On Fri, Mar 24, 2006 at 10:34:35AM +0100, Javier Fernández-Sanguino Peña wrote:
> You guys (especially Steve) might find this advisory interesting:
> http://www.gentoo.org/security/en/glsa/glsa-200603-23.xml
Yes I saw that via a post to bugtraq (I think).
There was another one yesterday, or so, with a similar comment
about the BSD console tetris game.
> Basically, it boils down to:
>
> 1- fscanf vulnerability when reading hi-scores in Nethack (and derivatives)
> 2- the 'games' group can write to the save file location and hi-score location
> 3- users can only run games if they are in group 'games'
>
> Consequently: if a user can write to the hi-score location he can write a
> modified file that exploits the fscanf() vuln and have other users playing
> the same game run arbitrary code.
Right.
> The funny thing is that this attack path is quite convoluted, if a user can
> write to the save games area he can just do symlink attacks to other users
> through *their* probable save games locations. It's interesting why Gentoo
> says that this characteristic makes Nethack incompatible with their policy
> (don't other games save global stats or hi-score lists? [0])
I think even more basic than that: If the user is in the group
games they can write a malicious score file, such that arbitrary
code is executed as user ... games.
Not an escalation of privileges at all!
> I find the full design in Gentoo (i.e. point '3') is flawed, it does not make
> sense to develop an OS that restricts application types based on UNIX groups.
> Although they uphold it, see the discussion in the bug report at
> http://bugs.gentoo.org/show_bug.cgi?id=125902
I agree.
The limitation of allowing group games members to execute games
is utterly broken. The Debian approach of using setgid(games) is
much cleaner.
> What do you guys think?
I agree.
> [0] IMHO it doesn't make sense to store save games in a common global
> location.
> Save games should be saved in the *users* directory. Not only is this more
> secure (other users cannot modify your data) but it also makes it possible to
> run the same game on different systems (think of NFS-mounted $HOMEs).
I suggested the same thing in the games-devel alioth group but
it seemed that people disagreed. Currently we have setgid(games)
just to save global high scores. There have been a lot of trivial
security issues in our games, and just dropping the global score
files will eliminate a whole class of advisories.
I'm kinda working through more game audits, but they get tedious
fast. So I'm mostly concentrating on sid for them. Only a couple
of minor bugs reported so far, but they'll save us from having to
issue advisories in the future :)
Steve
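The fscanf bug class from point 1 and its hardened form, as an added example that is not code from Nethack, the advisory or this thread: a score-file record parser with the unbounded `%s` kept only for contrast beside a width-limited version that also rejects any record it could not consume in full. The record format, buffer sizes and the sample file are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SCORE_NAME_LEN 32   /* buffer size; %31s leaves room for the NUL */
#define SCORE_LINE_LEN 256

struct score { char name[SCORE_NAME_LEN]; long points; };

/* The unsafe shape the advisory describes: an unbounded %s lets a name
 * longer than name[] overrun it. Kept only for contrast; never use it on
 * a file that other accounts can write. */
static int parse_unbounded(const char *line, struct score *s)
{
    return sscanf(line, "%s %ld", s->name, &s->points) == 2;
}

/* Hardened form: the field width caps the write, and %n lets us reject a
 * record that was not consumed in full (an over-long name leaves leftovers
 * that %ld either fails on or misparses). */
static int parse_bounded(const char *line, struct score *s)
{
    int consumed = -1;
    if (sscanf(line, "%31s %ld %n", s->name, &s->points, &consumed) != 2)
        return 0;
    return consumed >= 0 && line[consumed] == '\0';
}

/* Parse an in-memory score file line by line, keeping only well-formed
 * records; malformed or over-long lines are skipped rather than trusted.
 * Returns the number of records stored in out[]. */
static int load_scores(const char *data, struct score *out, int max)
{
    char line[SCORE_LINE_LEN];
    int n = 0;
    while (*data && n < max) {
        size_t len = strcspn(data, "\n");
        if (len < sizeof line) {
            memcpy(line, data, len);
            line[len] = '\0';
            if (parse_bounded(line, &out[n]))
                n++;
        }
        data += len + (data[len] == '\n');
    }
    return n;
}
```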