[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
NetBSD Security Advisory 2010-009: Privilege Handling Errors in larn
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2010-009
Topic: Privilege Handling Errors In larn
Version: NetBSD-current: source prior to February 3, 2008
NetBSD 5.0.2: not affected
NetBSD 5.0: not affected
NetBSD 4.0.1: not affected
NetBSD 4.0: affected
Severity: Unprivileged Local Users Can Gain Access To "games" Group
Fixed: NetBSD-current: Feb 3, 2008
NetBSD-4 branch: Feb 3, 2008 (4.1 would include the fix)
NetBSD-4-0 branch: Feb 3, 2008 (4.0.1 includes the fix)
Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.
Larn, a "rogue-like" game, is installed setgid to the "games" group
to allow access to shared data and high scores. Properly, only
accesses to these objects should be made using the privileges of the
"games" group. However, due to improper privilege handling, the game
always runs with the privileges of the "games" group, opening up a
number of possible ways to allow an unprivileged user to gain improper
access to that group.
There is also an additional problem fixed by the same patch set: when
one wins larn, it sends the user junk mail. This junk mail is prepared
in insecure temporary files. It is likely impractical to use this to
attack another user who is playing larn; however, it might be possible
upon winning larn oneself to exploit it to gain access to the "games"
When games were changed from setuid to setgid (circa 1997) larn was
never updated to switch group IDs instead of user IDs. This meant that
when it tried to drop to a lower privilege level, nothing happened.
Thus the game always runs with access to the games group, and a number
of possible actions (most notably, writing out save files) are done
with access to the games group.
Save files can thus be written into /var/games, possibly overwriting
or damaging files belonging to other games. This creates the
possibility that ordinarily-harmless weaknesses in other games might
be exploited to gain a shell with access to group games. It also
allows denial of service against other games.
Larn also has the ability to start a sub-shell, but it always runs
/bin/csh, which under NetBSD refuses to start when setgid. It is
believed that this path is not exploitable.
Solutions and Workarounds
Removing the setgid bit from /usr/games/larn is a simple and effective
workaround, although larn will not work properly without it.
For all affected NetBSD versions, the proper fix requires obtaining
updated sources, and rebuilding and installing larn.
The fixed sources may be obtained from the NetBSD CVS repository.
The fixes for this vulnerability are contained in the following file
revisions for each CVS branch:
CVS branch file revision
------------- ---------------- -----------
HEAD src/games/larn/bill.c 1.9
HEAD src/games/larn/header.h 1.18
HEAD src/games/larn/main.c 1.21
HEAD src/games/larn/scores.c 1.16
netbsd-4 src/games/larn/bill.c 184.108.40.206
netbsd-4 src/games/larn/header.h 220.127.116.11
netbsd-4 src/games/larn/main.c 18.104.22.168
netbsd-4 src/games/larn/scores.c 22.214.171.124
netbsd-4-0 src/games/larn/bill.c 126.96.36.199
netbsd-4-0 src/games/larn/header.h 188.8.131.52
netbsd-4-0 src/games/larn/main.c 184.108.40.206
netbsd-4-0 src/games/larn/scores.c 220.127.116.11
The following instructions briefly summarize how to update and
recompile larn. In these instructions, replace:
BRANCH with the appropriate CVS branch (from the above table)
FILES with the file names for that branch (from the above table)
To update from CVS, re-build, and re-install larn:
# cd src
# cvs update -d -P -r BRANCH FILES
# cd games/larn
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
For more information on building (oriented towards rebuilding the
entire system, however) see:
David A. Holland, who found and fixed the problem.
2010-10-21 Initial release
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2010, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2010-009.txt,v 1.1 2010/10/21 09:02:57 tonnerre Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (NetBSD)
-----END PGP SIGNATURE-----
Main Index |
Thread Index |