Minor hole in "cxhextris" on certain Linux.

From: Chris Evans (chrisat_private)
Date: Sat Apr 25 1998 - 06:36:26 PDT

    Hi,
    
    [This is a minor problem]
    
    On my RedHat Linux systems, cxhextris has a binary called "xhextris", and
    it runs under the euid "games".
    
    -rwsr-xr-x   1 games    games       49688 Apr 25 14:02 /usr/X11R6/bin/xhextris
    
    A bug in this program will allow local users to subvert the user "games",
    perhaps using this to then hide their activities (or cheat in the high
    score table!! :-)
    
    Details:
    
    The name of the player can optionally be taken from the environment
    variable "XHEXNAME":
    
    xio.c:    if ((name = (char *)getenv("XHEXNAME")) == NULL)
    
    This can obviously be of an arbitrary length.
    
    When a high score is achieved:
    
    strcpy(high_scores[i].name, name);
    
    This overflows a buffer on the stack of the function main().
    
    At the same time this is fixed, the following should also be fixed:
    
    xio.c: #ifdef LOG
           strcpy(log_message,log_name);
    
    log_name can come from getenv("USER") in admittedly rare circumstances.
    
    Cheers
    Chris
    
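The pattern reported above, an unbounded strcpy() of an environment variable into a fixed-size field in a setuid binary, shown next to a bounded replacement. This is an added example and is not code from xhextris or from the post; the record layout, the NAME_LEN size, the struct and function names, and the rejection policy are assumptions for illustration. The same helper covers both copies the post mentions (the XHEXNAME high-score name and the USER-derived log name).

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record modelled on the report: a fixed-size name field
 * filled from an attacker-controlled environment variable.  The size is
 * an assumption, not taken from xhextris. */
#define NAME_LEN 20

struct high_score {
    char name[NAME_LEN];
    long score;
};

/* Vulnerable pattern as described in the post: no length check, so a
 * long XHEXNAME overwrites whatever follows name[] (here: score, and on
 * the caller's stack, saved registers and the return address).
 * Kept only for comparison; never call it with untrusted input. */
void set_name_unsafe(struct high_score *hs, const char *name)
{
    strcpy(hs->name, name);
}

/* Hardened form: reject rather than silently truncate.  Returns 1 when
 * the name was accepted and copied, 0 when it was rejected (NULL, empty,
 * too long for the field, or containing control characters that could
 * corrupt a line-oriented score or log file).  On rejection the record
 * is left untouched. */
int set_name_safe(struct high_score *hs, const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;

    /* Look for the terminator only within the field size; memchr() never
     * reads past NAME_LEN bytes, so a very long name is never scanned
     * to its end. */
    const char *end = memchr(name, '\0', NAME_LEN);
    if (end == NULL)                 /* no terminator within NAME_LEN: too long */
        return 0;
    size_t n = (size_t)(end - name); /* n <= NAME_LEN - 1, room for the NUL */

    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c < 0x20 || c == 0x7f)   /* newline, tab, ESC sequences, DEL */
            return 0;
    }

    memcpy(hs->name, name, n + 1);   /* n + 1 includes the terminator */
    return 1;
}

/* Resolve the player name the way the post describes: take XHEXNAME if
 * it is present and acceptable, otherwise fall back to a built-in name.
 * The caller passes the getenv() result so the logic is testable. */
const char *resolve_player_name(struct high_score *hs, const char *env_value)
{
    if (!set_name_safe(hs, env_value))
        strcpy(hs->name, "player");  /* short literal, always fits */
    return hs->name;
}

int main(void)
{
    struct high_score hs = { {0}, 0 };
    const char *env = getenv("XHEXNAME");   /* may be NULL or oversized */
    printf("player name: %s\n", resolve_player_name(&hs, env));
    return 0;
}
```

Rejecting an over-long name (instead of truncating with strncpy) keeps the behaviour obvious to the user and avoids the classic strncpy pitfall of an unterminated field. For a setuid-games binary the bounded copy removes this overflow, but the smaller attack surface still comes from holding the games privilege only around the score-file write rather than for the whole process lifetime.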