gnuchess buffer overflow vulnerability

From: Bernhard Kuemel (darsieat_private)
Date: Thu Jan 24 2002 - 05:42:08 PST


    -------- Original Message --------
    Subject: buffer overflow vulnerability
    Date: Tue, 22 Jan 2002 05:00:49 +0100
    From: Bernhard Kuemel <darsieat_private>
    Reply-To: bernhardat_private
    To: bug-gnu-chessat_private
    
    Hi bug-gnu-chess!
    
    gnuchess contains a buffer overflow vulnerability that may lead to
    arbitrary command execution if an attacker is permitted to send
    commands to gnuchess remotely via the internet.
    
    ----------------------------------------------------
    bernhard@bb:/usr/src/gnuchess$ gdb ./gnuchess
    (gdb) run
    Starting program: /usr/src/gnuchess/./gnuchess 
    GNU Chess v5.02
    
    Transposition table:  Entries=1024K Size=32768K
    Pawn hash table: Entries=384K Size=18432K
    White (1) : AAAAAAAAAAAAAAA1234567890
    
    Program received signal SIGSEGV, Segmentation fault.
    0x35343332 in ?? ()
    -----------------------------------------------------
    
    In file cmd.c:
    
        65  void InputCmd ()
        66  /*************************************************************************
        67   *
        68   *  This is the main user command interface driver.
        69   *
        70   ***********************************************************************/
       477     /* everything else must be a move */
    or e.g. malicious input
       478     else
       479     {
       480        ptr = ValidateMove (cmd);
    
    In file move.c:
    
       500  leaf * ValidateMove (char *s)
       501  /*************************************************************************
       502   *
       503   *  This routine takes a string and check to see if it is a legal move.
       504   *  Note.  At the moment, we accept 2 types of moves notation.
       505   *  1.  e2e4 format.   2. SAN format. (e4)
       506   *
       507   ***********************************************************************/
       508  {
       509     short f, t, side, rank, file, fileto;
       510     short piece, kount;
    
    This is the reason for the overflow:
       511     char mvstr[10], *p;
                          ^^
       512     BitBoard b;
       513     leaf *n1, *n2;
       514  
    
       524     p = mvstr;
       525     do
       526     {
       527        if (*s != 'x' && *s != '+' && *s != '=')
    
    The overflow happens here:
       528           *p++ = *s; 
                     ^^^^^^^^^^
       529     } while (*s++ != '\0');
    
    You may eliminate the vulnerability by defining
    
       511     char mvstr[64], *p;
    
    since you limit the input to 64 bytes in cmd.c:
    
       120          if (fgets (inputstr, 64, stdin) && inputstr[0])
       121              inputstr[strlen(inputstr)-1] = '\000';
    
    Please tell me when you will release a fixed version so I can announce
    the vulnerability on the bugtraq mailing list. Please respond within
    reasonable time or I will publish the vulnerability before you release
    a fixed version.
    
    Bernhard
    
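The copy loop Bernhard quotes from move.c, re-implemented stand-alone as an added example (this is not gnuchess code and not part of either message). It counts how many bytes the 5.02 loop writes for a given input, and so by how much a line read with fgets(…, 64, …) can overrun mvstr[10]; it shows a bounded replacement that rejects an over-long move instead of relying on the buffer being big enough; and it decodes the faulting address 0x35343332 from the gdb session back to an offset in the input. The function names, the MVSTR_LEN and INPUT_MAX constants and the embedded copy of the crash input are assumptions made for the demo.

```c
/*
 * Added example, not gnuchess code: the ValidateMove() copy loop
 * from move.c:524-529 re-implemented so its behaviour can be measured
 * without corrupting a real stack, plus a bounded replacement and a
 * helper that decodes the EIP from the gdb session in the report.
 * Names and constants below are assumptions for this demo.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MVSTR_LEN 10   /* char mvstr[10] in move.c:511            */
#define INPUT_MAX 64   /* fgets(inputstr, 64, stdin) in cmd.c:120 */

/* The input from the report, copied here for the demo (constructed). */
static const char crash_input[] = "AAAAAAAAAAAAAAA1234567890";

/* Number of bytes the 5.02 loop writes into mvstr for input s.
 * Mirrors move.c:525-529: every byte other than 'x', '+' and '=' is
 * copied, including the terminating '\0', because the do/while tests
 * *s only after the copy. This version writes nothing, it only counts. */
size_t original_bytes_written(const char *s)
{
    size_t n = 0;
    do {
        if (*s != 'x' && *s != '+' && *s != '=')
            n++;
    } while (*s++ != '\0');
    return n;
}

/* How far past mvstr[MVSTR_LEN] the 5.02 loop writes; 0 means it fits. */
size_t overflow_bytes(const char *s)
{
    size_t n = original_bytes_written(s);
    return n > MVSTR_LEN ? n - MVSTR_LEN : 0;
}

/* Bounded replacement: same filtering, never writes past dst[dstsz-1],
 * always NUL-terminates. Returns false when the input was truncated so
 * the caller can reject it as a move rather than guess at its meaning. */
bool copy_move_bounded(const char *s, char *dst, size_t dstsz)
{
    size_t i = 0;
    if (dstsz == 0)
        return false;
    for (; *s != '\0'; s++) {
        if (*s == 'x' || *s == '+' || *s == '=')
            continue;
        if (i + 1 >= dstsz) {      /* keep room for the terminator */
            dst[i] = '\0';
            return false;
        }
        dst[i++] = *s;
    }
    dst[i] = '\0';
    return true;
}

/* Offset in the input of the four bytes that ended up in EIP.
 * 0x35343332 read as a little-endian 32-bit value is the bytes
 * 0x32 0x33 0x34 0x35, i.e. the ASCII string "2345"; its position in
 * the input is the distance from the start of mvstr to the saved
 * return address (16 with the report's input). Returns -1 if the
 * bytes are not found in the input. */
long crash_offset(const char *input, uint32_t eip)
{
    char needle[5];
    for (int i = 0; i < 4; i++)
        needle[i] = (char)((eip >> (8 * i)) & 0xff);
    needle[4] = '\0';
    const char *hit = strstr(input, needle);
    return hit ? (long)(hit - input) : -1;
}

int main(void)
{
    char mv[MVSTR_LEN];
    printf("\"e2e4\": loop writes %zu bytes, overflow %zu\n",
           original_bytes_written("e2e4"), overflow_bytes("e2e4"));
    printf("\"%s\": loop writes %zu bytes, overflow %zu\n", crash_input,
           original_bytes_written(crash_input), overflow_bytes(crash_input));
    printf("worst case for a %d-byte fgets line: overflow %zu\n", INPUT_MAX,
           (size_t)(INPUT_MAX - 1 + 1) - MVSTR_LEN);
    printf("bounded copy accepts crash input: %s\n",
           copy_move_bounded(crash_input, mv, sizeof mv) ? "yes" : "no");
    printf("EIP 0x35343332 came from input offset %ld\n",
           crash_offset(crash_input, 0x35343332u));
    return 0;
}
```

Build with `cc -Wall demo.c && ./a.out`. Growing mvstr to 64 as the report suggests closes the hole only as long as cmd.c keeps reading with fgets(…, 64, …); the bounded copy does not depend on that coupling, which matters given Simon's remark that other problems of this type are thought to exist.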
    
    
    -------- Original Message --------
    Subject: Re: buffer overflow vulnerability
    Date: Tue, 22 Jan 2002 11:31:21 +0000
    From: Simon Waters <Simonat_private>
    Organization: Eighth Layer Limited
    To: bernhardat_private
    References: <3C4CE3F1.B7AD5001at_private>
    
    Bernhard Kuemel wrote:
    > 
    > gnuchess contains a buffer overflow vulnerability that may lead to
    > arbitrary command execution if an attacker is permitted to send
    > commands to gnuchess remotely via the internet.
    
    This specific problem was identified by the current maintainer
    and is fixed in the 5.03beta release which is available on the
    GNU ftp site.
    
    The GNU chess 5 code base was not written with security as a
    prime goal as it is intended to be run locally on the users own
    computer and does not provide a network interface. Other
    problems of this type are thought to exist in the 5.03beta code
    base.
    
    Since GNUchess has no Internet interface built-in, people
    wishing to connect GNUchess to the Internet should look at the
    features of the interface they use to protect GNU chess from
    abuse. The maintainer uses "Zippy", from Tim Mann's xboard
    (www.tim-mann.org), which password protects the ability to issue
    commands remotely (Disabled by default), and appropriate
    settings in FICS (freechess.org), to prevent inappropriate data
    being supplied to the GNUchess executable. FICS itself is quite
    restrictive on what data may be entered.
    
    The development version of GNUchess includes substantial minor
    technical corrections of the code over and above 5.03beta
    already (Thanks largely to lclint, and the many contributors who
    gave freely of their knowledge and time) which may be of
    interest to people concerned by this buffer overflow.
    
    Thank you for your report,
    
     Simon
    
    Please send correspondence on this matter to:
    bug-gnu-chessat_private
    
    Please include the main body of this response in any Bugtraq
    release. Please send a copy of any such announcement to the
    gnu.chess newsgroup, the rec.games.chess.computer newsgroup may
    also be interested.
    



    This archive was generated by hypermail 2b30 : Thu Jan 24 2002 - 12:40:03 PST