, but getting access to any privileged account (and FYI it is considered privileged because, depending on distributions, it allows write access to /var/lib/games, /usr/games, and /usr/lib/games) is considered a bad thing. And xconq is configured differently in different Linux distributions, so the scope of this problem could vary greatly between Linux distributions and versions. Unfortunately Red Hat is the only system I had access to, so I am not aware of the full scope of this problem on other systems.

-Stan

Mark Tinberg wrote:

> Hmm, offhand I would say that this isn't really much of a problem.
> The games group is not privileged and is merely used for the scorefiles
> of various games, to keep them from being easily edited. /var/games
> should be no more privileged than /tmp or /var/tmp, which are also world
> writable directories.
>
> Exploiting this would be no more fruitful than becoming "nobody",
> GID "games" should not have any more access (probably considerably
> less) than the user who is running the program.
>
> If I have missed something obvious here, please let me know.
>
> Mark Tinberg
> mtinberg@madison.tec.wi.us
> Remember: Wherever you go, there you are!
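The disagreement in the two messages above comes down to a question an administrator can check directly: is anything under the games directories writable by group games or by everyone, and which setgid binaries hand that group to ordinary users? The audit helper below is an added example, not code from either poster; the directory list is the one named in the thread, while the function names and the WRITABLE/SETGID output format are my own.

```shell
#!/bin/sh
# Audit the directories the thread argues about.  Added example, not code
# from the messages above.  Directory list taken from the thread; function
# names and output format are assumptions of this example.

# Print "WRITABLE <path>" for every entry under the given roots that is
# group- or world-writable, and "SETGID <path>" for every setgid executable.
# A setgid game that writes a world- or group-writable scorefile is exactly
# the combination the thread says should not be trusted.
audit_games_perms() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        # -020 = group write bit set, -002 = other write bit set
        find "$root" \( -perm -020 -o -perm -002 \) -print 2>/dev/null \
            | sed 's/^/WRITABLE /'
        # -2000 = setgid bit set on a regular file
        find "$root" -type f -perm -2000 -print 2>/dev/null \
            | sed 's/^/SETGID /'
    done
}

# Succeed (exit 0) only when no writable entry exists under the roots, i.e.
# when the games group cannot be used to modify scorefiles or library
# directories that other games will later read.
games_dirs_clean() {
    [ -z "$(audit_games_perms "$@" | grep '^WRITABLE ')" ]
}

# Stand-alone use: report on the three directories named in the thread.
audit_games_perms /var/lib/games /usr/games /usr/lib/games
```

Entries reported as WRITABLE are the ones any user who reaches group games (through a setgid game or otherwise) can rewrite; entries reported as SETGID are the programs that grant that group.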