NetBSD Security Advisory 2009-007: Buffer overflows in hack(6)

To: NetBSD Announcements <netbsd-announce%NetBSD.org@localhost>
Subject: NetBSD Security Advisory 2009-007: Buffer overflows in hack(6)
From: NetBSD Security Officer <security-officer%NetBSD.org@localhost>
Date: Tue, 30 Jun 2009 21:52:12 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                 NetBSD Security Advisory 2009-007
                 =================================

Topic:          Buffer overflows in hack(6)

Version:        NetBSD-current: source prior to June 30, 2009
                NetBSD 5.0:             affected
                NetBSD 4.0.1:           affected
                NetBSD 4.0:             affected

Severity:       Unprivileged local users can gain access to "games" group

Fixed:          NetBSD-current:         June 29, 2009
                NetBSD-5 branch:        June 29, 2009
                        (5.1 will include the fix)
                NetBSD-5-0 branch:      June 29, 2009
                        (5.0.1 will include the fix)
                NetBSD-4 branch:        June 29, 2009
                        (4.1 will include the fix)
                NetBSD-4-0 branch:      June 29, 2009
                        (4.0.2 will include the fix)


Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Hack, a "rogue-like" game, is installed setgid to the "games" group
to allow access to shared data and high scores and allow saved games
to be stored where they cannot be tampered with. Buffer handling
shortcomings allow arbitrary code execution with the privilege of the
"games" group, which can then be used to attack other users playing
games.


Technical Details
=================

The gethdate() function contains a stack-based buffer overflow
vulnerability that can be exploited by setting the PATH environment
variable.

The main() function contains a data-segment-based buffer overflow bug
attackable in wizard mode by the GENOCIDED environment variable; this
may be exploitable via function pointers elsewhere in the data segment.

Multiple other string handling weaknesses exist that may or may not be
attackable and may or may not be exploitable.


Solutions and Workarounds
=========================

Removing the setgid bit from /usr/games/hack is a simple and effective
workaround, although hack will not work properly without it.

For all affected NetBSD versions, the proper fix requires obtaining
updated sources, and rebuilding and installing hack. Fixed sources may
be obtained from the NetBSD CVS repository.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2009-06-30
        should be upgraded to NetBSD-current dated 2009-06-30 or later.

* NetBSD 5.0_STABLE and 5.0.0_PATCH:

        The binary distribution of NetBSD 5.0 is vulnerable.

        Systems running NetBSD 5.0 sources dated from before
        2009-06-30 should be upgraded from NetBSD 5.0 sources
        dated 2009-06-30 or later.

        NetBSD 5.0.1 and 5.1 will include the fix.

* NetBSD 4.0_STABLE and 4.0.1_PATCH:

        The binary distribution of NetBSD 4.0 is vulnerable.

        Systems running NetBSD 4.0 sources dated from before
        2009-06-30 should be upgraded from NetBSD 4.0 sources
        dated 2009-06-30 or later.

        NetBSD 4.0.2 and 4.1 will include the fix.

* For all releases:

        The following directories need to be updated from the
        appropriate CVS branch:
                games/hack

        To update from CVS, re-build, and re-install hack:
                # cd src
                # cvs update -d -P games/hack
                # cd games/hack

                # make USETOOLS=no cleandir obj
                # make USETOOLS=no dependall install

        This will select the fixes for the branch you have already
        checked out in your source tree.


For more information on building (oriented towards rebuilding the
entire system, however) see:

   http://www.netbsd.org/guide/en/chap-build.html


Thanks To
=========

David A. Holland found and fixed the problems.


Revision History
================

        2009-06-30      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2009-007.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2009, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2009-007.txt,v 1.1 2009/06/30 18:48:33 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iQIcBAEBAgAGBQJKSl6pAAoJEAZJc6xMSnBuvToP+gJN7pXD5M1Sd8/lG+bM5DQr
nxSAlOzww0gzIJPxvvkYNWooQM3wW2OdvqTrIiN6UMTtAXsuw4UFsnbiwUorj8rZ
XexgNO8hK5MyqebpsCwzH7Ofcip5yozBspBcE5bOVXQZcRKrUprvS+Zk9Q141ObV
NZ6qY2y9NjRE4lKzXMsxTLQHhFPMVTC+nG4rke4RrFIur11xdT1xIW59iuJExVTs
5eqFE/yOgmVondPCaln830beho3wHIha4obYXYq0+C2xbFzNvNu0+mAIKxkNhxel
902vLMHolzp664mSrKNxJwV2es3ii0NMMGlnGGecIsz+RedvizG2wcdEWCTumLEw
jIJY448FsI1a2GKHbOH5N/TieidHbEq81v8H0k2Kkw5B0GlwARsW8iCDVNeGpmKr
0F5Zqy2M0EvNfGykPw+Rd+vU7soid4JFJVlnGoEFt2BbhtMz7XlT8xovy4I4Sgp0
1klYEwB8Y8quipJnN9tmyAX3eVH73s0ycA4mjlSFtsvMZDTU0xr0znC1gaCcWtia
gfq1pLgyH1BNgg2TuAon2kGwON2T/FzSoJySSjujWq9LXLKj3ZEhqCRTmQ9m+cHr
jpI0Lx4gSxixKlH+ROv6Y/6bmc8+W0JUtHkUIkEtj/PeJ/GBVCBjEOzShCkvep6t
qYfYnSqAMzMWrCl6ARb5
=7nGK
-----END PGP SIGNATURE-----

Prev by Date: NetBSD Security Advisory 2009-006: Buffer overflows in ntp
Next by Date: NetBSD Security Advisory 2009-008: OpenSSL ASN1 parsing denial of service and CMS signature verification weakness
Previous by Thread: NetBSD Security Advisory 2009-006: Buffer overflows in ntp
Next by Thread: NetBSD Security Advisory 2009-008: OpenSSL ASN1 parsing denial of service and CMS signature verification weakness
Indexes:

Home | Main Index | Thread Index | Old Index